diff --git a/core/src/main/java/org/springframework/security/ui/SessionFixationProtectionFilter.java b/core/src/main/java/org/springframework/security/ui/SessionFixationProtectionFilter.java
index 792e6cc33c..cbc34718d4 100644
--- a/core/src/main/java/org/springframework/security/ui/SessionFixationProtectionFilter.java
+++ b/core/src/main/java/org/springframework/security/ui/SessionFixationProtectionFilter.java
@@ -12,7 +12,7 @@ import org.springframework.security.Authentication;
 import org.springframework.security.AuthenticationTrustResolver;
 import org.springframework.security.AuthenticationTrustResolverImpl;
 import org.springframework.security.concurrent.SessionRegistry;
-import org.springframework.security.context.HttpSessionContextIntegrationFilter;
+import org.springframework.security.context.HttpSessionSecurityContextRepository;
 import org.springframework.security.context.SecurityContext;
 import org.springframework.security.context.SecurityContextHolder;
 import org.springframework.security.util.SessionUtils;
@@ -20,10 +20,10 @@ import org.springframework.security.util.SessionUtils;
 /**
 * Detects that a user has been authenticated since the start of the request and starts a new session.
 *
- * This is essentially a generalization of the functionality that was implemented for SEC-399.
- * Additionally, it will update the configured SessionRegistry if one is in use, thus preventing problems when used
- * with Spring Security's concurrent session control.
- *
+ * This is essentially a generalization of the functionality that was implemented for SEC-399.
+ * Additionally, it will update the configured SessionRegistry if one is in use, thus preventing problems when used
+ * with Spring Security's concurrent session control.
+ *
 * @author Martin Algesten
 * @author Luke Taylor
 * @since 2.0
@@ -32,18 +32,18 @@ public class SessionFixationProtectionFilter extends SpringSecurityFilter {
 //~ Static fields/initializers =====================================================================================
 static final String FILTER_APPLIED = "__spring_security_session_fixation_filter_applied";
-
+
 //~ Instance fields ================================================================================================
 private SessionRegistry sessionRegistry;
-
+
 /**
 * Indicates that the session attributes of the session to be invalidated
 * should be migrated to the new session. Defaults to true.
 */
- private boolean migrateSessionAttributes = true;
+ private boolean migrateSessionAttributes = true;
- private AuthenticationTrustResolver authenticationTrustResolver = new AuthenticationTrustResolverImpl();
+ private AuthenticationTrustResolver authenticationTrustResolver = new AuthenticationTrustResolverImpl();
 protected void doFilterHttp(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException, ServletException {
@@ -52,13 +52,13 @@ public class SessionFixationProtectionFilter extends SpringSecurityFilter {
 chain.doFilter(request, response);
 return;
 }
-
+
 request.setAttribute(FILTER_APPLIED, Boolean.TRUE);
 HttpSession session = request.getSession();
- SecurityContext sessionSecurityContext =
- (SecurityContext) session.getAttribute(HttpSessionContextIntegrationFilter.SPRING_SECURITY_CONTEXT_KEY);
-
+ SecurityContext sessionSecurityContext =
+ (SecurityContext) session.getAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY);
+
 if (sessionSecurityContext == null && isAuthenticated()) {
 // The user has been authenticated during the current request, so do the session migration
 startNewSessionIfRequired(request, response);
@@ -66,32 +66,32 @@ public class SessionFixationProtectionFilter extends SpringSecurityFilter {
 chain.doFilter(request, response);
 }
-
+
 private boolean isAuthenticated() {
 Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
-
- return authentication != null && !authenticationTrustResolver.isAnonymous(authentication);
+
+ return authentication != null && !authenticationTrustResolver.isAnonymous(authentication);
 }
-
+
 public void setMigrateSessionAttributes(boolean migrateSessionAttributes) {
 this.migrateSessionAttributes = migrateSessionAttributes;
 }
 public void setSessionRegistry(SessionRegistry sessionRegistry) {
- this.sessionRegistry = sessionRegistry;
- }
+ this.sessionRegistry = sessionRegistry;
+ }
- public int getOrder() {
+ public int getOrder() {
 return FilterChainOrder.SESSION_FIXATION_FILTER;
 }
-
+
 /**
 * Called when the a user wasn't authenticated at the start of the request but has been during it
 *
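Review bot: `HttpSession session = request.getSession();` still creates a session for every request that reaches this point, including anonymous ones for which the lookup on the following lines can only return null; the commit changes the attribute key's owner but leaves that eager creation in place. The migration decision only needs to know whether a context was already stored, so `request.getSession(false)` preserves it while avoiding the allocation: `HttpSession session = request.getSession(false);` / `SecurityContext sessionSecurityContext = session == null ? null :` / `(SecurityContext) session.getAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY);`. The null test also presumes the context repository persists under this static key; if a deployment stores the context elsewhere, `sessionSecurityContext == null` no longer means "not authenticated at the start of the request", which deserves a comment next to the lookup such as `// Must match the attribute key used by the SecurityContext repository, or migration is never triggered`. doFilterHttp begins and ends outside this hunk.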

- * A new session will be created, the session attributes copied to it (if
+ * A new session will be created, the session attributes copied to it (if
 * migrateSessionAttributes is set) and the sessionRegistry updated with the new session information.
 */
- protected void startNewSessionIfRequired(HttpServletRequest request, HttpServletResponse response) {
+ protected void startNewSessionIfRequired(HttpServletRequest request, HttpServletResponse response) {
 SessionUtils.startNewSessionIfRequired(request, migrateSessionAttributes, sessionRegistry);
 }
 }