Home Explore Help
Register Sign In
github
/
spring-security
mirror of https://github.com/spring-projects/spring-security
2
0
Fork 0
Files Issues 0 Wiki
Browse Source

HttpSessionContextIntegrationFilter now handles HttpSession invalidation without redirection.

Ben Alex 20 years ago
parent
8592e3bcbf
commit
a056946c49
2 changed files with 24 additions and 6 deletions
Unified View Show Diff Stats
  1. 19 4
      core/src/main/java/org/acegisecurity/context/HttpSessionContextIntegrationFilter.java
  2. 5 2
      doc/xdocs/changes.xml

+ 19 - 4
core/src/main/java/org/acegisecurity/context/HttpSessionContextIntegrationFilter.java
View File 

@@ -76,13 +76,13 @@ import javax.servlet.http.HttpSession;
 
  * similar clients that will never present the same <code>jsessionid</code>
 
  * similar clients that will never present the same <code>jsessionid</code>
 
  * etc), the  {@link #setAllowSessionCreation(boolean)} should be set to
 
  * etc), the  {@link #setAllowSessionCreation(boolean)} should be set to
 
  * <code>false</code>. Only do this if you really need to conserve server
 
  * <code>false</code>. Only do this if you really need to conserve server
 
- * memory and ensure all classes using the <code>ContextHolder</code>
 
- * are designed to have no persistence of the <code>Context</code> between web
 
+ * memory and ensure all classes using the <code>ContextHolder</code> are
 
+ * designed to have no persistence of the <code>Context</code> between web
 
  * requests.
 
  * requests.
 
  * </p>
 
  * </p>
 
  * 
  * 
  * <p>
 
  * <p>
 
- * This filter MUST be executed BEFORE any authentication processing mechanisms.
 
+ * This filter MUST be executed BEFORE any authentication procesing mechanisms.
 
  * Authentication processing mechanisms (eg BASIC, CAS processing filters etc)
 
  * Authentication processing mechanisms (eg BASIC, CAS processing filters etc)
 
  * expect the <code>ContextHolder</code> to contain a valid
 
  * expect the <code>ContextHolder</code> to contain a valid
 
  * <code>SecureContext</code> by the time they execute.
 
  * <code>SecureContext</code> by the time they execute.
 
@@ -166,12 +166,15 @@ public class HttpSessionContextIntegrationFilter implements InitializingBean,
 
             }
 
             }
 
 
 
             HttpSession httpSession = null;
 
             HttpSession httpSession = null;
 
+            boolean httpSessionExistedAtStartOfRequest = false;
 
 
 
             try {
 
             try {
 
                 httpSession = ((HttpServletRequest) request).getSession(false);
 
                 httpSession = ((HttpServletRequest) request).getSession(false);
 
             } catch (IllegalStateException ignored) {}
 
             } catch (IllegalStateException ignored) {}
 
 
 
             if (httpSession != null) {
 
             if (httpSession != null) {
 
+                httpSessionExistedAtStartOfRequest = true;
 
+
 
                 Object contextObject = httpSession.getAttribute(ACEGI_SECURITY_CONTEXT_KEY);
 
                 Object contextObject = httpSession.getAttribute(ACEGI_SECURITY_CONTEXT_KEY);
 
 
 
                 if (contextObject != null) {
 
                 if (contextObject != null) {
 
@@ -213,6 +216,11 @@ public class HttpSessionContextIntegrationFilter implements InitializingBean,
 
                 }
 
                 }
 
             }
 
             }
 
 
 
+            // Make the HttpSession null, as we want to ensure we don't keep
 
+            // a reference to the HttpSession laying around in case the
 
+            // chain.doFilter() invalidates it.
 
+            httpSession = null;
 
+
 
             // Proceed with chain
 
             // Proceed with chain
 
             chain.doFilter(request, response);
 
             chain.doFilter(request, response);
 
 
 
@@ -221,8 +229,15 @@ public class HttpSessionContextIntegrationFilter implements InitializingBean,
 
                 httpSession = ((HttpServletRequest) request).getSession(false);
 
                 httpSession = ((HttpServletRequest) request).getSession(false);
 
             } catch (IllegalStateException ignored) {}
 
             } catch (IllegalStateException ignored) {}
 
 
 
+            if ((httpSession == null) && httpSessionExistedAtStartOfRequest) {
 
+                if (logger.isDebugEnabled()) {
 
+                    logger.debug(
 
+                        "HttpSession is now null, but was not null at start of request; session was invalidated, so do not create a new session");
 
+                }
 
+            }
 
+
 
             // Generate a HttpSession only if we need to
 
             // Generate a HttpSession only if we need to
 
-            if (httpSession == null) {
 
+            if ((httpSession == null) && !httpSessionExistedAtStartOfRequest) {
 
                 if (!allowSessionCreation) {
 
                 if (!allowSessionCreation) {
 
                     if (logger.isDebugEnabled()) {
 
                     if (logger.isDebugEnabled()) {
 
                         logger.debug(
 
                         logger.debug(

+ 5 - 2
doc/xdocs/changes.xml
View File 

@@ -26,11 +26,14 @@
 
   </properties>
 
   </properties>
 
   <body>
 
   <body>
 
     <release version="0.8.1" date="In CVS">
 
     <release version="0.8.1" date="In CVS">
 
+      <action dev="benalex" type="add">X509 (certificate-based) authentication support</action>
 
+      <action dev="benalex" type="update">ContextHolderAwareRequestWrapper methods returns null if user is anonymous</action>
 
+      <action dev="benalex" type="update">AbstractBasicAclEntry improved compatibility with Hibernate</action>
 
       <action dev="benalex" type="fix">SecurityEnforcementFilter caused NullPointerException when anonymous authentication used with BasicProcessingFilterEntryPoint</action>
 
       <action dev="benalex" type="fix">SecurityEnforcementFilter caused NullPointerException when anonymous authentication used with BasicProcessingFilterEntryPoint</action>
 
       <action dev="benalex" type="fix">FilterChainProxy now supports replacement of ServletRequest and ServetResponse by Filter beans</action>
 
       <action dev="benalex" type="fix">FilterChainProxy now supports replacement of ServletRequest and ServetResponse by Filter beans</action>
 
       <action dev="benalex" type="fix">Corrected Authz parsing of whitespace in GrantedAuthoritys</action>
 
       <action dev="benalex" type="fix">Corrected Authz parsing of whitespace in GrantedAuthoritys</action>
 
-      <action dev="benalex" type="update">ContextHolderAwareRequestWrapper methods returns null if user is anonymous</action>
 
-      <action dev="benalex" type="update">AbstractBasicAclEntry improved compatibility with Hibernate</action>
 
+      <action dev="benalex" type="fix">TokenBasedRememberMeServices now respects expired users, expired credentials and disabled users</action>
 
+      <action dev="benalex" type="fix">HttpSessionContextIntegrationFilter now handles HttpSession invalidation without redirection</action>
 
     </release>
 
     </release>
 
     <release version="0.8.0" date="2005-03-03">
 
     <release version="0.8.0" date="2005-03-03">
 
       <action dev="benalex" type="add">Added Digest Authentication support (RFC 2617 and RFC 2069)</action>
 
       <action dev="benalex" type="add">Added Digest Authentication support (RFC 2617 and RFC 2069)</action>