
SEC-1190: Added "invalidateSessionOnPrincipalChange" property to AbstractPreAuthenticatedProcessingFilter. If set to true (the default) and a new principal is detected, the existing session will be invalidated before proceeding to authenticate the user.

Luke Taylor 16 년 전
부모
커밋
b2c2b93545

+ 22 - 0
web/src/main/java/org/springframework/security/web/authentication/preauth/AbstractPreAuthenticatedProcessingFilter.java

@@ -8,6 +8,7 @@ import javax.servlet.ServletRequest;
 import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
 
 import org.springframework.beans.factory.InitializingBean;
 import org.springframework.context.ApplicationEventPublisher;
@@ -51,6 +52,8 @@ public abstract class AbstractPreAuthenticatedProcessingFilter extends GenericFi
 
     private boolean checkForPrincipalChanges;
 
+    private boolean invalidateSessionOnPrincipalChange = true;
+
     /**
      * Check whether all required properties have been set.
      */
@@ -123,6 +126,15 @@ public abstract class AbstractPreAuthenticatedProcessingFilter extends GenericFi
                 !currentUser.getName().equals(principal)) {
             logger.debug("Pre-authenticated principal has changed to " + principal + " and will be reauthenticated");
 
+            if (invalidateSessionOnPrincipalChange) {
+                HttpSession session = request.getSession(false);
+
+                if (session != null) {
+                    logger.debug("Invalidating existing session");
+                    session.invalidate();
+                }
+            }
+
             return true;
         }
 
@@ -197,6 +209,16 @@ public abstract class AbstractPreAuthenticatedProcessingFilter extends GenericFi
         this.checkForPrincipalChanges = checkForPrincipalChanges;
     }
 
+    /**
+     * If <tt>checkForPrincipalChanges</tt> is set, and a change of principal is detected, determines whether
+     * any existing session should be invalidated before proceeding to authenticate the new principal.
+     *
+     * @param invalidateSessionOnPrincipalChange <tt>false</tt> to retain the existing session. Defaults to <tt>true</tt>.
+     */
+    public void setInvalidateSessionOnPrincipalChange(boolean invalidateSessionOnPrincipalChange) {
+        this.invalidateSessionOnPrincipalChange = invalidateSessionOnPrincipalChange;
+    }
+
     /**
      * Override to extract the principal information from the current request
      */
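Review bot: The Javadoc for setInvalidateSessionOnPrincipalChange says "any existing session should be invalidated" but does not state the consequence that matters to deployers: the whole HttpSession is dropped via `HttpSession.invalidate()`, so every session attribute, not only the security context, is lost when the principal changes, and nothing happens when no session exists. I'd extend the first paragraph with a sentence such as `Invalidation discards the entire HTTP session (all attributes, not just the security context); if the request has no session, nothing is done.` and add `@see #setCheckForPrincipalChanges(boolean)` since the setting has no effect unless that flag is enabled. Consider also repeating the default on the field declared in the earlier hunk, which currently carries no comment.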