Optimize HttpSessionSecurityContextRepository

Closes gh-9387
5 years ago · 3116369f02
1 changed files with 7 additions and 7 deletions
--- a/web/src/main/java/org/springframework/security/web/context/HttpSessionSecurityContextRepository.java
+++ b/web/src/main/java/org/springframework/security/web/context/HttpSessionSecurityContextRepository.java
@ -136,12 +136,7 @@ public class HttpSessionSecurityContextRepository implements SecurityContextRepo
				@@ -136,12 +136,7 @@ public class HttpSessionSecurityContextRepository implements SecurityContextRepo
 				SaveContextOnUpdateOrErrorResponseWrapper.class);
 		Assert.state(responseWrapper != null, () -> "Cannot invoke saveContext on response " + response
 				+ ". You must use the HttpRequestResponseHolder.response after invoking loadContext");
-		// saveContext() might already be called by the response wrapper if something in
-		// the chain called sendError() or sendRedirect(). This ensures we only call it
-		// once per request.
-		if (!responseWrapper.isContextSaved()) {
-			responseWrapper.saveContext(context);
-		}
+		responseWrapper.saveContext(context);
 	}

 	@Override
@ -296,6 +291,8 @@ public class HttpSessionSecurityContextRepository implements SecurityContextRepo
				@@ -296,6 +291,8 @@ public class HttpSessionSecurityContextRepository implements SecurityContextRepo

 		private final Authentication authBeforeExecution;

+		private boolean isSaveContextInvoked;
+
 		/**
 		 * Takes the parameters required to call <code>saveContext()</code> successfully
 		 * in addition to the request and the response object we are wrapping.
@ -339,6 +336,7 @@ public class HttpSessionSecurityContextRepository implements SecurityContextRepo
				@@ -339,6 +336,7 @@ public class HttpSessionSecurityContextRepository implements SecurityContextRepo
 					// SEC-1587 A non-anonymous context may still be in the session
 					// SEC-1735 remove if the contextBeforeExecution was not anonymous
 					httpSession.removeAttribute(springSecurityContextKey);
+					this.isSaveContextInvoked = true;
 				}
 				if (this.logger.isDebugEnabled()) {
 					if (authentication == null) {
@ -358,6 +356,7 @@ public class HttpSessionSecurityContextRepository implements SecurityContextRepo
				@@ -358,6 +356,7 @@ public class HttpSessionSecurityContextRepository implements SecurityContextRepo
 				// is set SEC-1561
 				if (contextChanged(context) || httpSession.getAttribute(springSecurityContextKey) == null) {
 					httpSession.setAttribute(springSecurityContextKey, context);
+					this.isSaveContextInvoked = true;
 					if (this.logger.isDebugEnabled()) {
 						this.logger.debug(LogMessage.format("Stored %s to HttpSession [%s]", context, httpSession));
 					}
@ -366,7 +365,8 @@ public class HttpSessionSecurityContextRepository implements SecurityContextRepo
				@@ -366,7 +365,8 @@ public class HttpSessionSecurityContextRepository implements SecurityContextRepo
 		}

 		private boolean contextChanged(SecurityContext context) {
-			return context != this.contextBeforeExecution || context.getAuthentication() != this.authBeforeExecution;
+			return this.isSaveContextInvoked || context != this.contextBeforeExecution
+					|| context.getAuthentication() != this.authBeforeExecution;
 		}

 		private HttpSession createNewSessionIfAllowed(SecurityContext context) {