From a056946c490168b159d033de1252126442040b94 Mon Sep 17 00:00:00 2001
From: Ben Alex jsessionid
* etc), the {@link #setAllowSessionCreation(boolean)} should be set to
* false. Only do this if you really need to conserve server
- * memory and ensure all classes using the ContextHolder
- * are designed to have no persistence of the Context between web
+ * memory and ensure all classes using the ContextHolder are
+ * designed to have no persistence of the Context between web
* requests.
*
- * This filter MUST be executed BEFORE any authentication processing mechanisms.
+ * This filter MUST be executed BEFORE any authentication procesing mechanisms.
* Authentication processing mechanisms (eg BASIC, CAS processing filters etc)
* expect the ContextHolder to contain a valid
* SecureContext by the time they execute.
@@ -166,12 +166,15 @@ public class HttpSessionContextIntegrationFilter implements InitializingBean,
}
HttpSession httpSession = null;
+ boolean httpSessionExistedAtStartOfRequest = false;
try {
httpSession = ((HttpServletRequest) request).getSession(false);
} catch (IllegalStateException ignored) {}
if (httpSession != null) {
+ httpSessionExistedAtStartOfRequest = true;
+
Object contextObject = httpSession.getAttribute(ACEGI_SECURITY_CONTEXT_KEY);
if (contextObject != null) {
@@ -213,6 +216,11 @@ public class HttpSessionContextIntegrationFilter implements InitializingBean,
}
}
+ // Make the HttpSession null, as we want to ensure we don't keep
+ // a reference to the HttpSession laying around in case the
+ // chain.doFilter() invalidates it.
+ httpSession = null;
+
// Proceed with chain
chain.doFilter(request, response);
@@ -221,8 +229,15 @@ public class HttpSessionContextIntegrationFilter implements InitializingBean,
httpSession = ((HttpServletRequest) request).getSession(false);
} catch (IllegalStateException ignored) {}
+ if ((httpSession == null) && httpSessionExistedAtStartOfRequest) {
+ if (logger.isDebugEnabled()) {
+ logger.debug(
+ "HttpSession is now null, but was not null at start of request; session was invalidated, so do not create a new session");
+ }
+ }
+
// Generate a HttpSession only if we need to
- if (httpSession == null) {
+ if ((httpSession == null) && !httpSessionExistedAtStartOfRequest) {
if (!allowSessionCreation) {
if (logger.isDebugEnabled()) {
logger.debug(
diff --git a/doc/xdocs/changes.xml b/doc/xdocs/changes.xml
index 8cc04352d9..a9226b380d 100644
--- a/doc/xdocs/changes.xml
+++ b/doc/xdocs/changes.xml
@@ -26,11 +26,14 @@