首頁 探索 說明
註冊 登入
github
/
spring-security
镜像来自 https://github.com/spring-projects/spring-security
2
0
複刻 0
檔案 問題管理 0 Wiki
瀏覽代碼

SEC-3070: Logout invalidate-session=false and Spring Session doesn't
work

Rob Winch 9 年之前
父節點
0284845289
當前提交
37aacc5e02
共有 2 個文件被更改,包括 20 次插入1 次删除
分割檢視 顯示文件統計
  1. 1 1
      web/src/main/java/org/springframework/security/web/context/HttpSessionSecurityContextRepository.java
  2. 19 0
      web/src/test/java/org/springframework/security/web/context/HttpSessionSecurityContextRepositoryTests.java

+ 1 - 1
web/src/main/java/org/springframework/security/web/context/HttpSessionSecurityContextRepository.java
查看文件 

@@ -304,7 +304,7 @@ public class HttpSessionSecurityContextRepository implements SecurityContextRepo
 
                     logger.debug("SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.");
 
                 }
 
 
-                if (httpSession != null && !contextObject.equals(contextBeforeExecution)) {
 
+                if (httpSession != null && authBeforeExecution != null) {
 
                     // SEC-1587 A non-anonymous context may still be in the session
 
                     // SEC-1735 remove if the contextBeforeExecution was not anonymous
 
                     httpSession.removeAttribute(springSecurityContextKey);

+ 19 - 0
web/src/test/java/org/springframework/security/web/context/HttpSessionSecurityContextRepositoryTests.java
查看文件 

@@ -429,6 +429,25 @@ public class HttpSessionSecurityContextRepositoryTests {
 
         assertSame(ctxInSession,request.getSession().getAttribute(SPRING_SECURITY_CONTEXT_KEY));
 
     }
 
 
+
 
+    // SEC-3070
 
+    @Test
 
+    public void logoutInvalidateSessionFalseFails() throws Exception {
 
+        HttpSessionSecurityContextRepository repo = new HttpSessionSecurityContextRepository();
 
+        MockHttpServletRequest request = new MockHttpServletRequest();
 
+        SecurityContext ctxInSession = SecurityContextHolder.createEmptyContext();
 
+        ctxInSession.setAuthentication(testToken);
 
+        request.getSession().setAttribute(SPRING_SECURITY_CONTEXT_KEY, ctxInSession);
 
+
 
+        HttpRequestResponseHolder holder = new HttpRequestResponseHolder(request, new MockHttpServletResponse());
 
+        repo.loadContext(holder);
 
+
 
+        ctxInSession.setAuthentication(null);
 
+        repo.saveContext(ctxInSession, holder.getRequest(), holder.getResponse());
 
+
 
+        assertNull(request.getSession().getAttribute(SPRING_SECURITY_CONTEXT_KEY));
 
+    }
 
+
 
     @Test
 
     @SuppressWarnings("deprecation")
 
     public void sessionDisableUrlRewritingPreventsSessionIdBeingWrittenToUrl() throws Exception {