SEC-1561: Add check on whether the security context attribute is set in the current session to make sure it is stored when a new session has been created during the request.

15 years ago · e88f47a96a
1 changed files with 3 additions and 1 deletions
--- a/web/src/main/java/org/springframework/security/web/context/HttpSessionSecurityContextRepository.java
+++ b/web/src/main/java/org/springframework/security/web/context/HttpSessionSecurityContextRepository.java
@ -344,7 +344,9 @@ public class HttpSessionSecurityContextRepository implements SecurityContextRepo
				@@ -344,7 +344,9 @@ public class HttpSessionSecurityContextRepository implements SecurityContextRepo

            // If HttpSession exists, store current SecurityContextHolder contents but only if
            // the SecurityContext has actually changed (see JIRA SEC-37)
-            if (httpSession != null && context.hashCode() != contextHashBeforeChainExecution) {
+            // We also check that the session contains the context, in case a new session has been created (SEC-1561)
+            if (httpSession != null && (context.hashCode() != contextHashBeforeChainExecution ||
+                    httpSession.getAttribute(SPRING_SECURITY_CONTEXT_KEY) == null)) {
                httpSession.setAttribute(SPRING_SECURITY_CONTEXT_KEY, context);

                if (logger.isDebugEnabled()) {