Spring Security / SEC-1870

HttpSessionDestroyedEvent#getSecurityContexts() broken

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 3.1.0
    • Fix Version/s: 3.1.1
    • Component/s: Web
    • Labels:
      None

      Description

      The implementation of HttpSessionDestroyedEvent#getSecurityContexts() is broken. See the code snippet from the source below. The code retrieves the names of the session attributes, which are Strings, and tests the Strings to be instances of SecurityContext in the loop. Strings are most likely not SecurityContexts, so the result of the method is always an empty list.

      Enumeration<String> attributes = session.getAttributeNames();
      
      ArrayList<SecurityContext> contexts = new ArrayList<SecurityContext>();
      
      while(attributes.hasMoreElements()) {
          Object attribute = attributes.nextElement();
          if (attribute instanceof SecurityContext) {
              contexts.add((SecurityContext) attribute);
          }
      }
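
      The defect described above, reproduced next to a corrected loop. This is an added example, not code from the report or from the Spring Security fix; `Session` and `SecurityContext` are minimal stand-ins (assumptions) for the servlet and Spring Security types, and the attribute names and values are constructed sample data.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.LinkedHashMap;
import java.util.List;

public class SessionContextScan {
    // Stand-ins (assumptions) so the example runs without the servlet API or Spring Security.
    interface SecurityContext {}
    static class Session {
        private final LinkedHashMap<String, Object> attrs = new LinkedHashMap<String, Object>();
        void setAttribute(String name, Object value) { attrs.put(name, value); }
        Object getAttribute(String name) { return attrs.get(name); }
        Enumeration<String> getAttributeNames() { return Collections.enumeration(attrs.keySet()); }
    }

    // Pattern from the report: the instanceof test runs on the attribute *name*, always a String.
    static List<SecurityContext> scanNames(Session session) {
        List<SecurityContext> contexts = new ArrayList<SecurityContext>();
        Enumeration<String> names = session.getAttributeNames();
        while (names.hasMoreElements()) {
            Object attribute = names.nextElement();
            if (attribute instanceof SecurityContext) {
                contexts.add((SecurityContext) attribute);
            }
        }
        return contexts;
    }

    // Corrected pattern: resolve each name to its value, then test the value.
    static List<SecurityContext> scanValues(Session session) {
        List<SecurityContext> contexts = new ArrayList<SecurityContext>();
        Enumeration<String> names = session.getAttributeNames();
        while (names.hasMoreElements()) {
            Object attribute = session.getAttribute(names.nextElement());
            if (attribute instanceof SecurityContext) {
                contexts.add((SecurityContext) attribute);
            }
        }
        return contexts;
    }

    public static void main(String[] args) {
        Session session = new Session(); // constructed sample session
        session.setAttribute("SPRING_SECURITY_CONTEXT", new SecurityContext() {});
        session.setAttribute("locale", "en_US");
        System.out.println("contexts found by testing names:  " + scanNames(session).size());
        System.out.println("contexts found by testing values: " + scanValues(session).size());
    }
}
```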
      

          Activity

          Rob Winch added a comment -

          Thanks for the bug submission. This is now fixed in master.


            People

            • Assignee:
              Rob Winch
              Reporter:
              Daniel Spilker
            • Votes:
              6
              Watchers:
              5

              Dates

              • Created:
                Updated:
                Resolved: