
SEC-3070: Logout invalidate-session=false and Spring Session doesn't
work

Rob Winch 9 tahun lalu
induk
melakukan
69446ab80f

+ 1 - 1
web/src/main/java/org/springframework/security/web/context/HttpSessionSecurityContextRepository.java

@@ -337,7 +337,7 @@ public class HttpSessionSecurityContextRepository implements SecurityContextRepo
 					logger.debug("SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.");
 				}
 
-				if (httpSession != null && !contextObject.equals(contextBeforeExecution)) {
+				if (httpSession != null && authBeforeExecution != null) {
 					// SEC-1587 A non-anonymous context may still be in the session
 					// SEC-1735 remove if the contextBeforeExecution was not anonymous
 					httpSession.removeAttribute(springSecurityContextKey);
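Review bot: The comments above the new condition no longer describe the rule the code enforces: SEC-1735 says "remove if the contextBeforeExecution was not anonymous", but the replaced line checks only `authBeforeExecution != null`, so a reader cannot tell whether an anonymous-but-non-null authentication is meant to trigger the removal (the debug branch at the top of the hunk suggests anonymous contexts are never stored, but that logic is outside this view). I would add under the SEC-1735 line: `// SEC-3070 test the loaded authentication, not contextObject.equals(contextBeforeExecution): Spring Session hands back the same context instance, so an in-place mutation (logout with invalidate-session=false) never looked like a change`. Since this removeAttribute call is the only place a stale authenticated context is dropped from the session, a debug message naming that action, in the style of the "context will not be stored" message above, would help when diagnosing sessions that keep an old principal. The enclosing method (presumably saveContext, given the test) starts and ends outside this hunk.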

+ 19 - 1
web/src/test/java/org/springframework/security/web/context/HttpSessionSecurityContextRepositoryTests.java

@@ -501,6 +501,24 @@ public class HttpSessionSecurityContextRepositoryTests {
 				request.getSession().getAttribute(SPRING_SECURITY_CONTEXT_KEY));
 	}
 
+	// SEC-3070
+	@Test
+	public void logoutInvalidateSessionFalseFails() throws Exception {
+		HttpSessionSecurityContextRepository repo = new HttpSessionSecurityContextRepository();
+		MockHttpServletRequest request = new MockHttpServletRequest();
+		SecurityContext ctxInSession = SecurityContextHolder.createEmptyContext();
+		ctxInSession.setAuthentication(testToken);
+		request.getSession().setAttribute(SPRING_SECURITY_CONTEXT_KEY, ctxInSession);
+
+		HttpRequestResponseHolder holder = new HttpRequestResponseHolder(request, new MockHttpServletResponse());
+		repo.loadContext(holder);
+
+		ctxInSession.setAuthentication(null);
+		repo.saveContext(ctxInSession, holder.getRequest(), holder.getResponse());
+
+		assertNull(request.getSession().getAttribute(SPRING_SECURITY_CONTEXT_KEY));
+	}
+
 	@Test
 	@SuppressWarnings("deprecation")
 	public void sessionDisableUrlRewritingPreventsSessionIdBeingWrittenToUrl()
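Review bot: The test name `logoutInvalidateSessionFalseFails` reads as if failure were the expected outcome, while the assertion at the end checks that the context attribute has been removed; `logoutInvalidateSessionFalseRemovesContext` would state the behavior being pinned. The reason the test mutates `ctxInSession` in place after `loadContext` instead of saving a fresh empty context is the crux of SEC-3070 and deserves a comment where `setAuthentication(null)` is called, e.g. `// mutate the instance loadContext returned: with Spring Session the session holds that same object, so an equals()-based change check can never detect the logout`. The bare `// SEC-3070` marker above the method could carry that one-line summary instead of only the issue number. The enclosing test class continues outside this hunk.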
@@ -600,4 +618,4 @@ public class HttpSessionSecurityContextRepositoryTests {
 
 		repo.saveContext(context, request, response);
 	}
-}
+}