From b2c2b93545acba8f3def6082e7d9fa9d9e43a67f Mon Sep 17 00:00:00 2001
From: Luke Taylor
Date: Tue, 1 Sep 2009 00:18:48 +0000
Subject: [PATCH] SEC-1190: Added "invalidateSessionOnPrincipalChange" property to AbstactPreAuthenticatedProcessingFilter.

If set to true (the default) and a new principal is detected, the existing session will be invalidated before proceeding to authenticate the user.
---
 ...tractPreAuthenticatedProcessingFilter.java | 22 +++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/web/src/main/java/org/springframework/security/web/authentication/preauth/AbstractPreAuthenticatedProcessingFilter.java b/web/src/main/java/org/springframework/security/web/authentication/preauth/AbstractPreAuthenticatedProcessingFilter.java
index 988321f325..b2a8040653 100755
--- a/web/src/main/java/org/springframework/security/web/authentication/preauth/AbstractPreAuthenticatedProcessingFilter.java
+++ b/web/src/main/java/org/springframework/security/web/authentication/preauth/AbstractPreAuthenticatedProcessingFilter.java
@@ -8,6 +8,7 @@ import javax.servlet.ServletRequest;
 import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
 
 import org.springframework.beans.factory.InitializingBean;
 import org.springframework.context.ApplicationEventPublisher;
@@ -51,6 +52,8 @@ public abstract class AbstractPreAuthenticatedProcessingFilter extends GenericFi
 
 private boolean checkForPrincipalChanges;
 
+ private boolean invalidateSessionOnPrincipalChange = true;
+
 /**
 * Check whether all required properties have been set.
 */
@@ -123,6 +126,15 @@ public abstract class AbstractPreAuthenticatedProcessingFilter extends GenericFi
 !currentUser.getName().equals(principal)) {
 logger.debug("Pre-authenticated principal has changed to " + principal + " and will be reauthenticated");
 
+ if (invalidateSessionOnPrincipalChange) {
+ HttpSession session = request.getSession(false);
+
+ if (session != null) {
+ logger.debug("Invalidating existing session");
+ session.invalidate();
+ }
+ }
+
 return true;
 }
 
@@ -197,6 +209,16 @@ public abstract class AbstractPreAuthenticatedProcessingFilter extends GenericFi
 this.checkForPrincipalChanges = checkForPrincipalChanges;
 }
 
+ /**
+ * If checkForPrincipalChanges is set, and a change of principal is detected, determines whether
+ * any existing session should be invalidated before proceeding to authenticate the new principal.
+ *
+ * @param invalidateSessionOnPrincipalChange false to retain the existing session. Defaults to true.
+ */
+ public void setInvalidateSessionOnPrincipalChange(boolean invalidateSessionOnPrincipalChange) {
+ this.invalidateSessionOnPrincipalChange = invalidateSessionOnPrincipalChange;
+ }
+
 /**
 * Override to extract the principal information from the current request
 */
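Review bot: The new `session.invalidate()` call in the first hunk is not guarded against the session already having been invalidated, and the Servlet API specifies that `HttpSession.invalidate()` throws IllegalStateException in that case; if two requests from the same client arrive close together after the principal changed, both could pass the `session != null` check and the second would then fail with an exception out of this filter instead of being reauthenticated. Catching IllegalStateException around the call and logging it at debug level preserves the intended outcome, since the old session is gone either way. The setter Javadoc in the last hunk would also benefit from stating the reason for the default, e.g. `* Invalidating by default ensures that session state established for the previous principal is not carried over to the new one.` The method containing the first hunk starts and ends outside the hunk, so the surrounding control flow is inferred here.
```java
if (session != null) {
    logger.debug("Invalidating existing session");
    try {
        session.invalidate();
    } catch (IllegalStateException e) {
        // Already invalidated (possibly by a concurrent request from the same client); nothing left to do.
        logger.debug("Session was already invalidated");
    }
}
```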