|
|
@@ -246,63 +246,73 @@ public class HttpSessionContextIntegrationFilter implements InitializingBean, Fi
|
|
|
|
|
|
/**
|
|
|
* Extracts the security context from the session (if available) and sets it on SecurityContextHolder.
|
|
|
+ * <p/>
|
|
|
+ * If the session is null, the context object is null or the context object stored in the session
|
|
|
+ * is not an instance of SecurityContext it will generate a new empty context and store this.
|
|
|
*
|
|
|
* @param httpSession the session obtained from the request.
|
|
|
*/
|
|
|
private void populateSecurityContextFromSession(HttpSession httpSession) throws ServletException {
|
|
|
- if (httpSession != null) {
|
|
|
-
|
|
|
- Object contextFromSessionObject = httpSession.getAttribute(ACEGI_SECURITY_CONTEXT_KEY);
|
|
|
-
|
|
|
- if (contextFromSessionObject != null) {
|
|
|
- // Clone if required (see SEC-356)
|
|
|
- if (cloneFromHttpSession) {
|
|
|
- Assert.isInstanceOf(Cloneable.class, contextFromSessionObject,
|
|
|
- "Context must implement Clonable and provide a Object.clone() method");
|
|
|
- try {
|
|
|
- Method m = contextFromSessionObject.getClass().getMethod("clone", new Class[]{});
|
|
|
- if (!m.isAccessible()) {
|
|
|
- m.setAccessible(true);
|
|
|
- }
|
|
|
- contextFromSessionObject = m.invoke(contextFromSessionObject, new Object[]{});
|
|
|
- }
|
|
|
- catch (Exception ex) {
|
|
|
- ReflectionUtils.handleReflectionException(ex);
|
|
|
- }
|
|
|
- }
|
|
|
+ if (httpSession == null) {
|
|
|
+ if (logger.isDebugEnabled()) {
|
|
|
+ logger.debug("No HttpSession currently exists - new SecurityContext instance "
|
|
|
+ + "associated with SecurityContextHolder");
|
|
|
+ }
|
|
|
|
|
|
- if (contextFromSessionObject instanceof SecurityContext) {
|
|
|
- if (logger.isDebugEnabled()) {
|
|
|
- logger.debug("Obtained from ACEGI_SECURITY_CONTEXT a valid SecurityContext and "
|
|
|
- + "set to SecurityContextHolder: '" + contextFromSessionObject + "'");
|
|
|
- }
|
|
|
-
|
|
|
- SecurityContextHolder.setContext((SecurityContext) contextFromSessionObject);
|
|
|
- } else {
|
|
|
- if (logger.isWarnEnabled()) {
|
|
|
- logger
|
|
|
- .warn("ACEGI_SECURITY_CONTEXT did not contain a SecurityContext but contained: '"
|
|
|
- + contextFromSessionObject
|
|
|
- + "'; are you improperly modifying the HttpSession directly "
|
|
|
- + "(you should always use SecurityContextHolder) or using the HttpSession attribute "
|
|
|
- + "reserved for this class? - new SecurityContext instance associated with "
|
|
|
- + "SecurityContextHolder");
|
|
|
- }
|
|
|
-
|
|
|
- SecurityContextHolder.setContext(generateNewContext());
|
|
|
- }
|
|
|
- } else {
|
|
|
- if (logger.isDebugEnabled()) {
|
|
|
- logger.debug("HttpSession returned null object for ACEGI_SECURITY_CONTEXT - new "
|
|
|
- + "SecurityContext instance associated with SecurityContextHolder");
|
|
|
+ SecurityContextHolder.setContext(generateNewContext());
|
|
|
+
|
|
|
+ return;
|
|
|
+ }
|
|
|
+
|
|
|
+ // Session exists, so try to obtain a context from it.
|
|
|
+
|
|
|
+ Object contextFromSessionObject = httpSession.getAttribute(ACEGI_SECURITY_CONTEXT_KEY);
|
|
|
+
|
|
|
+ if (contextFromSessionObject == null) {
|
|
|
+ if (logger.isDebugEnabled()) {
|
|
|
+ logger.debug("HttpSession returned null object for ACEGI_SECURITY_CONTEXT - new "
|
|
|
+ + "SecurityContext instance associated with SecurityContextHolder");
|
|
|
+ }
|
|
|
+
|
|
|
+ SecurityContextHolder.setContext(generateNewContext());
|
|
|
+
|
|
|
+ return;
|
|
|
+ }
|
|
|
+
|
|
|
+ // We now have the security context object from the session.
|
|
|
+
|
|
|
+ // Clone if required (see SEC-356)
|
|
|
+ if (cloneFromHttpSession) {
|
|
|
+ Assert.isInstanceOf(Cloneable.class, contextFromSessionObject,
|
|
|
+ "Context must implement Clonable and provide a Object.clone() method");
|
|
|
+ try {
|
|
|
+ Method m = contextFromSessionObject.getClass().getMethod("clone", new Class[]{});
|
|
|
+ if (!m.isAccessible()) {
|
|
|
+ m.setAccessible(true);
|
|
|
}
|
|
|
+ contextFromSessionObject = m.invoke(contextFromSessionObject, new Object[]{});
|
|
|
+ }
|
|
|
+ catch (Exception ex) {
|
|
|
+ ReflectionUtils.handleReflectionException(ex);
|
|
|
+ }
|
|
|
+ }
|
|
|
|
|
|
- SecurityContextHolder.setContext(generateNewContext());
|
|
|
+ if (contextFromSessionObject instanceof SecurityContext) {
|
|
|
+ if (logger.isDebugEnabled()) {
|
|
|
+ logger.debug("Obtained from ACEGI_SECURITY_CONTEXT a valid SecurityContext and "
|
|
|
+ + "set to SecurityContextHolder: '" + contextFromSessionObject + "'");
|
|
|
}
|
|
|
+
|
|
|
+ SecurityContextHolder.setContext((SecurityContext) contextFromSessionObject);
|
|
|
} else {
|
|
|
- if (logger.isDebugEnabled()) {
|
|
|
- logger.debug("No HttpSession currently exists - new SecurityContext instance "
|
|
|
- + "associated with SecurityContextHolder");
|
|
|
+ if (logger.isWarnEnabled()) {
|
|
|
+ logger
|
|
|
+ .warn("ACEGI_SECURITY_CONTEXT did not contain a SecurityContext but contained: '"
|
|
|
+ + contextFromSessionObject
|
|
|
+ + "'; are you improperly modifying the HttpSession directly "
|
|
|
+ + "(you should always use SecurityContextHolder) or using the HttpSession attribute "
|
|
|
+ + "reserved for this class? - new SecurityContext instance associated with "
|
|
|
+ + "SecurityContextHolder");
|
|
|
}
|
|
|
|
|
|
SecurityContextHolder.setContext(generateNewContext());
|
Luke Taylor