Skip to content

Prevent Save @Transient Authentication with existing HttpSession #9993

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 1 commit into from
Closed

Prevent Save @Transient Authentication with existing HttpSession #9993

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 6 additions & 3 deletions ...n/java/org/springframework/security/web/context/HttpSessionSecurityContextRepository.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -233,6 +233,9 @@ public void setSpringSecurityContextKey(String springSecurityContextKey) {
}

private boolean isTransientAuthentication(Authentication authentication) {
if (authentication == null) {
return false;
}
return AnnotationUtils.getAnnotation(authentication.getClass(), Transient.class) != null;
}

Expand Down Expand Up @@ -327,6 +330,9 @@ final class SaveToSessionResponseWrapper extends SaveContextOnUpdateOrErrorRespo
@Override
protected void saveContext(SecurityContext context) {
final Authentication authentication = context.getAuthentication();
if (isTransientAuthentication(authentication)) {
return;
}
HttpSession httpSession = this.request.getSession(false);
String springSecurityContextKey = HttpSessionSecurityContextRepository.this.springSecurityContextKey;
// See SEC-776
Expand Down Expand Up @@ -370,9 +376,6 @@ private boolean contextChanged(SecurityContext context) {
}

private HttpSession createNewSessionIfAllowed(SecurityContext context, Authentication authentication) {
if (isTransientAuthentication(authentication)) {
return null;
}
if (this.httpSessionExistedAtStartOfRequest) {
this.logger.debug("HttpSession is now null, but was not null at start of request; "
+ "session was invalidated, so do not create a new session");
Expand Down
16 changes: 16 additions & 0 deletions ...a/org/springframework/security/web/context/HttpSessionSecurityContextRepositoryTests.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.util.Collections;

import javax.servlet.Filter;
import javax.servlet.ServletException;
Expand Down Expand Up @@ -614,6 +615,21 @@ public void saveContextWhenTransientAuthenticationSubclassThenSkipped() {
assertThat(session).isNull();
}

@Test
public void saveContextWhenTransientAuthenticationAndSessionExistsThenSkipped() {
HttpSessionSecurityContextRepository repo = new HttpSessionSecurityContextRepository();
MockHttpServletRequest request = new MockHttpServletRequest();
request.getSession(); // ensure the session exists
MockHttpServletResponse response = new MockHttpServletResponse();
HttpRequestResponseHolder holder = new HttpRequestResponseHolder(request, response);
SecurityContext context = repo.loadContext(holder);
SomeTransientAuthentication authentication = new SomeTransientAuthentication();
context.setAuthentication(authentication);
repo.saveContext(context, holder.getRequest(), holder.getResponse());
MockHttpSession session = (MockHttpSession) request.getSession(false);
assertThat(Collections.list(session.getAttributeNames())).isEmpty();
}

@Test
public void saveContextWhenTransientAuthenticationWithCustomAnnotationThenSkipped() {
HttpSessionSecurityContextRepository repo = new HttpSessionSecurityContextRepository();
Expand Down