GitHub-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

SEC-1968: AbstractPreAuthenticatedProcessingFilter clears SecurityContext on null principal change with invalidateSessionOnPrincipalChange = true

pull/11/merge
Rob Winch 14 years ago
parent
e1068b84ea
commit
b6ec700640
2 changed files with 37 additions and 2 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 2
      web/src/main/java/org/springframework/security/web/authentication/preauth/AbstractPreAuthenticatedProcessingFilter.java
  2. 37
      web/src/test/java/org/springframework/security/web/authentication/preauth/AbstractPreAuthenticatedProcessingFilterTests.java

2
web/src/main/java/org/springframework/security/web/authentication/preauth/AbstractPreAuthenticatedProcessingFilter.java
Unescape View File

@ -143,6 +143,8 @@ public abstract class AbstractPreAuthenticatedProcessingFilter extends GenericFi @@ -143,6 +143,8 @@ public abstract class AbstractPreAuthenticatedProcessingFilter extends GenericFi
logger.debug("Pre-authenticated principal has changed to " + principal + " and will be reauthenticated");
if (invalidateSessionOnPrincipalChange) {
SecurityContextHolder.clearContext();
HttpSession session = request.getSession(false);
if (session != null) {

37
web/src/test/java/org/springframework/security/web/authentication/preauth/AbstractPreAuthenticatedProcessingFilterTests.java
Unescape View File

@ -7,6 +7,7 @@ import static org.mockito.Mockito.*; @@ -7,6 +7,7 @@ import static org.mockito.Mockito.*;
import javax.servlet.FilterChain;
import javax.servlet.http.HttpServletRequest;
import org.junit.After;
import org.junit.Before;
import org.junit.Test;
import org.mockito.invocation.InvocationOnMock;
@ -16,6 +17,7 @@ import org.springframework.mock.web.MockHttpServletRequest; @@ -16,6 +17,7 @@ import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
@ -33,7 +35,12 @@ public class AbstractPreAuthenticatedProcessingFilterTests { @@ -33,7 +35,12 @@ public class AbstractPreAuthenticatedProcessingFilterTests {
return "doesntmatter";
}
};
SecurityContextHolder.getContext().setAuthentication(null);
SecurityContextHolder.clearContext();
}
@After
public void tearDown() {
SecurityContextHolder.clearContext();
}
@Test
@ -80,6 +87,31 @@ public class AbstractPreAuthenticatedProcessingFilterTests { @@ -80,6 +87,31 @@ public class AbstractPreAuthenticatedProcessingFilterTests {
testDoFilter(false);
}
// SEC-1968
@Test
public void nullPreAuthenticationClearsPreviousUser() throws Exception {
SecurityContextHolder.getContext().setAuthentication(new TestingAuthenticationToken("oldUser", "pass","ROLE_USER"));
ConcretePreAuthenticatedProcessingFilter filter = new ConcretePreAuthenticatedProcessingFilter();
filter.principal = null;
filter.setCheckForPrincipalChanges(true);
filter.doFilter(new MockHttpServletRequest(), new MockHttpServletResponse(), new MockFilterChain());
assertEquals(null, SecurityContextHolder.getContext().getAuthentication());
}
@Test
public void nullPreAuthenticationPerservesPreviousUserCheckPrincipalChangesFalse() throws Exception {
TestingAuthenticationToken authentication = new TestingAuthenticationToken("oldUser", "pass","ROLE_USER");
SecurityContextHolder.getContext().setAuthentication(authentication);
ConcretePreAuthenticatedProcessingFilter filter = new ConcretePreAuthenticatedProcessingFilter();
filter.principal = null;
filter.doFilter(new MockHttpServletRequest(), new MockHttpServletResponse(), new MockFilterChain());
assertEquals(authentication, SecurityContextHolder.getContext().getAuthentication());
}
private void testDoFilter(boolean grantAccess) throws Exception {
MockHttpServletRequest req = new MockHttpServletRequest();
MockHttpServletResponse res = new MockHttpServletResponse();
@ -107,8 +139,9 @@ public class AbstractPreAuthenticatedProcessingFilterTests { @@ -107,8 +139,9 @@ public class AbstractPreAuthenticatedProcessingFilterTests {
}
private static class ConcretePreAuthenticatedProcessingFilter extends AbstractPreAuthenticatedProcessingFilter {
private String principal = "testPrincipal";
protected Object getPreAuthenticatedPrincipal(HttpServletRequest httpRequest) {
return "testPrincipal";
return principal;
}
protected Object getPreAuthenticatedCredentials(HttpServletRequest httpRequest) {
return "testCredentials";

Write Preview
Loading…
Cancel
Save