GitHub-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

SEC-1039: Corrected reference to security context key to match new value.

3.0.x
Luke Taylor 17 years ago
parent
a650b73550
commit
fd7fc0c8a5
1 changed files with 23 additions and 23 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 46
      core/src/main/java/org/springframework/security/ui/SessionFixationProtectionFilter.java

46
core/src/main/java/org/springframework/security/ui/SessionFixationProtectionFilter.java
Unescape View File

@ -12,7 +12,7 @@ import org.springframework.security.Authentication; @@ -12,7 +12,7 @@ import org.springframework.security.Authentication;
import org.springframework.security.AuthenticationTrustResolver;
import org.springframework.security.AuthenticationTrustResolverImpl;
import org.springframework.security.concurrent.SessionRegistry;
import org.springframework.security.context.HttpSessionContextIntegrationFilter;
import org.springframework.security.context.HttpSessionSecurityContextRepository;
import org.springframework.security.context.SecurityContext;
import org.springframework.security.context.SecurityContextHolder;
import org.springframework.security.util.SessionUtils;
@ -20,10 +20,10 @@ import org.springframework.security.util.SessionUtils; @@ -20,10 +20,10 @@ import org.springframework.security.util.SessionUtils;
/**
* Detects that a user has been authenticated since the start of the request and starts a new session.
* <p>
* This is essentially a generalization of the functionality that was implemented for SEC-399.
* Additionally, it will update the configured SessionRegistry if one is in use, thus preventing problems when used
* with Spring Security's concurrent session control.
*
* This is essentially a generalization of the functionality that was implemented for SEC-399.
* Additionally, it will update the configured SessionRegistry if one is in use, thus preventing problems when used
* with Spring Security's concurrent session control.
*
* @author Martin Algesten
* @author Luke Taylor
* @since 2.0
@ -32,18 +32,18 @@ public class SessionFixationProtectionFilter extends SpringSecurityFilter { @@ -32,18 +32,18 @@ public class SessionFixationProtectionFilter extends SpringSecurityFilter {
//~ Static fields/initializers =====================================================================================
static final String FILTER_APPLIED = "__spring_security_session_fixation_filter_applied";
//~ Instance fields ================================================================================================
private SessionRegistry sessionRegistry;
/**
* Indicates that the session attributes of the session to be invalidated
* should be migrated to the new session. Defaults to <code>true</code>.
*/
private boolean migrateSessionAttributes = true;
private boolean migrateSessionAttributes = true;
private AuthenticationTrustResolver authenticationTrustResolver = new AuthenticationTrustResolverImpl();
private AuthenticationTrustResolver authenticationTrustResolver = new AuthenticationTrustResolverImpl();
protected void doFilterHttp(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
throws IOException, ServletException {
@ -52,13 +52,13 @@ public class SessionFixationProtectionFilter extends SpringSecurityFilter { @@ -52,13 +52,13 @@ public class SessionFixationProtectionFilter extends SpringSecurityFilter {
chain.doFilter(request, response);
return;
}
request.setAttribute(FILTER_APPLIED, Boolean.TRUE);
HttpSession session = request.getSession();
SecurityContext sessionSecurityContext =
(SecurityContext) session.getAttribute(HttpSessionContextIntegrationFilter.SPRING_SECURITY_CONTEXT_KEY);
SecurityContext sessionSecurityContext =
(SecurityContext) session.getAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY);
if (sessionSecurityContext == null && isAuthenticated()) {
// The user has been authenticated during the current request, so do the session migration
startNewSessionIfRequired(request, response);
@ -66,32 +66,32 @@ public class SessionFixationProtectionFilter extends SpringSecurityFilter { @@ -66,32 +66,32 @@ public class SessionFixationProtectionFilter extends SpringSecurityFilter {
chain.doFilter(request, response);
}
private boolean isAuthenticated() {
Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
return authentication != null && !authenticationTrustResolver.isAnonymous(authentication);
return authentication != null && !authenticationTrustResolver.isAnonymous(authentication);
}
public void setMigrateSessionAttributes(boolean migrateSessionAttributes) {
this.migrateSessionAttributes = migrateSessionAttributes;
}
public void setSessionRegistry(SessionRegistry sessionRegistry) {
this.sessionRegistry = sessionRegistry;
}
this.sessionRegistry = sessionRegistry;
}
public int getOrder() {
public int getOrder() {
return FilterChainOrder.SESSION_FIXATION_FILTER;
}
/**
* Called when the a user wasn't authenticated at the start of the request but has been during it
* <p>
* A new session will be created, the session attributes copied to it (if
* A new session will be created, the session attributes copied to it (if
* <tt>migrateSessionAttributes</tt> is set) and the sessionRegistry updated with the new session information.
*/
protected void startNewSessionIfRequired(HttpServletRequest request, HttpServletResponse response) {
protected void startNewSessionIfRequired(HttpServletRequest request, HttpServletResponse response) {
SessionUtils.startNewSessionIfRequired(request, migrateSessionAttributes, sessionRegistry);
}
}

Write Preview
Loading…
Cancel
Save