1 package org
.argeo
.security
.jcr
;
3 import javax
.jcr
.Session
;
5 import org
.apache
.commons
.logging
.Log
;
6 import org
.apache
.commons
.logging
.LogFactory
;
7 import org
.argeo
.jcr
.spring
.ThreadBoundSession
;
8 import org
.springframework
.security
.Authentication
;
9 import org
.springframework
.security
.context
.SecurityContextHolder
;
/**
 * Thread-bound JCR session factory which checks authentication and is
 * auto-configured in Spring.
 */
15 public class SecureThreadBoundSession
extends ThreadBoundSession
{
/** Class logger; preCall uses it to report session/authentication user mismatches. */
private static final Log log = LogFactory.getLog(SecureThreadBoundSession.class);
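/**
 * Compares the user ID of the given JCR session with the name of the current
 * Spring Security authentication, then delegates to the parent hook.
 *
 * <p>Security note: this check is advisory only. A mismatch is logged at WARN
 * level and the call still proceeds with the session as given. When no
 * authentication is bound to the security context, or its name is
 * {@code null}, no comparison is made at all. Callers must not treat this
 * method as an access-control decision until the TODO below is resolved.
 *
 * @param session the JCR session about to be used
 * @return the result of {@code super.preCall(session)}
 */
protected Session preCall(Session session) {
    Authentication authentication = SecurityContextHolder.getContext()
            .getAuthentication();
    if (authentication != null) {
        String userID = session.getUserID();
        String currentUserName = authentication.getName();
        // Compare from the non-null side: a session without a user ID is then
        // reported as a mismatch instead of failing with a NullPointerException.
        if (currentUserName != null && !currentUserName.equals(userID)) {
            // NOTE(review): both names and authentication.toString() go into
            // the log unescaped; confirm that no credentials or details are
            // rendered and that line breaks in names cannot forge log entries.
            log.warn("Current session has user ID " + userID
                    + " while logged is user is " + currentUserName
                    + "(authentication=" + authentication + ")");
            // TODO throw an exception
            // Until then a session bound to one user can be used under
            // another user's authentication; WARN is the only signal.
        }
    }
    return super.preCall(session);
}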