
SEC-1190: Added "invalidateSessionOnPrincipalChange" property to AbstractPreAuthenticatedProcessingFilter. If set to true (the default) and a new principal is detected, the existing session will be invalidated before proceeding to authenticate the user.

Luke Taylor
2009-09-01 00:18:48 +00:00
parent 3cc47c9c4d
commit b2c2b93545
@@ -8,6 +8,7 @@ import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.context.ApplicationEventPublisher;
@@ -51,6 +52,8 @@ public abstract class AbstractPreAuthenticatedProcessingFilter extends GenericFi
private boolean checkForPrincipalChanges;
private boolean invalidateSessionOnPrincipalChange = true;
/**
* Check whether all required properties have been set.
*/
@@ -123,6 +126,15 @@ public abstract class AbstractPreAuthenticatedProcessingFilter extends GenericFi
!currentUser.getName().equals(principal)) {
logger.debug("Pre-authenticated principal has changed to " + principal + " and will be reauthenticated");
if (invalidateSessionOnPrincipalChange) {
HttpSession session = request.getSession(false);
if (session != null) {
logger.debug("Invalidating existing session");
session.invalidate();
}
}
return true;
}
@@ -197,6 +209,16 @@ public abstract class AbstractPreAuthenticatedProcessingFilter extends GenericFi
this.checkForPrincipalChanges = checkForPrincipalChanges;
}
/**
* If <tt>checkForPrincipalChanges</tt> is set, and a change of principal is detected, determines whether
* any existing session should be invalidated before proceeding to authenticate the new principal.
*
* @param invalidateSessionOnPrincipalChange <tt>false</tt> to retain the existing session. Defaults to <tt>true</tt>.
*/
public void setInvalidateSessionOnPrincipalChange(boolean invalidateSessionOnPrincipalChange) {
this.invalidateSessionOnPrincipalChange = invalidateSessionOnPrincipalChange;
}
/**
* Override to extract the principal information from the current request
*/
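Review bot: The new `if (invalidateSessionOnPrincipalChange)` branch in the third hunk fires whenever the context line `!currentUser.getName().equals(principal)` is true, and `String.equals` is false for any non-String argument; if `getPreAuthenticatedPrincipal` can return a non-String object (its return type is not visible here), every request would now count as a principal change and have its session invalidated, so either compare against `String.valueOf(principal)` or document a String principal as a precondition of `checkForPrincipalChanges`. The enclosing method starts outside the hunk. The setter Javadoc in the last hunk should also state the consequence of `false`, since `session.invalidate()` unbinds every attribute of the old session and retaining it leaves state written by the previous principal reachable by the new one: `* Retaining the session leaves attributes stored by the previous principal bound to it and visible to the newly authenticated principal; set this to false only when that is intended.`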