Kezdőlap Felfedezés Súgó
Regisztráció Bejelentkezés
github
/
spring-security
tükrözi: https://github.com/spring-projects/spring-security
2
0
Másolás 0
Fájlok Problémák 0 Wiki
Forráskód Böngészése

SEC-767: Added check for committed response before attempting to create a new session

Luke Taylor 17 éve
szülő
48c5a5e7ce
commit
a2f4ee1c58
1 módosított fájl, 10 hozzáadás és 3 törlés
Osztott Nézet Diff Statisztika Mutatása
  1. 10 3
      core/src/main/java/org/springframework/security/ui/SessionFixationProtectionFilter.java

+ 10 - 3
core/src/main/java/org/springframework/security/ui/SessionFixationProtectionFilter.java
Fájl Megtekintése 

@@ -21,6 +21,9 @@ import org.springframework.security.util.SessionUtils;
 
  * This is essentially a generalization of the functionality that was implemented for SEC-399. Additionally, it will
 
  * update the configured SessionRegistry if one is in use, thus preventing problems when used with Spring Security's
 
  * concurrent session control.
 
+ * <p>
 
+ * If the response has already been committed when the filter checks the authentication state, then it isn't possible 
+ * to create a new session and the filter will print a warning to that effect. 
  * 
  * @author Martin Algesten
 
  * @author Luke Taylor
 
@@ -65,7 +68,7 @@ public class SessionFixationProtectionFilter extends SpringSecurityFilter {
 
             chain.doFilter(request, wrapper);
 
         } finally {
 
             if (!wrapper.isNewSessionStarted()) {
 
-                startNewSessionIfRequired(request);
 
+                startNewSessionIfRequired(request, response);
 
             }
 
         }
 
     }
 
@@ -94,8 +97,12 @@ public class SessionFixationProtectionFilter extends SpringSecurityFilter {
 
      * If the user is now authenticated, a new session will be created, the session attributes copied to it (if 
      * <tt>migrateSessionAttributes</tt> is set and the sessionRegistry updated with the new session information.
 
      */
 
-    protected void startNewSessionIfRequired(HttpServletRequest request) {
 
+    protected void startNewSessionIfRequired(HttpServletRequest request, HttpServletResponse response) {
 
         if (isAuthenticated()) {
 
+            if (request.getSession(false) != null && response.isCommitted()) {
 
+                logger.warn("Response is already committed. Unable to create new session.");
 
+            }
 
+            
             SessionUtils.startNewSessionIfRequired(request, migrateSessionAttributes, sessionRegistry);
 
         }
 
     }
 
@@ -151,7 +158,7 @@ public class SessionFixationProtectionFilter extends SpringSecurityFilter {
 
             if (newSessionStarted) {
 
                 return;
 
             }
 
-            startNewSessionIfRequired(request);
 
+            startNewSessionIfRequired(request, this);
 
             newSessionStarted = true;
 
         }