Create new SecurityContext when the Authentication is changed during …

…login
eclipse-pass · Apr 4, 2024 · 3338fa0 · 3338fa0
1 parent 99ba262
commit 3338fa0
Showing 1 changed file with 6 additions and 3 deletions.
diff --git a/pass-core-main/src/main/java/org/eclipse/pass/main/security/PassAuthenticationFilter.java b/pass-core-main/src/main/java/org/eclipse/pass/main/security/PassAuthenticationFilter.java
@@ -321,15 +321,18 @@ private String get(Map<String, List<Object>> attributes, Attribute attr, boolean
     @Override
     protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
             throws ServletException, IOException {
-        SecurityContext context = this.securityContextHolderStrategy.getContext();
-        Authentication auth = context.getAuthentication();
+        Authentication auth = securityContextHolderStrategy.getContext().getAuthentication();
 
         if (auth != null && auth.isAuthenticated() && auth.getPrincipal() instanceof Saml2AuthenticatedPrincipal) {
             try {
+                SecurityContext context = securityContextHolderStrategy.createEmptyContext();
+
                 context.setAuthentication(authenticate((Saml2AuthenticatedPrincipal) auth.getPrincipal()));
+
+                securityContextHolderStrategy.setContext(context);
                 securityContextRepository.saveContext(context, request, response);
 
-                LOG.debug("Shib user logged in {}", auth.getName());
+                LOG.debug("User logged in {}", auth.getName());
             } catch (AuthenticationException e) {
                 // This should not happen
                 LOG.error("Login failed", e);