security-web: possible reauthentication & session invalidation for same principal?

**mellster** · Jun 2nd, 2011, 05:25 PM

org/springframework/security/web/authentication/preauth/AbstractPreAuthenticatedProcessingFilter.java:

The check !currentUser.getName().equals(principal) does not seem right as it is comparing a String to an Object, so principal change will be indicated and acted upon for any returned principal Object other than a String that equals currentUser.getName().

Code:

    private boolean requiresAuthentication(HttpServletRequest request) {
        Authentication currentUser = SecurityContextHolder.getContext().getAuthentication();

        if (currentUser == null) {
            return true;
        }

        Object principal = getPreAuthenticatedPrincipal(request);
        if (checkForPrincipalChanges &&
                !currentUser.getName().equals(principal)) {
            logger.debug("Pre-authenticated principal has changed to " + principal + " and will be reauthenticated");

TIA!

Thread: security-web: possible reauthentication & session invalidation for same principal?

Thread Tools

Display

Threaded View

security-web: possible reauthentication & session invalidation for same principal?

Tags for this Thread

Posting Permissions