Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Already on GitHub? Sign in to your account

SEC-1870: HttpSessionDestroyedEvent#getSecurityContexts() broken #2102

spring-issuemaster opened this Issue Dec 14, 2011 · 1 comment


None yet
2 participants

Daniel Spilker (Migrated from SEC-1870) said:

The implementation of HttpSessionDestroyedEvent#getSecurityContexts() is broken. See the code snippet from the source below. The code retrieves the names of the session attributes which are Strings and test the Strings to be instances of SecurityContext in the loop. Strings are most likely not SecurityContexts, so the result of the method is always an empty list.

Enumeration<String> attributes = session.getAttributeNames();

ArrayList<SecurityContext> contexts = new ArrayList<SecurityContext>();

while(attributes.hasMoreElements()) {
    Object attribute = attributes.nextElement();
    if (attribute instanceof SecurityContext) {
        contexts.add((SecurityContext) attribute);

Rob Winch said:

Thanks for the bug submission. This is now fixed in master.

@spring-issuemaster spring-issuemaster added this to the 3.1.1 milestone Feb 5, 2016

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment