diff --git a/web/src/main/java/org/springframework/security/web/session/HttpSessionDestroyedEvent.java b/web/src/main/java/org/springframework/security/web/session/HttpSessionDestroyedEvent.java
index 805259b72f..e28c3dd1e1 100644
--- a/web/src/main/java/org/springframework/security/web/session/HttpSessionDestroyedEvent.java
+++ b/web/src/main/java/org/springframework/security/web/session/HttpSessionDestroyedEvent.java
@@ -27,6 +27,7 @@ import java.util.*;
 *
 * @author Ray Krueger
 * @author Luke Taylor
+ * @author Rob Winch
 */
 public class HttpSessionDestroyedEvent extends SessionDestroyedEvent {
 //~ Constructors ===================================================================================================
@@ -42,16 +43,17 @@ public class HttpSessionDestroyedEvent extends SessionDestroyedEvent {
 @SuppressWarnings("unchecked")
 @Override
 public List getSecurityContexts() {
- HttpSession session = (HttpSession)getSource();
+ HttpSession session = getSession();
 Enumeration attributes = session.getAttributeNames();
 ArrayList contexts = new ArrayList();
 while(attributes.hasMoreElements()) {
- Object attribute = attributes.nextElement();
- if (attribute instanceof SecurityContext) {
- contexts.add((SecurityContext) attribute);
+ String attributeName = attributes.nextElement();
+ Object attributeValue = session.getAttribute(attributeName);
+ if (attributeValue instanceof SecurityContext) {
+ contexts.add((SecurityContext) attributeValue);
 }
 }
diff --git a/web/src/test/java/org/springframework/security/web/session/HttpSessionDestroyedEventTests.java b/web/src/test/java/org/springframework/security/web/session/HttpSessionDestroyedEventTests.java
new file mode 100644
index 0000000000..0e9d984ef0
--- /dev/null
+++ b/web/src/test/java/org/springframework/security/web/session/HttpSessionDestroyedEventTests.java
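Review bot: In HttpSessionDestroyedEvent.getSecurityContexts() the contexts are now read from the live session through `session.getAttributeNames()` and `session.getAttribute(attributeName)`, and the hunk shows no comment saying when that is safe. Both calls throw IllegalStateException once the session has been invalidated, so a listener that handles the event late (for example through an asynchronous multicaster) would fail instead of seeing the contexts it needs for session clean-up. I would document this on the method, e.g. `Must be called while the event is being delivered; the session attributes are read on each call and are not available after invalidation.` The method's return statement and any existing Javadoc lie outside the hunk.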
@@ -0,0 +1,55 @@
+package org.springframework.security.web.session;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertSame;
+import static org.mockito.Mockito.mock;
+
+import java.util.List;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.springframework.mock.web.MockHttpSession;
+import org.springframework.security.core.context.SecurityContext;
+import org.springframework.security.core.context.SecurityContextImpl;
+
+/**
+ *
+ * @author Rob Winch
+ *
+ */
+public class HttpSessionDestroyedEventTests {
+ private MockHttpSession session;
+ private HttpSessionDestroyedEvent destroyedEvent;
+
+ @Before
+ public void setUp() {
+ session = new MockHttpSession();
+ session.setAttribute("notcontext", "notcontext");
+ session.setAttribute("null", null);
+ session.setAttribute("context", new SecurityContextImpl());
+ destroyedEvent = new HttpSessionDestroyedEvent(session);
+ }
+
+ // SEC-1870
+ @Test
+ public void getSecurityContexts() {
+ List securityContexts = destroyedEvent.getSecurityContexts();
+ assertEquals(1,securityContexts.size());
+ assertSame(session.getAttribute("context"), securityContexts.get(0));
+ }
+
+ @Test
+ public void getSecurityContextsMulti() {
+ session.setAttribute("another", new SecurityContextImpl());
+ List securityContexts = destroyedEvent.getSecurityContexts();
+ assertEquals(2,securityContexts.size());
+ }
+
+ @Test
+ public void getSecurityContextsDiffImpl() {
+ session.setAttribute("context", mock(SecurityContext.class));
+ List securityContexts = destroyedEvent.getSecurityContexts();
+ assertEquals(1,securityContexts.size());
+ assertSame(session.getAttribute("context"), securityContexts.get(0));
+ }
+}
\ No newline at end of file
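Review bot: In setUp(), `session.setAttribute("null", null);` does not put a null-valued attribute into the session: under the Servlet contract a null value has the same effect as removeAttribute(), and MockHttpSession is expected to follow that, so the line exercises nothing. Either drop it or mark it with `// no-op: a null value removes the attribute`, so readers do not assume null handling is covered. The suite also has no case for a session without any SecurityContext; a short test asserting `destroyedEvent.getSecurityContexts().isEmpty()` on a fresh MockHttpSession would pin the empty result.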