X-Git-Url: https://git.argeo.org/?a=blobdiff_plain;f=security%2Fruntime%2Forg.argeo.security.core%2Fsrc%2Fmain%2Fjava%2Forg%2Fargeo%2Fsecurity%2Fjcr%2FSecureThreadBoundSession.java;fp=security%2Fruntime%2Forg.argeo.security.core%2Fsrc%2Fmain%2Fjava%2Forg%2Fargeo%2Fsecurity%2Fjcr%2FSecureThreadBoundSession.java;h=c83f3b5943d862b5b1d6a9f1481ec28aac95acb0;hb=2745f0c8c57d9468855179d56f858fb2448f779c;hp=0000000000000000000000000000000000000000;hpb=113e31e7c85bfad76d3c2ce6c20d63557a6fc02a;p=lgpl%2Fargeo-commons.git
diff --git a/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/jcr/SecureThreadBoundSession.java b/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/jcr/SecureThreadBoundSession.java
new file mode 100644
index 000000000..c83f3b594
--- /dev/null
+++ b/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/jcr/SecureThreadBoundSession.java
@@ -0,0 +1,31 @@
+package org.argeo.security.jcr;
+
+import javax.jcr.Session;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+import org.argeo.jcr.ThreadBoundJcrSessionFactory;
+import org.springframework.security.Authentication;
+import org.springframework.security.context.SecurityContextHolder;
+
+public class SecureThreadBoundSession extends ThreadBoundJcrSessionFactory {
+ private final static Log log = LogFactory
+ .getLog(SecureThreadBoundSession.class);
+
+ @Override
+ protected Session preCall(Session session) {
+ Authentication authentication = SecurityContextHolder.getContext()
+ .getAuthentication();
+ if (authentication != null) {
+ if (!session.getUserID().equals(
+ authentication.getPrincipal().toString())) {
+ log.warn("Current session has user ID " + session.getUserID() + " while authentication is " + authentication + ". Re-login.");
+ return login();
+ }
+ }
+ return super.preCall(session);
+ }
+
+}
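Review bot: The identity check in `preCall` compares `session.getUserID()` with `authentication.getPrincipal().toString()`, but `getPrincipal()` returns an `Object`; when it is a `UserDetails` rather than a plain user name its `toString()` will not equal the user ID, so every call would warn and re-login. `Authentication` is a `java.security.Principal`, so `if (!authentication.getName().equals(session.getUserID())) {` is the safer comparison, and keeping `getUserID()` on the argument side also avoids a NullPointerException if the repository returns a null user ID, which JCR permits. Separately, when `authentication` is null the method falls through to `super.preCall(session)` with whatever session is already bound to the thread; on pooled threads that could be a session opened for an earlier caller, so it is worth confirming against `ThreadBoundJcrSessionFactory` (not visible in this diff) that the unauthenticated path cannot reuse another user's session. The warning also concatenates the whole `authentication` object, whose string form may carry request details; logging `authentication.getName()` would be enough.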