1 package org.argeo.security.jcr;
2
3 import javax.jcr.Session;
4
5 import org.apache.commons.logging.Log;
6 import org.apache.commons.logging.LogFactory;
7 import org.argeo.jcr.spring.ThreadBoundSession;
8 import org.springframework.security.Authentication;
9 import org.springframework.security.context.SecurityContextHolder;
10 import org.springframework.security.userdetails.UserDetails;
11
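/**
 * Thread-bound JCR session factory which checks authentication and is
 * autoconfigured in Spring.
 * <p>
 * {@link #preCall(Session)} compares the user ID of the JCR session with the
 * user name of the current Spring Security authentication and logs in again
 * when they differ, so that a session opened for one user is not reused for
 * another.
 */
public class SecureThreadBoundSession extends ThreadBoundSession {
	private final static Log log = LogFactory
			.getLog(SecureThreadBoundSession.class);

	/**
	 * Checks that the given session belongs to the currently authenticated
	 * user.
	 * <p>
	 * The check only runs when the security context holds an authentication
	 * whose details are non-null; otherwise the session is passed to the
	 * parent implementation unchecked.
	 *
	 * @param session
	 *            the JCR session about to be used
	 * @return the result of {@code login()} when the session's user ID is
	 *         missing or differs from the authenticated user name, otherwise
	 *         the result of the parent {@code preCall}
	 */
	@Override
	protected Session preCall(Session session) {
		Authentication authentication = SecurityContextHolder.getContext()
				.getAuthentication();
		// NOTE(review): with no authentication in the security context the
		// identity check is skipped and the session is used as is. Confirm
		// that this fail-open path is intended.
		if (authentication != null) {
			String userID = session.getUserID();
			// NOTE(review): the user is read from getDetails(), not
			// getPrincipal(). This assumes the application stores a
			// UserDetails there; any other details type makes this cast throw
			// ClassCastException. Verify against the authentication setup.
			UserDetails userDetails = (UserDetails) authentication.getDetails();
			if (userDetails != null) {
				String currentUserName = userDetails.getUsername();
				// Session.getUserID() is allowed to return null. A session
				// without a user ID is treated as a mismatch (re-login)
				// instead of failing with a NullPointerException.
				if (userID == null || !userID.equals(currentUserName)) {
					// NOTE(review): this logs the whole Authentication object
					// and the raw user names. Confirm that its toString()
					// exposes no credentials or session identifiers, and that
					// log output is protected against injected line breaks.
					log.warn("Current session has user ID " + userID
							+ " while logged is user is " + currentUserName
							+ "(authentication=" + authentication + ")"
							+ ". Re-login.");
					// The stale session is not passed to super.preCall();
					// the session returned by login() is used instead.
					return login();
				}
			}
		}
		return super.preCall(session);
	}

}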