SEC-1870: HttpSessionDestroyedEvent#getSecurityContexts() broken #2102

Closed
spring-issuemaster opened this Issue Dec 14, 2011 · 1 comment


Daniel Spilker (Migrated from SEC-1870) said:

The implementation of HttpSessionDestroyedEvent#getSecurityContexts() is broken. See the code snippet from the source below. The code retrieves the names of the session attributes, which are Strings, and tests the Strings to be instances of SecurityContext in the loop. Strings are most likely not SecurityContexts, so the result of the method is always an empty list.

Enumeration<String> attributes = session.getAttributeNames();

ArrayList<SecurityContext> contexts = new ArrayList<SecurityContext>();

while(attributes.hasMoreElements()) {
    Object attribute = attributes.nextElement();
    if (attribute instanceof SecurityContext) {
        contexts.add((SecurityContext) attribute);
    }
}

Rob Winch said:

Thanks for the bug submission. This is now fixed in master.

spring-issuemaster added this to the 3.1.1 milestone Feb 5, 2016
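
The reported behaviour beside one way to correct it, as an added example that is not the project's code or the actual fix commit. `Session` and `SecurityContext` here are hypothetical stand-ins so the class runs without the Servlet API or Spring Security, and the attribute names and values are constructed sample data.

```java
import java.util.*;

public class SessionContextsDemo {
    // Hypothetical stand-ins for the real SecurityContext and HttpSession types.
    interface SecurityContext {}
    static class Session {
        private final Map<String, Object> attrs = new LinkedHashMap<>();
        void setAttribute(String name, Object value) { attrs.put(name, value); }
        Object getAttribute(String name) { return attrs.get(name); }
        Enumeration<String> getAttributeNames() { return Collections.enumeration(attrs.keySet()); }
    }

    // Behaviour described in the issue: the instanceof test is applied to the
    // attribute *name* (a String), so nothing is ever collected.
    static List<SecurityContext> contextsAsReported(Session session) {
        List<SecurityContext> contexts = new ArrayList<>();
        Enumeration<String> attributes = session.getAttributeNames();
        while (attributes.hasMoreElements()) {
            Object attribute = attributes.nextElement();
            if (attribute instanceof SecurityContext) {
                contexts.add((SecurityContext) attribute);
            }
        }
        return contexts;
    }

    // Corrected loop: resolve each name to its value before the type test.
    static List<SecurityContext> contextsByValue(Session session) {
        List<SecurityContext> contexts = new ArrayList<>();
        Enumeration<String> names = session.getAttributeNames();
        while (names.hasMoreElements()) {
            Object value = session.getAttribute(names.nextElement());
            if (value instanceof SecurityContext) {
                contexts.add((SecurityContext) value);
            }
        }
        return contexts;
    }

    public static void main(String[] args) {
        Session session = new Session();                      // constructed sample session
        session.setAttribute("SPRING_SECURITY_CONTEXT", new SecurityContext() {});
        session.setAttribute("cart", "3 items");
        if (!contextsAsReported(session).isEmpty()) throw new AssertionError("expected empty list");
        if (contextsByValue(session).size() != 1) throw new AssertionError("expected one context");
        System.out.println("reported: " + contextsAsReported(session).size()
                + ", by value: " + contextsByValue(session).size());
    }
}
```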
