SEC-1870: HttpSessionDestroyedEvent#getSecurityContexts() broken #2102

spring-issuemaster opened this Issue Dec 14, 2011 · 1 comment


Daniel Spilker (Migrated from SEC-1870) said:

The implementation of HttpSessionDestroyedEvent#getSecurityContexts() is broken. See the code snippet from the source below. The code retrieves the names of the session attributes, which are Strings, and tests the Strings to be instances of SecurityContext in the loop. Strings are most likely not SecurityContexts, so the result of the method is always an empty list.

```java
Enumeration<String> attributes = session.getAttributeNames();

ArrayList<SecurityContext> contexts = new ArrayList<SecurityContext>();

while (attributes.hasMoreElements()) {
    // nextElement() returns the attribute *name* (a String), not the stored value
    Object attribute = attributes.nextElement();
    if (attribute instanceof SecurityContext) {
        contexts.add((SecurityContext) attribute);
    }
}
```

Rob Winch said:

Thanks for the bug submission. This is now fixed in master.

@spring-issuemaster spring-issuemaster added this to the 3.1.1 milestone Feb 5, 2016
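The reported behaviour next to one way of correcting it, as an added example that is not part of the original thread and not the project's actual fix. `FakeSession` and the nested `SecurityContext` interface are stand-ins for the servlet and Spring Security types so the demo needs only the JDK; the session contents are constructed.

```java
import java.util.*;

public class SessionContextsDemo {
    // Stand-in for Spring Security's SecurityContext (assumption for this demo).
    interface SecurityContext { String principal(); }

    // Stand-in exposing the two HttpSession methods involved in the bug.
    static class FakeSession {
        private final Map<String, Object> attrs = new LinkedHashMap<>();
        void setAttribute(String name, Object value) { attrs.put(name, value); }
        Enumeration<String> getAttributeNames() { return Collections.enumeration(attrs.keySet()); }
        Object getAttribute(String name) { return attrs.get(name); }
    }

    // Logic as reported: the instanceof test runs on the attribute name, so nothing matches.
    static List<SecurityContext> contextsFromNames(FakeSession session) {
        List<SecurityContext> contexts = new ArrayList<>();
        Enumeration<String> names = session.getAttributeNames();
        while (names.hasMoreElements()) {
            Object attribute = names.nextElement();
            if (attribute instanceof SecurityContext) {
                contexts.add((SecurityContext) attribute);
            }
        }
        return contexts;
    }

    // Corrected logic: resolve each name to its stored value, then test the value.
    static List<SecurityContext> contextsFromValues(FakeSession session) {
        List<SecurityContext> contexts = new ArrayList<>();
        Enumeration<String> names = session.getAttributeNames();
        while (names.hasMoreElements()) {
            Object attribute = session.getAttribute(names.nextElement());
            if (attribute instanceof SecurityContext) {
                contexts.add((SecurityContext) attribute);
            }
        }
        return contexts;
    }

    public static void main(String[] args) {
        FakeSession session = new FakeSession();  // constructed sample session
        session.setAttribute("SPRING_SECURITY_CONTEXT", (SecurityContext) () -> "alice");
        session.setAttribute("cart", "3 items");
        System.out.println("from names:  " + contextsFromNames(session).size());
        System.out.println("from values: " + contextsFromValues(session).size());
    }
}
```

A listener that uses `getSecurityContexts()` to audit or clean up after session expiry would silently process nothing under the first variant, so a regression test should assert a non-empty result for a session that holds a context.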