diff --git a/core/src/main/java/org/acegisecurity/context/HttpSessionContextIntegrationFilter.java b/core/src/main/java/org/acegisecurity/context/HttpSessionContextIntegrationFilter.java
index 47e8be66e3..d1767856bb 100644
--- a/core/src/main/java/org/acegisecurity/context/HttpSessionContextIntegrationFilter.java
+++ b/core/src/main/java/org/acegisecurity/context/HttpSessionContextIntegrationFilter.java
@@ -12,6 +12,7 @@
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
+
 package net.sf.acegisecurity.context;
 import org.apache.commons.logging.Log;
@@ -36,7 +37,7 @@ import javax.servlet.http.HttpSession;
 * Populates the SecurityContextHolder with information obtained
 * from the HttpSession.
 *
- *
+ *
 *
 * The HttpSession will be queried to retrieve the
 * SecurityContext that should be stored against the
@@ -45,7 +46,7 @@ import javax.servlet.http.HttpSession;
 * SecurityContextHolder will be persisted back to the
 * HttpSession by this filter.
 *
- *
+ *
 *
 * If a valid SecurityContext cannot be obtained from the
 * HttpSession for whatever reason, a fresh
@@ -54,7 +55,7 @@ import javax.servlet.http.HttpSession;
 * method (which defaults to {@link
 * net.sf.acegisecurity.context.SecurityContextImpl}.
 *
- *
+ *
 *
 * No HttpSession will be created by this filter if one does not
 * already exist. If at the end of the web request the
@@ -66,12 +67,12 @@ import javax.servlet.http.HttpSession;
 * HttpSession creation, but automates the storage of changes
 * made to the ContextHolder.
 *
- *
+ *
 *
 * This filter will only execute once per request, to resolve servlet container
 * (specifically Weblogic) incompatibilities.
 *
- *
+ *
 *
 * If for whatever reason no HttpSession should ever be
 * created (eg this filter is only being used with Basic authentication or
@@ -82,7 +83,7 @@ import javax.servlet.http.HttpSession;
 * designed to have no persistence of the Context between web
 * requests.
 *
- *
+ *
 *
 * This filter MUST be executed BEFORE any authentication procesing mechanisms.
 * Authentication processing mechanisms (eg BASIC, CAS processing filters etc)
@@ -96,9 +97,14 @@ import javax.servlet.http.HttpSession;
 */
 public class HttpSessionContextIntegrationFilter implements InitializingBean,
 Filter {
+ //~ Static fields/initializers =============================================
+
 protected static final Log logger = LogFactory.getLog(HttpSessionContextIntegrationFilter.class);
 private static final String FILTER_APPLIED = "__acegi_session_integration_filter_applied";
 public static final String ACEGI_SECURITY_CONTEXT_KEY = "ACEGI_SECURITY_CONTEXT";
+
+ //~ Instance fields ========================================================
+
 private Class context = SecurityContextImpl.class;
 private Object contextObject;
@@ -109,6 +115,8 @@ public class HttpSessionContextIntegrationFilter implements InitializingBean,
 */
 private boolean allowSessionCreation = true;
+ //~ Methods ================================================================
+
 public void setAllowSessionCreation(boolean allowSessionCreation) {
 this.allowSessionCreation = allowSessionCreation;
 }
@@ -126,10 +134,11 @@ public class HttpSessionContextIntegrationFilter implements InitializingBean,
 }
 public void afterPropertiesSet() throws Exception {
- if ((this.context == null) ||
- (!SecurityContext.class.isAssignableFrom(this.context))) {
+ if ((this.context == null)
+ || (!SecurityContext.class.isAssignableFrom(this.context))) {
 throw new IllegalArgumentException(
- "context must be defined and implement SecurityContext (typically use net.sf.acegisecurity.context.SecurityContextImpl)");
+ "context must be defined and implement SecurityContext (typically use net.sf.acegisecurity.context.SecurityContextImpl; existing class is "
+ + this.context + ")");
 }
 this.contextObject = generateNewContext();
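Review bot: The guard in `afterPropertiesSet()` still accepts a `context` value that cannot be instantiated, because `SecurityContext.class.isAssignableFrom(this.context)` is also true for the `SecurityContext` interface itself and for any abstract implementation. Such a misconfiguration passes this check and only surfaces in the `generateNewContext()` call on the next statement; that method is outside the hunk, so how the failure is reported there is not visible. Since the commit already improves the diagnostic by printing the configured class, the condition could reject these cases too, for example by appending `|| this.context.isInterface() || java.lang.reflect.Modifier.isAbstract(this.context.getModifiers())`. The method body continues past the end of the hunk.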
@@ -138,13 +147,11 @@ public class HttpSessionContextIntegrationFilter implements InitializingBean,
 /**
 * Does nothing. We use IoC container lifecycle services instead.
 */
- public void destroy() {
- }
+ public void destroy() {}
 public void doFilter(ServletRequest request, ServletResponse response,
 FilterChain chain) throws IOException, ServletException {
- if ((request != null) &&
- (request.getAttribute(FILTER_APPLIED) != null)) {
+ if ((request != null) && (request.getAttribute(FILTER_APPLIED) != null)) {
 // ensure that filter is only applied once per request
 chain.doFilter(request, response);
 } else {
@@ -157,8 +164,7 @@ public class HttpSessionContextIntegrationFilter implements InitializingBean,
 try {
 httpSession = ((HttpServletRequest) request).getSession(false);
- } catch (IllegalStateException ignored) {
- }
+ } catch (IllegalStateException ignored) {}
 if (httpSession != null) {
 httpSessionExistedAtStartOfRequest = true;
@@ -169,17 +175,17 @@ public class HttpSessionContextIntegrationFilter implements InitializingBean,
 if (contextFromSessionObject instanceof SecurityContext) {
 if (logger.isDebugEnabled()) {
 logger.debug(
- "Obtained from ACEGI_SECURITY_CONTEXT a valid SecurityContext and set to SecurityContextHolder: '" +
- contextFromSessionObject + "'");
+ "Obtained from ACEGI_SECURITY_CONTEXT a valid SecurityContext and set to SecurityContextHolder: '"
+ + contextFromSessionObject + "'");
 }
 SecurityContextHolder.setContext((SecurityContext) contextFromSessionObject);
 } else {
 if (logger.isWarnEnabled()) {
 logger.warn(
- "ACEGI_SECURITY_CONTEXT did not contain a SecurityContext but contained: '" +
- contextFromSessionObject +
- "'; are you improperly modifying the HttpSession directly (you should always use SecurityContextHolder) or using the HttpSession attribute reserved for this class? - new SecurityContext instance associated with SecurityContextHolder");
+ "ACEGI_SECURITY_CONTEXT did not contain a SecurityContext but contained: '"
+ + contextFromSessionObject
+ + "'; are you improperly modifying the HttpSession directly (you should always use SecurityContextHolder) or using the HttpSession attribute reserved for this class? - new SecurityContext instance associated with SecurityContextHolder");
 }
 SecurityContextHolder.setContext(generateNewContext());
@@ -221,11 +227,9 @@ public class HttpSessionContextIntegrationFilter implements InitializingBean,
 // Store context back to HttpSession
 try {
 httpSession = ((HttpServletRequest) request).getSession(false);
- } catch (IllegalStateException ignored) {
- }
+ } catch (IllegalStateException ignored) {}
- if ((httpSession == null) &&
- httpSessionExistedAtStartOfRequest) {
+ if ((httpSession == null) && httpSessionExistedAtStartOfRequest) {
 if (logger.isDebugEnabled()) {
 logger.debug(
 "HttpSession is now null, but was not null at start of request; session was invalidated, so do not create a new session");
@@ -233,44 +237,44 @@ public class HttpSessionContextIntegrationFilter implements InitializingBean,
 }
 // Generate a HttpSession only if we need to
- if ((httpSession == null) &&
- !httpSessionExistedAtStartOfRequest) {
+ if ((httpSession == null)
+ && !httpSessionExistedAtStartOfRequest) {
 if (!allowSessionCreation) {
 if (logger.isDebugEnabled()) {
 logger.debug(
 "The HttpSession is currently null, and the HttpSessionContextIntegrationFilter is prohibited from creating a HttpSession (because the allowSessionCreation property is false) - SecurityContext thus not stored for next request");
 }
 } else if (!contextObject.equals(
- SecurityContextHolder.getContext())) {
+ SecurityContextHolder.getContext())) {
 if (logger.isDebugEnabled()) {
 logger.debug(
 "HttpSession being created as SecurityContextHolder contents are non-default");
 }
 try {
- httpSession = ((HttpServletRequest) request).getSession(true);
- } catch (IllegalStateException ignored) {
- }
+ httpSession = ((HttpServletRequest) request)
+ .getSession(true);
+ } catch (IllegalStateException ignored) {}
 } else {
 if (logger.isDebugEnabled()) {
 logger.debug(
- "HttpSession is null, but SecurityContextHolder has not changed from default: ' " +
- SecurityContextHolder.getContext() +
- "'; not creating HttpSession or storing SecurityContextHolder contents");
+ "HttpSession is null, but SecurityContextHolder has not changed from default: ' "
+ + SecurityContextHolder.getContext()
+ + "'; not creating HttpSession or storing SecurityContextHolder contents");
 }
 }
 }
 // If HttpSession exists, store current SecurityContextHolder contents
 // but only if SecurityContext has actually changed (see JIRA SEC-37)
- if ((httpSession != null) &&
- (SecurityContextHolder.getContext().hashCode() != contextWhenChainProceeded)) {
+ if ((httpSession != null)
+ && (SecurityContextHolder.getContext().hashCode() != contextWhenChainProceeded)) {
 httpSession.setAttribute(ACEGI_SECURITY_CONTEXT_KEY,
 SecurityContextHolder.getContext());
 if (logger.isDebugEnabled()) {
- logger.debug("SecurityContext stored to HttpSession: '" +
- SecurityContextHolder.getContext() + "'");
+ logger.debug("SecurityContext stored to HttpSession: '"
+ + SecurityContextHolder.getContext() + "'");
 }
 }
@@ -302,6 +306,5 @@ public class HttpSessionContextIntegrationFilter implements InitializingBean,
 *
 * @throws ServletException ignored
 */
- public void init(FilterConfig filterConfig) throws ServletException {
- }
+ public void init(FilterConfig filterConfig) throws ServletException {}
 }
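Review bot: The write-back condition `SecurityContextHolder.getContext().hashCode() != contextWhenChainProceeded` treats an equal hash code as proof that the context did not change during the request, which it is not. Two different authentication states can hash to the same value, and a `SecurityContext` class supplied through the `context` property may not fold all of its state into `hashCode()`. In either case the modified context is silently not stored and the next request restores the stale one from the session, which matters most when the change was a logout or a reduction of authorities. Where `contextWhenChainProceeded` is captured lies outside this hunk, so this rests on the comparison alone. The comment cites SEC-37 as the reason for the conditional store, so if it must stay, state the requirement next to it, e.g. `// relies on the configured SecurityContext implementing hashCode() over all of its state, including the Authentication`, and consider an unconditional `setAttribute` when the session already existed at the start of the request. `doFilter` begins and ends outside the hunk.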