
SEC-1870: Updated HttpSessionDestroyedEvent to properly look for SecurityContexts as session attribute values instead of session attribute names

Rob Winch 13 年之前
父節點
當前提交
6fe6e18939

+ 6 - 4
web/src/main/java/org/springframework/security/web/session/HttpSessionDestroyedEvent.java

@@ -27,6 +27,7 @@ import java.util.*;
  *
  * @author Ray Krueger
  * @author Luke Taylor
+ * @author Rob Winch
  */
 public class HttpSessionDestroyedEvent extends SessionDestroyedEvent {
     //~ Constructors ===================================================================================================
@@ -42,16 +43,17 @@ public class HttpSessionDestroyedEvent extends SessionDestroyedEvent {
     @SuppressWarnings("unchecked")
     @Override
     public List<SecurityContext> getSecurityContexts() {
-        HttpSession session = (HttpSession)getSource();
+        HttpSession session = getSession();
 
         Enumeration<String> attributes = session.getAttributeNames();
 
         ArrayList<SecurityContext> contexts = new ArrayList<SecurityContext>();
 
         while(attributes.hasMoreElements()) {
-            Object attribute = attributes.nextElement();
-            if (attribute instanceof SecurityContext) {
-                contexts.add((SecurityContext) attribute);
+            String attributeName = attributes.nextElement();
+            Object attributeValue = session.getAttribute(attributeName);
+            if (attributeValue instanceof SecurityContext) {
+                contexts.add((SecurityContext) attributeValue);
             }
         }
 
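Review bot: getSecurityContexts() still reads the live HttpSession on every call (`session.getAttributeNames()` and the new `session.getAttribute(attributeName)`), and both throw IllegalStateException once the session has been invalidated. A listener that handles this event after the container finishes invalidation, for example on an asynchronous event multicaster, would fail instead of receiving the contexts it needs for cleanup. The method should carry Javadoc stating this, along the lines of `Scans every session attribute value and returns those that are SecurityContext instances; must be called while the session is still valid.` It is also worth documenting that values are matched under any attribute name, so a context nested inside another attribute object is not found. The method body continues past the end of this hunk.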

+ 55 - 0
web/src/test/java/org/springframework/security/web/session/HttpSessionDestroyedEventTests.java

@@ -0,0 +1,55 @@
+package org.springframework.security.web.session;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertSame;
+import static org.mockito.Mockito.mock;
+
+import java.util.List;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.springframework.mock.web.MockHttpSession;
+import org.springframework.security.core.context.SecurityContext;
+import org.springframework.security.core.context.SecurityContextImpl;
+
+/**
+ *
+ * @author Rob Winch
+ *
+ */
+public class HttpSessionDestroyedEventTests {
+    private MockHttpSession session;
+    private HttpSessionDestroyedEvent destroyedEvent;
+
+    @Before
+    public void setUp() {
+        session = new MockHttpSession();
+        session.setAttribute("notcontext", "notcontext");
+        session.setAttribute("null", null);
+        session.setAttribute("context", new SecurityContextImpl());
+        destroyedEvent = new HttpSessionDestroyedEvent(session);
+    }
+
+    // SEC-1870
+    @Test
+    public void getSecurityContexts() {
+        List<SecurityContext> securityContexts = destroyedEvent.getSecurityContexts();
+        assertEquals(1,securityContexts.size());
+        assertSame(session.getAttribute("context"), securityContexts.get(0));
+    }
+
+    @Test
+    public void getSecurityContextsMulti() {
+        session.setAttribute("another", new SecurityContextImpl());
+        List<SecurityContext> securityContexts = destroyedEvent.getSecurityContexts();
+        assertEquals(2,securityContexts.size());
+    }
+
+    @Test
+    public void getSecurityContextsDiffImpl() {
+        session.setAttribute("context", mock(SecurityContext.class));
+        List<SecurityContext> securityContexts = destroyedEvent.getSecurityContexts();
+        assertEquals(1,securityContexts.size());
+        assertSame(session.getAttribute("context"), securityContexts.get(0));
+    }
+}
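Review bot: The `session.setAttribute("null", null);` line in setUp() probably does not exercise a null attribute value, because the Servlet API treats setting null as removing the attribute, so no "null" entry is left to enumerate. The suite also has no case where the session holds no SecurityContext at all. I would add a test whose body is `session.removeAttribute("context");` followed by `assertEquals(0, destroyedEvent.getSecurityContexts().size());`. In getSecurityContextsMulti only the size is asserted, so it would still pass if the same context were returned twice; an identity check on both entries, such as `assertTrue(securityContexts.contains(session.getAttribute("another")));`, would tighten it.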