SEC-3070: Logout invalidate-session=false and Spring Session doesn't

work
10 years ago · 69446ab80f
2 changed files with 20 additions and 2 deletions
--- a/web/src/main/java/org/springframework/security/web/context/HttpSessionSecurityContextRepository.java
+++ b/web/src/main/java/org/springframework/security/web/context/HttpSessionSecurityContextRepository.java
@ -337,7 +337,7 @@ public class HttpSessionSecurityContextRepository implements SecurityContextRepo
 					logger.debug("SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.");
 				}
-				if (httpSession != null && !contextObject.equals(contextBeforeExecution)) {
+				if (httpSession != null && authBeforeExecution != null) {
 					// SEC-1587 A non-anonymous context may still be in the session
 					// SEC-1735 remove if the contextBeforeExecution was not anonymous
 					httpSession.removeAttribute(springSecurityContextKey);
--- a/web/src/test/java/org/springframework/security/web/context/HttpSessionSecurityContextRepositoryTests.java
+++ b/web/src/test/java/org/springframework/security/web/context/HttpSessionSecurityContextRepositoryTests.java
@ -501,6 +501,24 @@ public class HttpSessionSecurityContextRepositoryTests {
 				request.getSession().getAttribute(SPRING_SECURITY_CONTEXT_KEY));
 	}
 	// SEC-3070
 	@Test
 	public void logoutInvalidateSessionFalseFails() throws Exception {
 		HttpSessionSecurityContextRepository repo = new HttpSessionSecurityContextRepository();
 		MockHttpServletRequest request = new MockHttpServletRequest();
 		SecurityContext ctxInSession = SecurityContextHolder.createEmptyContext();
 		ctxInSession.setAuthentication(testToken);
 		request.getSession().setAttribute(SPRING_SECURITY_CONTEXT_KEY, ctxInSession);
 		HttpRequestResponseHolder holder = new HttpRequestResponseHolder(request, new MockHttpServletResponse());
 		repo.loadContext(holder);
 		ctxInSession.setAuthentication(null);
 		repo.saveContext(ctxInSession, holder.getRequest(), holder.getResponse());
 		assertNull(request.getSession().getAttribute(SPRING_SECURITY_CONTEXT_KEY));
 	}
 	@Test
 	@SuppressWarnings("deprecation")
 	public void sessionDisableUrlRewritingPreventsSessionIdBeingWrittenToUrl()
@ -600,4 +618,4 @@ public class HttpSessionSecurityContextRepositoryTests {
 		repo.saveContext(context, request, response);
 	}
-}
+}