|
|
@@ -12,6 +12,7 @@
|
|
|
* See the License for the specific language governing permissions and
|
|
|
* limitations under the License.
|
|
|
*/
|
|
|
+
|
|
|
package net.sf.acegisecurity.context;
|
|
|
|
|
|
import org.apache.commons.logging.Log;
|
|
|
@@ -36,7 +37,7 @@ import javax.servlet.http.HttpSession;
|
|
|
* Populates the <code>SecurityContextHolder</code> with information obtained
|
|
|
* from the <code>HttpSession</code>.
|
|
|
* </p>
|
|
|
- *
|
|
|
+ *
|
|
|
* <p>
|
|
|
* The <code>HttpSession</code> will be queried to retrieve the
|
|
|
* <code>SecurityContext</code> that should be stored against the
|
|
|
@@ -45,7 +46,7 @@ import javax.servlet.http.HttpSession;
|
|
|
* <code>SecurityContextHolder</code> will be persisted back to the
|
|
|
* <code>HttpSession</code> by this filter.
|
|
|
* </p>
|
|
|
- *
|
|
|
+ *
|
|
|
* <p>
|
|
|
* If a valid <code>SecurityContext</code> cannot be obtained from the
|
|
|
* <code>HttpSession</code> for whatever reason, a fresh
|
|
|
@@ -54,7 +55,7 @@ import javax.servlet.http.HttpSession;
|
|
|
* method (which defaults to {@link
|
|
|
* net.sf.acegisecurity.context.SecurityContextImpl}.
|
|
|
* </p>
|
|
|
- *
|
|
|
+ *
|
|
|
* <p>
|
|
|
* No <code>HttpSession</code> will be created by this filter if one does not
|
|
|
* already exist. If at the end of the web request the
|
|
|
@@ -66,12 +67,12 @@ import javax.servlet.http.HttpSession;
|
|
|
* <code>HttpSession</code> creation, but automates the storage of changes
|
|
|
* made to the <code>ContextHolder</code>.
|
|
|
* </p>
|
|
|
- *
|
|
|
+ *
|
|
|
* <P>
|
|
|
* This filter will only execute once per request, to resolve servlet container
|
|
|
* (specifically Weblogic) incompatibilities.
|
|
|
* </p>
|
|
|
- *
|
|
|
+ *
|
|
|
* <p>
|
|
|
* If for whatever reason no <code>HttpSession</code> should <b>ever</b> be
|
|
|
* created (eg this filter is only being used with Basic authentication or
|
|
|
@@ -82,7 +83,7 @@ import javax.servlet.http.HttpSession;
|
|
|
* designed to have no persistence of the <code>Context</code> between web
|
|
|
* requests.
|
|
|
* </p>
|
|
|
- *
|
|
|
+ *
|
|
|
* <p>
|
|
|
* This filter MUST be executed BEFORE any authentication procesing mechanisms.
|
|
|
* Authentication processing mechanisms (eg BASIC, CAS processing filters etc)
|
|
|
@@ -96,9 +97,14 @@ import javax.servlet.http.HttpSession;
|
|
|
*/
|
|
|
public class HttpSessionContextIntegrationFilter implements InitializingBean,
|
|
|
Filter {
|
|
|
+ //~ Static fields/initializers =============================================
|
|
|
+
|
|
|
protected static final Log logger = LogFactory.getLog(HttpSessionContextIntegrationFilter.class);
|
|
|
private static final String FILTER_APPLIED = "__acegi_session_integration_filter_applied";
|
|
|
public static final String ACEGI_SECURITY_CONTEXT_KEY = "ACEGI_SECURITY_CONTEXT";
|
|
|
+
|
|
|
+ //~ Instance fields ========================================================
|
|
|
+
|
|
|
private Class context = SecurityContextImpl.class;
|
|
|
private Object contextObject;
|
|
|
|
|
|
@@ -109,6 +115,8 @@ public class HttpSessionContextIntegrationFilter implements InitializingBean,
|
|
|
*/
|
|
|
private boolean allowSessionCreation = true;
|
|
|
|
|
|
+ //~ Methods ================================================================
|
|
|
+
|
|
|
public void setAllowSessionCreation(boolean allowSessionCreation) {
|
|
|
this.allowSessionCreation = allowSessionCreation;
|
|
|
}
|
|
|
@@ -126,10 +134,11 @@ public class HttpSessionContextIntegrationFilter implements InitializingBean,
|
|
|
}
|
|
|
|
|
|
public void afterPropertiesSet() throws Exception {
|
|
|
- if ((this.context == null) ||
|
|
|
- (!SecurityContext.class.isAssignableFrom(this.context))) {
|
|
|
+ if ((this.context == null)
|
|
|
+ || (!SecurityContext.class.isAssignableFrom(this.context))) {
|
|
|
throw new IllegalArgumentException(
|
|
|
- "context must be defined and implement SecurityContext (typically use net.sf.acegisecurity.context.SecurityContextImpl)");
|
|
|
+ "context must be defined and implement SecurityContext (typically use net.sf.acegisecurity.context.SecurityContextImpl; existing class is "
|
|
|
+ + this.context + ")");
|
|
|
}
|
|
|
|
|
|
this.contextObject = generateNewContext();
|
|
|
@@ -138,13 +147,11 @@ public class HttpSessionContextIntegrationFilter implements InitializingBean,
|
|
|
/**
|
|
|
* Does nothing. We use IoC container lifecycle services instead.
