
SEC-1735: Do not remove SecurityContext from HttpSession when anonymous Authentication is saved if original SecurityContext was anonymous

Rob Winch 14 سال پیش
والد
کامیت
5d94cd5e13

+ 2 - 1
web/src/main/java/org/springframework/security/web/context/HttpSessionSecurityContextRepository.java

@@ -269,8 +269,9 @@ public class HttpSessionSecurityContextRepository implements SecurityContextRepo
                     logger.debug("SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.");
                 }
 
-                if (httpSession != null) {
+                if (httpSession != null && !contextObject.equals(contextBeforeExecution)) {
                     // SEC-1587 A non-anonymous context may still be in the session
+                    // SEC-1735 remove if the contextBeforeExecution was not anonymous
                     httpSession.removeAttribute(springSecurityContextKey);
                 }
                 return;
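Review bot: The new guard at `if (httpSession != null && !contextObject.equals(contextBeforeExecution))` tests something weaker than what the SEC-1735 comment states: it skips the removal whenever the saved context compares equal to the pre-execution one, which for the default SecurityContextImpl means the two Authentication objects are equal, so the outcome depends on token equality (an anonymous token re-created later in the request with the same principal and authorities compares equal; one built with different values does not) rather than on whether the pre-execution context was anonymous. If the intent is the one the comment describes, a check on the pre-execution authentication itself is more direct, e.g. `Authentication before = contextBeforeExecution.getAuthentication();` followed by `if (httpSession != null && before != null && !trustResolver.isAnonymous(before)) {`, assuming the class's trust resolver is reachable from this wrapper (the field is outside the hunk). It would also be worth a note on the nullability of `contextObject` and `contextBeforeExecution` here, since `equals` is called on the former without a guard and the assignment of both lies outside the hunk. The enclosing saveContext method starts and ends outside this hunk.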

+ 15 - 0
web/src/test/java/org/springframework/security/web/context/HttpSessionSecurityContextRepositoryTests.java

@@ -203,6 +203,21 @@ public class HttpSessionSecurityContextRepositoryTests {
         assertNull(request.getSession().getAttribute("imTheContext"));
     }
 
+    // SEC-1735
+    @Test
+    public void contextIsNotRemovedFromSessionIfContextBeforeExecutionDefault() throws Exception {
+        HttpSessionSecurityContextRepository repo = new HttpSessionSecurityContextRepository();
+        MockHttpServletRequest request = new MockHttpServletRequest();
+        HttpRequestResponseHolder holder = new HttpRequestResponseHolder(request, new MockHttpServletResponse());
+        repo.loadContext(holder);
+        SecurityContext ctxInSession = SecurityContextHolder.createEmptyContext();
+        ctxInSession.setAuthentication(testToken);
+        request.getSession().setAttribute(SPRING_SECURITY_CONTEXT_KEY, ctxInSession);
+        SecurityContextHolder.getContext().setAuthentication(new AnonymousAuthenticationToken("x","x", AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS")));
+        repo.saveContext(SecurityContextHolder.getContext(), holder.getRequest(), holder.getResponse());
+        assertSame(ctxInSession,request.getSession().getAttribute(SPRING_SECURITY_CONTEXT_KEY));
+    }
+
     @Test
     @SuppressWarnings("deprecation")
     public void sessionDisableUrlRewritingPreventsSessionIdBeingWrittenToUrl() throws Exception {
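Review bot: The new test sets an AnonymousAuthenticationToken on `SecurityContextHolder.getContext()` and never clears it, so the thread-local holder stays populated after the method returns; unless an @After hook outside the hunk calls `SecurityContextHolder.clearContext()`, that state can leak into later tests in the same class. Also, the test asserts only the session side (`assertSame(ctxInSession, ...)`) while the behaviour under test is decided by how `contextBeforeExecution` inside the wrapper relates to the context passed to saveContext; a one-line comment stating which pre-execution context the test expects the wrapper to have captured from `repo.loadContext(holder)` (an empty one, per the method name) would make the intent clear to the next reader.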