1 package org
.argeo
.security
.jcr
;
3 import javax
.jcr
.Session
;
5 import org
.apache
.commons
.logging
.Log
;
6 import org
.apache
.commons
.logging
.LogFactory
;
7 import org
.argeo
.jcr
.spring
.ThreadBoundSession
;
8 import org
.springframework
.security
.Authentication
;
9 import org
.springframework
.security
.context
.SecurityContextHolder
;
10 import org
.springframework
.security
.userdetails
.UserDetails
;
13 * Thread-bound JCR session factory which checks that the JCR session user
14 * matches the current Spring Security authentication and is auto-configured in Spring.
16 public class SecureThreadBoundSession
extends ThreadBoundSession
{
/** Commons Logging logger for this class; used to warn when the session user and the authenticated user differ. */
private static final Log log = LogFactory.getLog(SecureThreadBoundSession.class);
21 protected Session
preCall(Session session
) {
22 Authentication authentication
= SecurityContextHolder
.getContext()
24 if (authentication
!= null) {
25 String userID
= session
.getUserID();
26 UserDetails userDetails
= (UserDetails
) authentication
.getDetails();
27 if (userDetails
!= null) {
28 String currentUserName
= userDetails
.getUsername();
29 if (!userID
.equals(currentUserName
)) {
30 log
.warn("Current session has user ID " + userID
31 + " while logged is user is " + currentUserName
32 + "(authentication=" + authentication
+ ")"
38 return super.preCall(session
);