SEC-1870: Updated HttpSessionDestroyedEvent to properly look for SecurityContexts as session attribute values instead of session attribute names

14 years ago · 6fe6e18939
2 changed files with 61 additions and 4 deletions
--- a/web/src/main/java/org/springframework/security/web/session/HttpSessionDestroyedEvent.java
+++ b/web/src/main/java/org/springframework/security/web/session/HttpSessionDestroyedEvent.java
@ -27,6 +27,7 @@ import java.util.*;
				@@ -27,6 +27,7 @@ import java.util.*;
 *
 * @author Ray Krueger
 * @author Luke Taylor
+ * @author Rob Winch
 */
 public class HttpSessionDestroyedEvent extends SessionDestroyedEvent {
    //~ Constructors ===================================================================================================
@ -42,16 +43,17 @@ public class HttpSessionDestroyedEvent extends SessionDestroyedEvent {
				@@ -42,16 +43,17 @@ public class HttpSessionDestroyedEvent extends SessionDestroyedEvent {
    @SuppressWarnings("unchecked")
    @Override
    public List<SecurityContext> getSecurityContexts() {
-        HttpSession session = (HttpSession)getSource();
+        HttpSession session = getSession();

        Enumeration<String> attributes = session.getAttributeNames();

        ArrayList<SecurityContext> contexts = new ArrayList<SecurityContext>();

        while(attributes.hasMoreElements()) {
-            Object attribute = attributes.nextElement();
-            if (attribute instanceof SecurityContext) {
-                contexts.add((SecurityContext) attribute);
+            String attributeName = attributes.nextElement();
+            Object attributeValue = session.getAttribute(attributeName);
+            if (attributeValue instanceof SecurityContext) {
+                contexts.add((SecurityContext) attributeValue);
            }
        }

--- a/web/src/test/java/org/springframework/security/web/session/HttpSessionDestroyedEventTests.java
+++ b/web/src/test/java/org/springframework/security/web/session/HttpSessionDestroyedEventTests.java
@ -0,0 +1,55 @@
				@@ -0,0 +1,55 @@
+package org.springframework.security.web.session;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertSame;
+import static org.mockito.Mockito.mock;
+
+import java.util.List;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.springframework.mock.web.MockHttpSession;
+import org.springframework.security.core.context.SecurityContext;
+import org.springframework.security.core.context.SecurityContextImpl;
+
+/**
+ *
+ * @author Rob Winch
+ *
+ */
+public class HttpSessionDestroyedEventTests {
+    private MockHttpSession session;
+    private HttpSessionDestroyedEvent destroyedEvent;
+
+    @Before
+    public void setUp() {
+        session = new MockHttpSession();
+        session.setAttribute("notcontext", "notcontext");
+        session.setAttribute("null", null);
+        session.setAttribute("context", new SecurityContextImpl());
+        destroyedEvent = new HttpSessionDestroyedEvent(session);
+    }
+
+    // SEC-1870
+    @Test
+    public void getSecurityContexts() {
+        List<SecurityContext> securityContexts = destroyedEvent.getSecurityContexts();
+        assertEquals(1,securityContexts.size());
+        assertSame(session.getAttribute("context"), securityContexts.get(0));
+    }
+
+    @Test
+    public void getSecurityContextsMulti() {
+        session.setAttribute("another", new SecurityContextImpl());
+        List<SecurityContext> securityContexts = destroyedEvent.getSecurityContexts();
+        assertEquals(2,securityContexts.size());
+    }
+
+    @Test
+    public void getSecurityContextsDiffImpl() {
+        session.setAttribute("context", mock(SecurityContext.class));
+        List<SecurityContext> securityContexts = destroyedEvent.getSecurityContexts();
+        assertEquals(1,securityContexts.size());
+        assertSame(session.getAttribute("context"), securityContexts.get(0));
+    }
+}