2 * Copyright (C) 2007-2012 Argeo GmbH
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
16 package org
.argeo
.security
.jcr
;
18 import javax
.jcr
.Session
;
20 import org
.apache
.commons
.logging
.Log
;
21 import org
.apache
.commons
.logging
.LogFactory
;
22 import org
.argeo
.jcr
.spring
.ThreadBoundSession
;
23 import org
.springframework
.security
.core
.Authentication
;
24 import org
.springframework
.security
.core
.context
.SecurityContextHolder
;
/**
 * Thread-bound JCR session factory which compares the session's user ID with
 * the name of the current Spring Security authentication and is autoconfigured
 * in Spring.
 */
30 public class SecureThreadBoundSession
extends ThreadBoundSession
{
31 private final static Log log
= LogFactory
32 .getLog(SecureThreadBoundSession
.class);
/**
 * Compares the user ID of the given JCR session with the name of the current
 * Spring Security authentication and logs a warning when the two differ, then
 * returns the result of {@code super.preCall(session)}.
 *
 * NOTE(review): this listing is incomplete. Going by the embedded gutter
 * numbers, source lines 34, 37, 46 and 48-51 are not shown, so whatever
 * follows the warning inside the mismatch branch cannot be confirmed from here.
 *
 * @param session the JCR session passed in by the caller; presumably the
 *                thread-bound session about to be used (confirm in
 *                ThreadBoundSession)
 * @return the value returned by the superclass {@code preCall}
 */
35 protected Session
preCall(Session session
) {
// The statement below is cut off after getContext() in this listing;
// presumably it ends with .getAuthentication() (confirm against the original file).
36 Authentication authentication
= SecurityContextHolder
.getContext()
// With no authentication in the security context the comparison is skipped
// and the call falls through to super.preCall (as far as this listing shows).
38 if (authentication
!= null) {
// NOTE(review): javax.jcr.Session#getUserID() is allowed to return null, in
// which case userID.equals(...) below throws a NullPointerException; a
// null-safe comparison would avoid that.
39 String userID
= session
.getUserID();
40 String currentUserName
= authentication
.getName();
// A null authentication name also skips the comparison.
41 if (currentUserName
!= null) {
42 if (!userID
.equals(currentUserName
)) {
// NOTE(review): the message concatenates the whole Authentication object.
// What its toString() prints depends on the implementation, so verify that
// nothing sensitive (e.g. principal details) reaches the log.
43 log
.warn("Current session has user ID " + userID
44 + " while logged is user is " + currentUserName
45 + "(authentication=" + authentication
+ ")"
47 // TODO throw an exception
// NOTE(review): as far as this listing shows, a session opened for one user
// while a different user is authenticated is only reported at WARN level.
// Until the TODO is resolved, repository calls may run under the session
// owner's identity rather than the authenticated user's; failing closed here
// (throwing, or discarding the session) is the safer behaviour.
52 return super.preCall(session
);