1 package org.argeo.security.jcr;
2
3 import javax.jcr.Session;
4
5 import org.apache.commons.logging.Log;
6 import org.apache.commons.logging.LogFactory;
7 import org.argeo.jcr.spring.ThreadBoundSession;
8 import org.springframework.security.Authentication;
9 import org.springframework.security.context.SecurityContextHolder;
10
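/**
 * Thread bound JCR session which checks, before each call, that the user ID of
 * the session matches the name of the current Spring Security authentication,
 * and logs in again when they differ. Autoconfigured in Spring.
 * <p>
 * The check is only performed when the security context holds an
 * authentication whose name is not null. In every other case the call is
 * passed to the superclass without any identity check.
 */
public class SecureThreadBoundSession extends ThreadBoundSession {
    private final static Log log = LogFactory
            .getLog(SecureThreadBoundSession.class);

    /**
     * Compares the session's user ID with the authenticated user name before
     * the call proceeds.
     *
     * @param session
     *            the session about to be used; must not be null when an
     *            authentication is present, since its user ID is read
     * @return the result of {@code login()} when the session's user ID differs
     *         from the authenticated name, otherwise the result of
     *         {@code super.preCall(session)}
     */
    @Override
    protected Session preCall(Session session) {
        Authentication authentication = SecurityContextHolder.getContext()
                .getAuthentication();
        if (authentication == null) {
            // NOTE(review): no authentication in the context means no identity
            // check at all; the session is used as is. If worker threads are
            // pooled, confirm that a session bound for a previous user cannot
            // be reached through this path.
            return super.preCall(session);
        }

        String userID = session.getUserID();
        String currentUserName = authentication.getName();
        if (currentUserName == null) {
            // Same as above: a nameless authentication skips the check.
            return super.preCall(session);
        }

        // Session.getUserID() is allowed to return null (for instance for an
        // anonymous session), so the comparison is made from the non-null
        // authenticated name. A null user ID counts as a mismatch and leads to
        // a re-login instead of a NullPointerException.
        if (currentUserName.equals(userID)) {
            return super.preCall(session);
        }

        // NOTE(review): the string form of the authentication object depends
        // on its implementation and may include request details; the user
        // names are also written as received. Confirm that this is acceptable
        // for whoever can read the WARN log.
        log.warn("Current session has user ID " + userID
                + " while logged is user is " + currentUserName
                + "(authentication=" + authentication + ")"
                + ". Re-login.");
        // TODO throw an exception
        // NOTE(review): the mismatched session is not logged out or otherwise
        // released here; presumably login() takes care of replacing it, to be
        // verified in ThreadBoundSession.
        return login();
    }

}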