From f449afdbed31ea1585ea95086c09aeaa7e6cfb42 Mon Sep 17 00:00:00 2001
From: maxcooper
Date: Mon, 6 Jan 2003 04:16:32 +0000
Subject: [PATCH] session is now invalidated if the user re-authenticates

---
 .../org/securityfilter/filter/SecurityFilter.java | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/src/share/org/securityfilter/filter/SecurityFilter.java b/src/share/org/securityfilter/filter/SecurityFilter.java
index cf5023c..2adbefc 100644
--- a/src/share/org/securityfilter/filter/SecurityFilter.java
+++ b/src/share/org/securityfilter/filter/SecurityFilter.java
@@ -1,7 +1,7 @@
 /*
- * $Header: /cvsroot/securityfilter/securityfilter/src/share/org/securityfilter/filter/SecurityFilter.java,v 1.13 2003/01/06 01:14:23 maxcooper Exp $
- * $Revision: 1.13 $
- * $Date: 2003/01/06 01:14:23 $
+ * $Header: /cvsroot/securityfilter/securityfilter/src/share/org/securityfilter/filter/SecurityFilter.java,v 1.14 2003/01/06 04:16:32 maxcooper Exp $
+ * $Revision: 1.14 $
+ * $Date: 2003/01/06 04:16:32 $
  *
  * ====================================================================
  * The SecurityFilter Software License, Version 1.1
@@ -75,7 +75,7 @@ import java.util.*;
  *
  * @author Max Cooper (max@maxcooper.com)
  * @author Torgeir Veimo (torgeir@pobox.com)
- * @version $Revision: 1.13 $ $Date: 2003/01/06 01:14:23 $
+ * @version $Revision: 1.14 $ $Date: 2003/01/06 04:16:32 $
  */
 public class SecurityFilter implements Filter {
     public static final String SAVED_REQUEST_URL = SecurityFilter.class.getName() + ".SAVED_REQUEST_URL";
@@ -121,9 +121,9 @@ public class SecurityFilter implements Filter {
         SecurityRequestWrapper wrappedRequest;
 
         // if the request has already been processed by the filter, pass it through unchecked
-        if (request.getAttribute(ALREADY_PROCESSED) == null) {
+        if (!TRUE.equals(request.getAttribute(ALREADY_PROCESSED))) {
             // set an attribute on this request to indicate that it has already been processed
-            request.setAttribute(ALREADY_PROCESSED, "true");
+            request.setAttribute(ALREADY_PROCESSED, TRUE);
 
             // get a URLPatternMatcher to use for this thread
             URLPatternMatcher patternMatcher = patternFactory.createURLPatternMatcher();
@@ -336,6 +336,12 @@ public class SecurityFilter implements Filter {
         Principal principal = realm.authenticate(username, password);
         if (principal != null) {
             // login successful
+            // invalidate old session if the user was already authenticated
+            // NOTE: we may want to check if the user re-authenticated as the same user, currently
+            // the session will be invalidated even if the user authenticates as the same user.
+            if (request.getUserPrincipal() != null) {
+                request.getSession().invalidate();
+            }
             request.setUserPrincipal(principal);
             String continueToURL = getContinueToURL(request);
             response.sendRedirect(response.encodeRedirectURL(continueToURL));
-- 
2.11.0
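Review bot: The new guard `if (request.getUserPrincipal() != null)` in the second hunk (@@ -336) only rotates the session when a principal is already present, so a first successful login keeps whatever session id the client held before authenticating; invalidating on every successful `realm.authenticate` (e.g. `if (request.getSession(false) != null) { request.getSession().invalidate(); }`) closes that window and makes the existing NOTE about same-user re-authentication moot. Separately, `invalidate()` discards everything stored in the old session while `getContinueToURL(request)` runs only afterwards — if it reads `SAVED_REQUEST_URL` from the session (its body is not in this hunk) the saved target is lost and the user is redirected to the fallback, so `String continueToURL = getContinueToURL(request);` should be captured before the invalidate. It is also worth a comment that `request.setUserPrincipal(principal)` runs against a fresh session after the invalidate, if the wrapper stores the principal there. The enclosing method starts and ends outside the hunk.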