|
|
|
*/
|
|
|
- public void destroy() {
|
|
|
- }
|
|
|
+ public void destroy() {}
|
|
|
|
|
|
public void doFilter(ServletRequest request, ServletResponse response,
|
|
|
FilterChain chain) throws IOException, ServletException {
|
|
|
- if ((request != null) &&
|
|
|
- (request.getAttribute(FILTER_APPLIED) != null)) {
|
|
|
+ if ((request != null) && (request.getAttribute(FILTER_APPLIED) != null)) {
|
|
|
// ensure that filter is only applied once per request
|
|
|
chain.doFilter(request, response);
|
|
|
} else {
|
|
|
@@ -157,8 +164,7 @@ public class HttpSessionContextIntegrationFilter implements InitializingBean,
|
|
|
|
|
|
try {
|
|
|
httpSession = ((HttpServletRequest) request).getSession(false);
|
|
|
- } catch (IllegalStateException ignored) {
|
|
|
- }
|
|
|
+ } catch (IllegalStateException ignored) {}
|
|
|
|
|
|
if (httpSession != null) {
|
|
|
httpSessionExistedAtStartOfRequest = true;
|
|
|
@@ -169,17 +175,17 @@ public class HttpSessionContextIntegrationFilter implements InitializingBean,
|
|
|
if (contextFromSessionObject instanceof SecurityContext) {
|
|
|
if (logger.isDebugEnabled()) {
|
|
|
logger.debug(
|
|
|
- "Obtained from ACEGI_SECURITY_CONTEXT a valid SecurityContext and set to SecurityContextHolder: '" +
|
|
|
- contextFromSessionObject + "'");
|
|
|
+ "Obtained from ACEGI_SECURITY_CONTEXT a valid SecurityContext and set to SecurityContextHolder: '"
|
|
|
+ + contextFromSessionObject + "'");
|
|
|
}
|
|
|
|
|
|
SecurityContextHolder.setContext((SecurityContext) contextFromSessionObject);
|
|
|
} else {
|
|
|
if (logger.isWarnEnabled()) {
|
|
|
logger.warn(
|
|
|
- "ACEGI_SECURITY_CONTEXT did not contain a SecurityContext but contained: '" +
|
|
|
- contextFromSessionObject +
|
|
|
- "'; are you improperly modifying the HttpSession directly (you should always use SecurityContextHolder) or using the HttpSession attribute reserved for this class? - new SecurityContext instance associated with SecurityContextHolder");
|
|
|
+ "ACEGI_SECURITY_CONTEXT did not contain a SecurityContext but contained: '"
|
|
|
+ + contextFromSessionObject
|
|
|
+ + "'; are you improperly modifying the HttpSession directly (you should always use SecurityContextHolder) or using the HttpSession attribute reserved for this class? - new SecurityContext instance associated with SecurityContextHolder");
|
|
|
}
|
|
|
|
|
|
SecurityContextHolder.setContext(generateNewContext());
|
|
|
@@ -221,11 +227,9 @@ public class HttpSessionContextIntegrationFilter implements InitializingBean,
|
|
|
// Store context back to HttpSession
|
|
|
try {
|
|
|
httpSession = ((HttpServletRequest) request).getSession(false);
|
|
|
- } catch (IllegalStateException ignored) {
|
|
|
- }
|
|
|
+ } catch (IllegalStateException ignored) {}
|
|
|
|
|
|
- if ((httpSession == null) &&
|
|
|
- httpSessionExistedAtStartOfRequest) {
|
|
|
+ if ((httpSession == null) && httpSessionExistedAtStartOfRequest) {
|
|
|
if (logger.isDebugEnabled()) {
|
|
|
logger.debug(
|
|
|
