Spring Security

SEC-1695: Allow HttpSessionSecurityContextRepository to have different session key for different instances

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Complete
    • Affects Version/s: 3.0.5
    • Fix Version/s: 3.1.0.RC3
    • Component/s: Web
    • Labels: None

      Description

      The HttpSessionSecurityContextRepository class has a constant SPRING_SECURITY_CONTEXT_KEY that defines the session attribute that the security context for the current user is stored in.

      If you have two different security:http configurations in the same web application, they would both share the same security context, so if a user logged in using one configuration, that login would be shared by the other configuration.

      If the constant were replaced by a springSecurityContextKey field and a setSpringSecurityContextKey method, the user would be able to specify a different session attribute for each security configuration.

      A further enhancement would be to add a springSecurityContextKey attribute to security:http that, if present, would create an HttpSessionSecurityContextRepository with that session key.
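A configuration of the kind the description asks for, added here as an example and not taken from this issue or the Spring Security project: two http chains, each given its own HttpSessionSecurityContextRepository through security-context-repository-ref, with distinct springSecurityContextKey values so a login through one chain is not visible to the other. The bean ids, URL patterns, key names and users are assumed.

```xml
<!-- Added example (not from this issue). Two <http> filter chains in one web application,
     each wired to its own HttpSessionSecurityContextRepository with a different session key.
     Bean ids, URL patterns, key names and users are assumed; needs Spring Security 3.1+. -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                 http://www.springframework.org/schema/beans/spring-beans.xsd
                 http://www.springframework.org/schema/security
                 http://www.springframework.org/schema/security/spring-security.xsd">

    <!-- Session attribute for the admin chain (the default would be SPRING_SECURITY_CONTEXT) -->
    <beans:bean id="adminContextRepository"
        class="org.springframework.security.web.context.HttpSessionSecurityContextRepository">
        <beans:property name="springSecurityContextKey" value="SPRING_SECURITY_CONTEXT_ADMIN"/>
    </beans:bean>

    <!-- A second repository with a different attribute name for the customer chain -->
    <beans:bean id="customerContextRepository"
        class="org.springframework.security.web.context.HttpSessionSecurityContextRepository">
        <beans:property name="springSecurityContextKey" value="SPRING_SECURITY_CONTEXT_CUSTOMER"/>
    </beans:bean>

    <!-- Admin chain: its SecurityContextPersistenceFilter reads and writes only the admin key -->
    <http pattern="/admin/**" use-expressions="true"
          security-context-repository-ref="adminContextRepository">
        <intercept-url pattern="/admin/login" access="permitAll"/>
        <intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')"/>
        <form-login login-page="/admin/login" login-processing-url="/admin/j_spring_security_check"/>
    </http>

    <!-- Customer chain: same filter types, but a separate session attribute -->
    <http pattern="/customer/**" use-expressions="true"
          security-context-repository-ref="customerContextRepository">
        <intercept-url pattern="/customer/login" access="permitAll"/>
        <intercept-url pattern="/customer/**" access="hasRole('ROLE_CUSTOMER')"/>
        <form-login login-page="/customer/login" login-processing-url="/customer/j_spring_security_check"/>
    </http>

    <!-- Both chains may share one authentication manager; the session keys keep the contexts apart -->
    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="admin" password="admin-pw" authorities="ROLE_ADMIN"/>
                <user name="alice" password="alice-pw" authorities="ROLE_CUSTOMER"/>
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>
```

With this wiring a session can hold an admin context and a customer context at the same time, which is why the resolving comment below also changes SessionDestroyedEvent to return a list of contexts.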

        Activity

        Luke Taylor added a comment -

        I've added a springSecurityContextKey property to HttpSessionSecurityContextRepository. I don't want to add this to the namespace since it is not a common requirement and there is already an injection point for the SecurityContextRepository instance.

        This also requires a change to the API of SessionDestroyedEvent which assumed there is only a single context in the session. The getSecurityContext() method has been replaced with getSecurityContexts() which returns a List.


          People

          • Assignee: Luke Taylor
          • Reporter: Paul Austin
          • Votes: 0
          • Watchers: 0
