Optimize HttpSessionSecurityContextRepository

Closes gh-9387
spring-projects · Feb 11, 2021 · 38e9e8c · 38e9e8c
1 parent 996ccc0
commit 38e9e8c
Showing 1 changed file with 5 additions and 9 deletions.
diff --git a/...n/java/org/springframework/security/web/context/HttpSessionSecurityContextRepository.java b/...n/java/org/springframework/security/web/context/HttpSessionSecurityContextRepository.java
@@ -142,13 +142,7 @@ public void saveContext(SecurityContext context, HttpServletRequest request,
 							+ response
 							+ ". You must use the HttpRequestResponseHolder.response after invoking loadContext");
 		}
-		// saveContext() might already be called by the response wrapper
-		// if something in the chain called sendError() or sendRedirect(). This ensures we
-		// only call it
-		// once per request.
-		if (!responseWrapper.isContextSaved()) {
-			responseWrapper.saveContext(context);
-		}
+		responseWrapper.saveContext(context);
 	}
 
 	public boolean containsContext(HttpServletRequest request) {
@@ -305,6 +299,7 @@ final class SaveToSessionResponseWrapper extends
 		private final boolean httpSessionExistedAtStartOfRequest;
 		private final SecurityContext contextBeforeExecution;
 		private final Authentication authBeforeExecution;
+		private boolean isSaveContextInvoked;
 
 		/**
 		 * Takes the parameters required to call <code>saveContext()</code> successfully
@@ -355,6 +350,7 @@ protected void saveContext(SecurityContext context) {
 					// SEC-1587 A non-anonymous context may still be in the session
 					// SEC-1735 remove if the contextBeforeExecution was not anonymous
 					httpSession.removeAttribute(springSecurityContextKey);
+					this.isSaveContextInvoked = true;
 				}
 				return;
 			}
@@ -371,7 +367,7 @@ protected void saveContext(SecurityContext context) {
 				if (contextChanged(context)
 						|| httpSession.getAttribute(springSecurityContextKey) == null) {
 					httpSession.setAttribute(springSecurityContextKey, context);
-
+					this.isSaveContextInvoked = true;
 					if (logger.isDebugEnabled()) {
 						logger.debug("SecurityContext '" + context
 								+ "' stored to HttpSession: '" + httpSession);
@@ -381,7 +377,7 @@ protected void saveContext(SecurityContext context) {
 		}
 
 		private boolean contextChanged(SecurityContext context) {
-			return context != contextBeforeExecution
+			return this.isSaveContextInvoked || context != contextBeforeExecution
 					|| context.getAuthentication() != authBeforeExecution;
 		}