
Adjust createNewSessionIfAllowed to prevent NPE
Ensure that isTransientAuthentication reuses the same authentication object from saveContext

Closes gh-8947
marcusdacoregio authored and jzheaux committed May 26, 2021
1 parent cf74ad3 commit 2a7998d
Showing 2 changed files with 21 additions and 5 deletions.
@@ -1,5 +1,5 @@
/*
* Copyright 2002-2016 the original author or authors.
* Copyright 2002-2021 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
Expand Down Expand Up @@ -348,7 +348,7 @@ protected void saveContext(SecurityContext context) {
}
return;
}
httpSession = (httpSession != null) ? httpSession : createNewSessionIfAllowed(context);
httpSession = (httpSession != null) ? httpSession : createNewSessionIfAllowed(context, authentication);
// If HttpSession exists, store current SecurityContext but only if it has
// actually changed in this thread (see SEC-37, SEC-1307, SEC-1528)
if (httpSession != null) {
Expand All @@ -369,8 +369,8 @@ private boolean contextChanged(SecurityContext context) {
|| context.getAuthentication() != this.authBeforeExecution;
}

private HttpSession createNewSessionIfAllowed(SecurityContext context) {
if (isTransientAuthentication(context.getAuthentication())) {
private HttpSession createNewSessionIfAllowed(SecurityContext context, Authentication authentication) {
if (isTransientAuthentication(authentication)) {
return null;
}
if (this.httpSessionExistedAtStartOfRequest) {
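Review bot: `contextChanged` at the top of the -369 hunk still reads `context.getAuthentication()` live (`|| context.getAuthentication() != this.authBeforeExecution;`) while the new `createNewSessionIfAllowed(context, authentication)` works from the snapshot saveContext already took, so the changed-check and the session decision within one save can observe different Authentication instances if the context is mutated mid-request — the same window the commit closes for the transient check. Passing the captured `authentication` into `contextChanged` as well, or a comment stating why a fresh read is acceptable there, would make the intended consistency explicit. The new signature also deserves a why-comment, e.g. `// Takes the Authentication saveContext already read so the transient check and the session decision use the same instance (gh-8947)`. `context` may now be unused inside createNewSessionIfAllowed; its body continues past the hunk, as does saveContext before it, so this cannot be confirmed here.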
@@ -1,5 +1,5 @@
/*
* Copyright 2002-2016 the original author or authors.
* Copyright 2002-2021 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
Expand Down Expand Up @@ -628,6 +628,22 @@ public void saveContextWhenTransientAuthenticationWithCustomAnnotationThenSkippe
assertThat(session).isNull();
}

// gh-8947
@Test
public void saveContextWhenSecurityContextAuthenticationUpdatedToNullThenSkipped() {
HttpSessionSecurityContextRepository repo = new HttpSessionSecurityContextRepository();
MockHttpServletRequest request = new MockHttpServletRequest();
MockHttpServletResponse response = new MockHttpServletResponse();
HttpRequestResponseHolder holder = new HttpRequestResponseHolder(request, response);
SomeOtherTransientAuthentication authentication = new SomeOtherTransientAuthentication();
repo.loadContext(holder);
SecurityContext context = mock(SecurityContext.class);
given(context.getAuthentication()).willReturn(authentication).willReturn(null);
repo.saveContext(context, holder.getRequest(), holder.getResponse());
MockHttpSession session = (MockHttpSession) request.getSession(false);
assertThat(session).isNull();
}

private SecurityContext createSecurityContext(UserDetails userDetails) {
UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(userDetails,
userDetails.getPassword(), userDetails.getAuthorities());
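Review bot: The chained stub `given(context.getAuthentication()).willReturn(authentication).willReturn(null);` silently encodes that saveContext reads the authentication at least twice, which is the whole regression trigger, yet nothing in the test says so. A comment above that line would preserve the intent: `// First read returns the transient authentication; the second returns null to simulate the context being cleared between reads, which raised an NPE before gh-8947`. Note that the final `assertThat(session).isNull()` also holds if the implementation stops reading the authentication a second time altogether, so the test pins the absence of the NPE rather than a particular read sequence; stating that in the method's Javadoc keeps a future refactor from "simplifying" the stub away.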
