16 سال پیش · b2c2b93545
--- a/web/src/main/java/org/springframework/security/web/authentication/preauth/AbstractPreAuthenticatedProcessingFilter.java
+++ b/web/src/main/java/org/springframework/security/web/authentication/preauth/AbstractPreAuthenticatedProcessingFilter.java
@@ -8,6 +8,7 @@ import javax.servlet.ServletRequest;
 
				 import javax.servlet.ServletResponse;

			
 
				 import javax.servlet.http.HttpServletRequest;

			
 
				 import javax.servlet.http.HttpServletResponse;

			
 
				+import javax.servlet.http.HttpSession;

			
 
				 

			
 
				 import org.springframework.beans.factory.InitializingBean;

			
 
				 import org.springframework.context.ApplicationEventPublisher;

			
@@ -51,6 +52,8 @@ public abstract class AbstractPreAuthenticatedProcessingFilter extends GenericFi
 
				 

			
 
				     private boolean checkForPrincipalChanges;

			
 
				 

			
 
				+    private boolean invalidateSessionOnPrincipalChange = true;

			
 
				+

			
 
				     /**

			
 
				      * Check whether all required properties have been set.

			
 
				      */

			
@@ -123,6 +126,15 @@ public abstract class AbstractPreAuthenticatedProcessingFilter extends GenericFi
 
				                 !currentUser.getName().equals(principal)) {

			
 
				             logger.debug("Pre-authenticated principal has changed to " + principal + " and will be reauthenticated");

			
 
				 

			
 
				+            if (invalidateSessionOnPrincipalChange) {

			
 
				+                HttpSession session = request.getSession(false);

			
 
				+

			
 
				+                if (session != null) {

			
 
				+                    logger.debug("Invalidating existing session");

			
 
				+                    session.invalidate();

			
 
				+                }

			
 
				+            }

			
 
				+

			
 
				             return true;

			
 
				         }

			
 
				 

			
@@ -197,6 +209,16 @@ public abstract class AbstractPreAuthenticatedProcessingFilter extends GenericFi
 
				         this.checkForPrincipalChanges = checkForPrincipalChanges;

			
 
				     }

			
 
				 

			
 
				+    /**

			
 
				+     * If <tt>checkForPrincipalChanges</tt> is set, and a change of principal is detected, determines whether

			
 
				+     * any existing session should be invalidated before proceeding to authenticate the new principal.

			
 
				+     *

			
 
				+     * @param invalidateSessionOnPrincipalChange <tt>false</tt> to retain the existing session. Defaults to <tt>true</tt>.

			
 
				+     */

			
 
				+    public void setInvalidateSessionOnPrincipalChange(boolean invalidateSessionOnPrincipalChange) {

			
 
				+        this.invalidateSessionOnPrincipalChange = invalidateSessionOnPrincipalChange;

			
 
				+    }

			
 
				+

			
 
				     /**

			
 
				      * Override to extract the principal information from the current request

			
 
				      */