1 package org.argeo.security.jcr;
2
3 import javax.jcr.Session;
4
5 import org.apache.commons.logging.Log;
6 import org.apache.commons.logging.LogFactory;
7 import org.argeo.jcr.ThreadBoundJcrSessionFactory;
8 import org.springframework.security.Authentication;
9 import org.springframework.security.context.SecurityContextHolder;
10 import org.springframework.security.userdetails.UserDetails;
11
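/**
 * Thread-bound JCR session factory that checks, before each call, that the
 * JCR session still belongs to the user currently authenticated in the Spring
 * Security context, and logs in again when it does not.
 */
public class SecureThreadBoundSession extends ThreadBoundJcrSessionFactory {
    private static final Log log = LogFactory
            .getLog(SecureThreadBoundSession.class);

    /**
     * Compares the user ID of the given session with the user name of the
     * current authentication and re-logs in on a mismatch.
     *
     * @param session
     *            the session about to be used
     * @return the result of {@code login()} when the session user differs from
     *         the authenticated user, otherwise the result of
     *         {@code super.preCall(session)}
     */
    @Override
    protected Session preCall(Session session) {
        Authentication authentication = SecurityContextHolder.getContext()
                .getAuthentication();
        if (authentication == null) {
            return super.preCall(session);
        }

        Object details = authentication.getDetails();
        if (details == null) {
            // NOTE(review): without details the identity check is skipped and
            // the session is used as is (unchanged behaviour). Confirm that
            // every authentication which must be bound to a session carries
            // details, otherwise a stale session is reused silently.
            return super.preCall(session);
        }

        // The details object is not guaranteed to be a UserDetails; a blind
        // cast would throw ClassCastException on every call. Fall back to the
        // name carried by the authentication token itself.
        // NOTE(review): in Spring Security the UserDetails is conventionally
        // the principal rather than the details; confirm how the
        // authentication provider used here populates the token.
        String currentUserName;
        if (details instanceof UserDetails) {
            currentUserName = ((UserDetails) details).getUsername();
        } else {
            currentUserName = authentication.getName();
        }

        // JCR allows Session.getUserID() to return null, so compare null-safely
        // and treat a null on one side only as a mismatch.
        String userID = session.getUserID();
        boolean sameUser = userID == null ? currentUserName == null
                : userID.equals(currentUserName);
        if (sameUser) {
            return super.preCall(session);
        }

        log.warn("Current session has user ID " + userID
                + " while logged in user is " + currentUserName
                + ". Re-login.");
        // The full token is only dumped at debug level: its toString() depends
        // on the token implementation and may include request details that do
        // not belong in routine warning logs.
        if (log.isDebugEnabled()) {
            log.debug("Authentication of mismatching session: "
                    + authentication);
        }
        return login();
    }

}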