From a056946c490168b159d033de1252126442040b94 Mon Sep 17 00:00:00 2001 From: Ben Alex Date: Fri, 18 Mar 2005 00:50:12 +0000 Subject: [PATCH] HttpSessionContextIntegrationFilter now handles HttpSession invalidation without redirection. --- .../HttpSessionContextIntegrationFilter.java | 23 +++++++++++++++---- doc/xdocs/changes.xml | 7 ++++-- 2 files changed, 24 insertions(+), 6 deletions(-) diff --git a/core/src/main/java/org/acegisecurity/context/HttpSessionContextIntegrationFilter.java b/core/src/main/java/org/acegisecurity/context/HttpSessionContextIntegrationFilter.java index 6acf9c1963..f5bd4c14d2 100644 --- a/core/src/main/java/org/acegisecurity/context/HttpSessionContextIntegrationFilter.java +++ b/core/src/main/java/org/acegisecurity/context/HttpSessionContextIntegrationFilter.java @@ -76,13 +76,13 @@ import javax.servlet.http.HttpSession; * similar clients that will never present the same jsessionid * etc), the {@link #setAllowSessionCreation(boolean)} should be set to * false. Only do this if you really need to conserve server - * memory and ensure all classes using the ContextHolder - * are designed to have no persistence of the Context between web + * memory and ensure all classes using the ContextHolder are + * designed to have no persistence of the Context between web * requests. *

* *

- * This filter MUST be executed BEFORE any authentication processing mechanisms. + * This filter MUST be executed BEFORE any authentication procesing mechanisms. * Authentication processing mechanisms (eg BASIC, CAS processing filters etc) * expect the ContextHolder to contain a valid * SecureContext by the time they execute. @@ -166,12 +166,15 @@ public class HttpSessionContextIntegrationFilter implements InitializingBean, } HttpSession httpSession = null; + boolean httpSessionExistedAtStartOfRequest = false; try { httpSession = ((HttpServletRequest) request).getSession(false); } catch (IllegalStateException ignored) {} if (httpSession != null) { + httpSessionExistedAtStartOfRequest = true; + Object contextObject = httpSession.getAttribute(ACEGI_SECURITY_CONTEXT_KEY); if (contextObject != null) { @@ -213,6 +216,11 @@ public class HttpSessionContextIntegrationFilter implements InitializingBean, } } + // Make the HttpSession null, as we want to ensure we don't keep + // a reference to the HttpSession laying around in case the + // chain.doFilter() invalidates it. + httpSession = null; + // Proceed with chain chain.doFilter(request, response); @@ -221,8 +229,15 @@ public class HttpSessionContextIntegrationFilter implements InitializingBean, httpSession = ((HttpServletRequest) request).getSession(false); } catch (IllegalStateException ignored) {} + if ((httpSession == null) && httpSessionExistedAtStartOfRequest) { + if (logger.isDebugEnabled()) { + logger.debug( + "HttpSession is now null, but was not null at start of request; session was invalidated, so do not create a new session"); + } + } + // Generate a HttpSession only if we need to - if (httpSession == null) { + if ((httpSession == null) && !httpSessionExistedAtStartOfRequest) { if (!allowSessionCreation) { if (logger.isDebugEnabled()) { logger.debug( diff --git a/doc/xdocs/changes.xml b/doc/xdocs/changes.xml index 8cc04352d9..a9226b380d 100644 --- a/doc/xdocs/changes.xml +++ b/doc/xdocs/changes.xml @@ -26,11 +26,14 @@ + X509 (certificate-based) authentication support + ContextHolderAwareRequestWrapper methods returns null if user is anonymous + AbstractBasicAclEntry improved compatibility with Hibernate SecurityEnforcementFilter caused NullPointerException when anonymous authentication used with BasicProcessingFilterEntryPoint FilterChainProxy now supports replacement of ServletRequest and ServetResponse by Filter beans Corrected Authz parsing of whitespace in GrantedAuthoritys - ContextHolderAwareRequestWrapper methods returns null if user is anonymous - AbstractBasicAclEntry improved compatibility with Hibernate + TokenBasedRememberMeServices now respects expired users, expired credentials and disabled users + HttpSessionContextIntegrationFilter now handles HttpSession invalidation without redirection Added Digest Authentication support (RFC 2617 and RFC 2069)