
SEC-1695: Allow HttpSessionSecurityContextRepository to have different session key for different instances #1932

spring-issuemaster opened this Issue Mar 9, 2011 · 1 comment


Paul Austin (Migrated from SEC-1695) said:

The HttpSessionSecurityContextRepository class has a constant SPRING_SECURITY_CONTEXT_KEY that defines the session attribute that the security context for the current user is stored in.

If you have two different security:http configurations in the same web application they would both share the same security context, so if they logged in using one configuration then that would be shared by the other configuration.

If the constant was replaced by a springSecurityContextKey field and a setSpringSecurityContextKey then the user would be able to specify a different session attribute for each security configuration.

A further enhancement would be to add a springSecurityContextKey attribute to the security:http, that, if present, would create an HttpSessionSecurityContextRepository with the session key.

Luke Taylor said:

I've added a springSecurityContextKey property to HttpSessionSecurityContextRepository. I don't want to add this to the namespace since it is not a common requirement and there is already an injection point for the SecurityContextRepository instance.

This also requires a change to the API of SessionDestroyedEvent which assumed there is only a single context in the session. The getSecurityContext() method has been replaced with getSecurityContexts() which returns a List.
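The configuration Paul describes, as an added example written for this page (not from the issue or the Spring Security project): two `<http>` chains, each wired through `security-context-repository-ref` to its own `HttpSessionSecurityContextRepository` carrying the `springSecurityContextKey` property Luke added. Bean ids, URL patterns, role names, credentials and the attribute values are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                 http://www.springframework.org/schema/beans/spring-beans.xsd
                 http://www.springframework.org/schema/security
                 http://www.springframework.org/schema/security/spring-security.xsd">

    <!-- One repository per filter chain, each storing the SecurityContext under its own session
         attribute. With the default SPRING_SECURITY_CONTEXT key in both chains, a login through the
         admin chain would also be honoured by the customer chain (the problem this issue reports). -->
    <beans:bean id="adminContextRepository"
                class="org.springframework.security.web.context.HttpSessionSecurityContextRepository">
        <beans:property name="springSecurityContextKey" value="ADMIN_SECURITY_CONTEXT"/>
    </beans:bean>

    <beans:bean id="customerContextRepository"
                class="org.springframework.security.web.context.HttpSessionSecurityContextRepository">
        <beans:property name="springSecurityContextKey" value="CUSTOMER_SECURITY_CONTEXT"/>
    </beans:bean>

    <!-- Admin chain: only requests under /admin/ reach this filter chain. -->
    <http pattern="/admin/**" use-expressions="true" security-context-repository-ref="adminContextRepository">
        <intercept-url pattern="/admin/login" access="permitAll"/>
        <intercept-url pattern="/admin/**" access="hasRole('ROLE_ADMIN')"/>
        <form-login login-page="/admin/login" login-processing-url="/admin/login"/>
        <logout logout-url="/admin/logout"/>
    </http>

    <!-- Customer chain: every other request. -->
    <http use-expressions="true" security-context-repository-ref="customerContextRepository">
        <intercept-url pattern="/account/**" access="hasRole('ROLE_CUSTOMER')"/>
        <intercept-url pattern="/**" access="permitAll"/>
        <form-login login-page="/login" login-processing-url="/login"/>
        <logout logout-url="/logout"/>
    </http>

    <!-- Shared authentication manager; placeholder credentials only ({noop} marks plaintext on 5+). -->
    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="admin" password="{noop}changeme" authorities="ROLE_ADMIN"/>
                <user name="alice" password="{noop}changeme" authorities="ROLE_CUSTOMER"/>
            </user-service>
        </authentication-provider>
    </authentication-manager>
</beans:beans>
```

The two chains still share the one `<authentication-manager>`; what they stop sharing is the session attribute, so a session authenticated at /admin/login carries no authentication in the customer chain and vice versa. Any listener for `SessionDestroyedEvent` has to use `getSecurityContexts()`, since one session can now hold both contexts.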

@spring-issuemaster spring-issuemaster added this to the 3.1.0.RC3 milestone Feb 5, 2016