"HttpSession is now null, but was not null at start of request; session was invalidated, so do not create a new session");
|
|
|
@@ -233,44 +237,44 @@ public class HttpSessionContextIntegrationFilter implements InitializingBean,
|
|
|
}
|
|
|
|
|
|
// Generate a HttpSession only if we need to
|
|
|
- if ((httpSession == null) &&
|
|
|
- !httpSessionExistedAtStartOfRequest) {
|
|
|
+ if ((httpSession == null)
|
|
|
+ && !httpSessionExistedAtStartOfRequest) {
|
|
|
if (!allowSessionCreation) {
|
|
|
if (logger.isDebugEnabled()) {
|
|
|
logger.debug(
|
|
|
"The HttpSession is currently null, and the HttpSessionContextIntegrationFilter is prohibited from creating a HttpSession (because the allowSessionCreation property is false) - SecurityContext thus not stored for next request");
|
|
|
}
|
|
|
} else if (!contextObject.equals(
|
|
|
- SecurityContextHolder.getContext())) {
|
|
|
+ SecurityContextHolder.getContext())) {
|
|
|
if (logger.isDebugEnabled()) {
|
|
|
logger.debug(
|
|
|
"HttpSession being created as SecurityContextHolder contents are non-default");
|
|
|
}
|
|
|
|
|
|
try {
|
|
|
- httpSession = ((HttpServletRequest) request).getSession(true);
|
|
|
- } catch (IllegalStateException ignored) {
|
|
|
- }
|
|
|
+ httpSession = ((HttpServletRequest) request)
|
|
|
+ .getSession(true);
|
|
|
+ } catch (IllegalStateException ignored) {}
|
|
|
} else {
|
|
|
if (logger.isDebugEnabled()) {
|
|
|
logger.debug(
|
|
|
- "HttpSession is null, but SecurityContextHolder has not changed from default: ' " +
|
|
|
- SecurityContextHolder.getContext() +
|
|
|
- "'; not creating HttpSession or storing SecurityContextHolder contents");
|
|
|
+ "HttpSession is null, but SecurityContextHolder has not changed from default: ' "
|
|
|
+ + SecurityContextHolder.getContext()
|
|
|
+ + "'; not creating HttpSession or storing SecurityContextHolder contents");
|
|
|
}
|
|
|
}
|
|
|
}
|
|
|
|
|
|
// If HttpSession exists, store current SecurityContextHolder contents
|
|
|
// but only if SecurityContext has actually changed (see JIRA SEC-37)
|
|
|
- if ((httpSession != null) &&
|
|
|
- (SecurityContextHolder.getContext().hashCode() != contextWhenChainProceeded)) {
|
|
|
+ if ((httpSession != null)
|
|
|
+ && (SecurityContextHolder.getContext().hashCode() != contextWhenChainProceeded)) {
|
|
|
httpSession.setAttribute(ACEGI_SECURITY_CONTEXT_KEY,
|
|
|
SecurityContextHolder.getContext());
|
|
|
|
|
|
if (logger.isDebugEnabled()) {
|
|
|
- logger.debug("SecurityContext stored to HttpSession: '" +
|
|
|
- SecurityContextHolder.getContext() + "'");
|
|
|
+ logger.debug("SecurityContext stored to HttpSession: '"
|
|
|
+ + SecurityContextHolder.getContext() + "'");
|
|
|
}
|
|
|
}
|
|
|
|
|
|
@@ -302,6 +306,5 @@ public class HttpSessionContextIntegrationFilter implements InitializingBean,
|
|
|
*
|
|
|
* @throws ServletException ignored
|
|
|
*/
|
|
|
- public void init(FilterConfig filterConfig) throws ServletException {
|
|
|
- }
|
|
|
+ public void init(FilterConfig filterConfig) throws ServletException {}
|
|
|
}
|
Ben Alex