diff --git a/buildSrc/build.gradle b/buildSrc/build.gradle
index ac78628d27..af9cd4b2b4 100644
--- a/buildSrc/build.gradle
+++ b/buildSrc/build.gradle
@@ -30,7 +30,7 @@ dependencies {
 // GAE
 dependencies {
- compile 'com.google.appengine:appengine-tools-api:1.3.5'
+ compile 'com.google.appengine:appengine-tools-api:1.3.7'
 }
 task ide(type: Copy) {
diff --git a/buildSrc/src/main/groovy/gae/GaePlugin.groovy b/buildSrc/src/main/groovy/gae/GaePlugin.groovy
index e028d01b03..b131c8c316 100644
--- a/buildSrc/src/main/groovy/gae/GaePlugin.groovy
+++ b/buildSrc/src/main/groovy/gae/GaePlugin.groovy
@@ -20,7 +20,7 @@ class GaePlugin implements Plugin {
 project.gaeDeploy.dependsOn project.war
 project.war.doLast {
- ant.unzip(src: project.war.archivePath, dest: explodedWar)
+ ant.unzip(src: project.war.archivePath, dest: explodedWar)
 }
 }
 }
diff --git a/samples/gae/gae.gradle b/samples/gae/gae.gradle
index 6c5bf73a48..06eee6e93d 100644
--- a/samples/gae/gae.gradle
+++ b/samples/gae/gae.gradle
@@ -2,7 +2,7 @@ apply plugin: 'war'
 apply plugin: 'jetty'
 apply plugin: 'gae'
-gaeVersion="1.3.5"
+gaeVersion="1.3.7"
 repositories {
 // Hibernate Validator
@@ -15,8 +15,7 @@ repositories {
 configurations.runtime.exclude(group: 'ch.qos.logback')
 dependencies {
- providedCompile 'javax.servlet:servlet-api:2.5@jar',
- "com.google.appengine:appengine-api-1.0-sdk:$gaeVersion"
+ providedCompile 'javax.servlet:servlet-api:2.5@jar'
 compile project(':spring-security-core'),
 project(':spring-security-web'),
@@ -25,11 +24,13 @@ dependencies {
 "org.springframework:spring-webmvc:$springVersion",
 "org.springframework:spring-context:$springVersion",
 "org.springframework:spring-context-support:$springVersion",
+ "com.google.appengine:appengine-api-1.0-sdk:$gaeVersion",
 'javax.validation:validation-api:1.0.0.GA',
 'org.hibernate:hibernate-validator:4.1.0.Final',
 "org.slf4j:slf4j-api:$slf4jVersion"
 runtime project(':spring-security-config'),
+ project(':spring-security-taglibs'),
 "org.slf4j:jcl-over-slf4j:$slf4jVersion",
 "org.slf4j:slf4j-jdk14:$slf4jVersion"
 testCompile "com.google.appengine:appengine-testing:$gaeVersion"
diff --git a/samples/gae/src/main/java/samples/gae/security/GaeAuthenticationFilter.java b/samples/gae/src/main/java/samples/gae/security/GaeAuthenticationFilter.java
index f8edd5e009..48d35fa3b4 100644
--- a/samples/gae/src/main/java/samples/gae/security/GaeAuthenticationFilter.java
+++ b/samples/gae/src/main/java/samples/gae/security/GaeAuthenticationFilter.java
@@ -24,6 +24,7 @@ import org.springframework.security.web.authentication.WebAuthenticationDetailsS
 import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
 import org.springframework.util.Assert;
 import org.springframework.web.filter.GenericFilterBean;
+import samples.gae.users.GaeUser;
 /**
 * @author Luke Taylor
@@ -39,10 +40,15 @@ public class GaeAuthenticationFilter extends GenericFilterBean {
 public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
 Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
+ User googleUser = UserServiceFactory.getUserService().getCurrentUser();
- if (authentication == null) {
- User googleUser = UserServiceFactory.getUserService().getCurrentUser();
+ if (authentication != null && !loggedInUserMatchesGaeUser(authentication, googleUser)) {
+ SecurityContextHolder.clearContext();
+ authentication = null;
+ ((HttpServletRequest)request).getSession().invalidate();
+ }
+ if (authentication == null) {
 if (googleUser != null) {
 logger.debug("Currently logged on to GAE as user " + googleUser);
 logger.debug("Authenticating to Spring Security");
@@ -72,6 +78,24 @@ public class GaeAuthenticationFilter extends GenericFilterBean {
 chain.doFilter(request, response);
 }
+ private boolean loggedInUserMatchesGaeUser(Authentication authentication, User googleUser) {
+ assert authentication != null;
+
+ if (googleUser == null) {
+ // User has logged out of GAE but is still logged into application
+ return false;
+ }
+
+ GaeUser gaeUser = (GaeUser)authentication.getPrincipal();
+
+ if (!gaeUser.getEmail().equals(googleUser.getEmail())) {
+ return false;
+ }
+
+ return true;
+
+ }
+
 @Override
 public void afterPropertiesSet() throws ServletException {
 Assert.notNull(authenticationManager, "AuthenticationManager must be set");
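Review bot: In doFilter, `((HttpServletRequest)request).getSession().invalidate();` uses the no-argument `getSession()`, which creates a session when the request has none, only to invalidate it at once. Prefer `HttpSession session = ((HttpServletRequest) request).getSession(false);` followed by `if (session != null) { session.invalidate(); }`, so a stale SecurityContext without a backing session does not allocate one. A short comment above the new `if` would make the intent explicit, for example `// GAE account changed or signed out: drop the cached Spring Security login and its session`. doFilter's body continues beyond this hunk, so how the request proceeds after the reset is not visible here.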
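Review bot: In loggedInUserMatchesGaeUser the guard `assert authentication != null;` does nothing unless the JVM runs with `-ea`, and the cast `(GaeUser)authentication.getPrincipal()` throws ClassCastException if the context ever holds an Authentication whose principal is not a GaeUser. Because this method decides whether an existing login is kept, it should fail closed: add `if (!(authentication.getPrincipal() instanceof GaeUser)) { return false; }` before the cast, and the tail can then collapse to `return gaeUser.getEmail().equals(googleUser.getEmail());`. Identity is matched on the e-mail address alone; if GaeUser also stores the App Engine user id (not visible in this diff), comparing it with `googleUser.getUserId()` would be more stable than the address. The method also lacks Javadoc; one line such as `/** Returns true only if the cached principal is the account currently signed in to GAE. */` would state the contract.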