SEC-1039: Corrected reference to security context key to match new value.

Luke Taylor 2008-12-05 14:52:52 +00:00
parent a650b73550
commit fd7fc0c8a5


@ -12,7 +12,7 @@ import org.springframework.security.Authentication;
import org.springframework.security.AuthenticationTrustResolver; import org.springframework.security.AuthenticationTrustResolver;
import org.springframework.security.AuthenticationTrustResolverImpl; import org.springframework.security.AuthenticationTrustResolverImpl;
import org.springframework.security.concurrent.SessionRegistry; import org.springframework.security.concurrent.SessionRegistry;
import org.springframework.security.context.HttpSessionContextIntegrationFilter; import org.springframework.security.context.HttpSessionSecurityContextRepository;
import org.springframework.security.context.SecurityContext; import org.springframework.security.context.SecurityContext;
import org.springframework.security.context.SecurityContextHolder; import org.springframework.security.context.SecurityContextHolder;
import org.springframework.security.util.SessionUtils; import org.springframework.security.util.SessionUtils;
@ -20,10 +20,10 @@ import org.springframework.security.util.SessionUtils;
/** /**
* Detects that a user has been authenticated since the start of the request and starts a new session. * Detects that a user has been authenticated since the start of the request and starts a new session.
* <p> * <p>
* This is essentially a generalization of the functionality that was implemented for SEC-399. * This is essentially a generalization of the functionality that was implemented for SEC-399.
* Additionally, it will update the configured SessionRegistry if one is in use, thus preventing problems when used * Additionally, it will update the configured SessionRegistry if one is in use, thus preventing problems when used
* with Spring Security's concurrent session control. * with Spring Security's concurrent session control.
* *
* @author Martin Algesten * @author Martin Algesten
* @author Luke Taylor * @author Luke Taylor
* @since 2.0 * @since 2.0
@ -32,18 +32,18 @@ public class SessionFixationProtectionFilter extends SpringSecurityFilter {
//~ Static fields/initializers ===================================================================================== //~ Static fields/initializers =====================================================================================
static final String FILTER_APPLIED = "__spring_security_session_fixation_filter_applied"; static final String FILTER_APPLIED = "__spring_security_session_fixation_filter_applied";
//~ Instance fields ================================================================================================ //~ Instance fields ================================================================================================
private SessionRegistry sessionRegistry; private SessionRegistry sessionRegistry;
/** /**
* Indicates that the session attributes of the session to be invalidated * Indicates that the session attributes of the session to be invalidated
* should be migrated to the new session. Defaults to <code>true</code>. * should be migrated to the new session. Defaults to <code>true</code>.
*/ */
private boolean migrateSessionAttributes = true; private boolean migrateSessionAttributes = true;
private AuthenticationTrustResolver authenticationTrustResolver = new AuthenticationTrustResolverImpl(); private AuthenticationTrustResolver authenticationTrustResolver = new AuthenticationTrustResolverImpl();
protected void doFilterHttp(HttpServletRequest request, HttpServletResponse response, FilterChain chain) protected void doFilterHttp(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
throws IOException, ServletException { throws IOException, ServletException {
@ -52,13 +52,13 @@ public class SessionFixationProtectionFilter extends SpringSecurityFilter {
chain.doFilter(request, response); chain.doFilter(request, response);
return; return;
} }
request.setAttribute(FILTER_APPLIED, Boolean.TRUE); request.setAttribute(FILTER_APPLIED, Boolean.TRUE);
HttpSession session = request.getSession(); HttpSession session = request.getSession();
SecurityContext sessionSecurityContext = SecurityContext sessionSecurityContext =
(SecurityContext) session.getAttribute(HttpSessionContextIntegrationFilter.SPRING_SECURITY_CONTEXT_KEY); (SecurityContext) session.getAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY);
if (sessionSecurityContext == null && isAuthenticated()) { if (sessionSecurityContext == null && isAuthenticated()) {
// The user has been authenticated during the current request, so do the session migration // The user has been authenticated during the current request, so do the session migration
startNewSessionIfRequired(request, response); startNewSessionIfRequired(request, response);
@ -66,32 +66,32 @@ public class SessionFixationProtectionFilter extends SpringSecurityFilter {
chain.doFilter(request, response); chain.doFilter(request, response);
} }
private boolean isAuthenticated() { private boolean isAuthenticated() {
Authentication authentication = SecurityContextHolder.getContext().getAuthentication(); Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
return authentication != null && !authenticationTrustResolver.isAnonymous(authentication); return authentication != null && !authenticationTrustResolver.isAnonymous(authentication);
} }
public void setMigrateSessionAttributes(boolean migrateSessionAttributes) { public void setMigrateSessionAttributes(boolean migrateSessionAttributes) {
this.migrateSessionAttributes = migrateSessionAttributes; this.migrateSessionAttributes = migrateSessionAttributes;
} }
public void setSessionRegistry(SessionRegistry sessionRegistry) { public void setSessionRegistry(SessionRegistry sessionRegistry) {
this.sessionRegistry = sessionRegistry; this.sessionRegistry = sessionRegistry;
} }
public int getOrder() { public int getOrder() {
return FilterChainOrder.SESSION_FIXATION_FILTER; return FilterChainOrder.SESSION_FIXATION_FILTER;
} }
/** /**
* Called when the a user wasn't authenticated at the start of the request but has been during it * Called when the a user wasn't authenticated at the start of the request but has been during it
* <p> * <p>
* A new session will be created, the session attributes copied to it (if * A new session will be created, the session attributes copied to it (if
* <tt>migrateSessionAttributes</tt> is set) and the sessionRegistry updated with the new session information. * <tt>migrateSessionAttributes</tt> is set) and the sessionRegistry updated with the new session information.
*/ */
protected void startNewSessionIfRequired(HttpServletRequest request, HttpServletResponse response) { protected void startNewSessionIfRequired(HttpServletRequest request, HttpServletResponse response) {
SessionUtils.startNewSessionIfRequired(request, migrateSessionAttributes, sessionRegistry); SessionUtils.startNewSessionIfRequired(request, migrateSessionAttributes, sessionRegistry);
} }
} }
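Review bot: The lookup on the `session.getAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY)` line in the third hunk now ties this filter to the storage key of one specific repository implementation, and nothing in the hunk guards the case where the context was persisted under a different key (a custom SecurityContextRepository, or a chain that still uses the old HttpSessionContextIntegrationFilter). In that case `sessionSecurityContext` is null on every request, and as far as the visible code shows, `startNewSessionIfRequired` would then run on every authenticated request rather than only once after login. A comment above the lookup would make the invariant explicit: `// Must match the key under which the configured SecurityContextRepository stores the context; a mismatch makes every authenticated request look like a fresh login and triggers session migration each time.` Since the commit message says the key's value itself changed, a test asserting that this filter and the repository agree on the key would catch a future drift between the two classes. doFilterHttp starts in the preceding hunk and ends in the following one.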