|
|
@@ -28,6 +28,8 @@ import javax.servlet.http.HttpSession;
|
|
|
import org.springframework.beans.factory.InitializingBean;
|
|
|
import org.springframework.util.Assert;
|
|
|
import org.springframework.util.ReflectionUtils;
|
|
|
+import org.springframework.security.AuthenticationTrustResolver;
|
|
|
+import org.springframework.security.AuthenticationTrustResolverImpl;
|
|
|
import org.springframework.security.ui.SpringSecurityFilter;
|
|
|
import org.springframework.security.ui.FilterChainOrder;
|
|
|
|
|
|
@@ -150,6 +152,8 @@ public class HttpSessionContextIntegrationFilter extends SpringSecurityFilter im
|
|
|
* method.
|
|
|
*/
|
|
|
private boolean cloneFromHttpSession = false;
|
|
|
+
|
|
|
+ private AuthenticationTrustResolver authenticationTrustResolver = new AuthenticationTrustResolverImpl();
|
|
|
|
|
|
public boolean isCloneFromHttpSession() {
|
|
|
return cloneFromHttpSession;
|
|
|
@@ -320,7 +324,8 @@ public class HttpSessionContextIntegrationFilter extends SpringSecurityFilter im
|
|
|
|
|
|
/**
|
|
|
* Stores the supplied security context in the session (if available) and if it has changed since it was
|
|
|
- * set at the start of the request.
|
|
|
+ * set at the start of the request. If the AuthenticationTrustResolver identifies the current user as
|
|
|
+ * anonymous, then the context will not be stored.
|
|
|
*
|
|
|
* @param securityContext the context object obtained from the SecurityContextHolder after the request has
|
|
|
* been processed by the filter chain. SecurityContextHolder.getContext() cannot be used to obtain
|
|
|
@@ -356,7 +361,7 @@ public class HttpSessionContextIntegrationFilter extends SpringSecurityFilter im
|
|
|
+ "(because the allowSessionCreation property is false) - SecurityContext thus not "
|
|
|
+ "stored for next request");
|
|
|
}
|
|
|
- } else if (!contextObject.equals(securityContext)) {
|
|
|
+ } else if (!contextObject.equals(securityContext)) {
|
|
|
if (logger.isDebugEnabled()) {
|
|
|
logger.debug("HttpSession being created as SecurityContextHolder contents are non-default");
|
|
|
}
|
|
|
@@ -376,11 +381,18 @@ public class HttpSessionContextIntegrationFilter extends SpringSecurityFilter im
|
|
|
// If HttpSession exists, store current SecurityContextHolder contents but only if
|
|
|
// the SecurityContext has actually changed (see JIRA SEC-37)
|
|
|
if (httpSession != null && securityContext.hashCode() != contextHashBeforeChainExecution) {
|
|
|
- httpSession.setAttribute(SPRING_SECURITY_CONTEXT_KEY, securityContext);
|
|
|
-
|
|
|
- if (logger.isDebugEnabled()) {
|
|
|
- logger.debug("SecurityContext stored to HttpSession: '" + securityContext + "'");
|
|
|
- }
|
|
|
+ // See SEC-766
|
|
|
+ if (authenticationTrustResolver.isAnonymous(securityContext.getAuthentication())) {
|
|
|
+ if (logger.isDebugEnabled()) {
|
|
|
+ logger.debug("SecurityContext contents are anonymous - context wil not be stored in HttpSession. ");
|
|
|
+ }
|
|
|
+ } else {
|
|
|
+ httpSession.setAttribute(SPRING_SECURITY_CONTEXT_KEY, securityContext);
|
|
|
+
|
|
|
+ if (logger.isDebugEnabled()) {
|
|
|
+ logger.debug("SecurityContext stored to HttpSession: '" + securityContext + "'");
|
|
|
+ }
|
|
|
+ }
|
|
|
}
|
|
|
}
|
|
|
|
Luke Taylor