X-Git-Url: https://git.argeo.org/?a=blobdiff_plain;f=security%2Fruntime%2Forg.argeo.security.core%2Fsrc%2Fmain%2Fjava%2Forg%2Fargeo%2Fsecurity%2Fjcr%2FSecureThreadBoundSession.java;h=9e16f3f643ce099467eeabfb90771c1fbedb84b5;hb=1d5afdce3e91054f07ddd3c98309c363b4cf1d46;hp=db2cfccbc692abd434386638d09b6ce6b06d47e5;hpb=149023e5969377045847bbecf24b0898b18a67a9;p=lgpl%2Fargeo-commons.git diff --git a/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/jcr/SecureThreadBoundSession.java b/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/jcr/SecureThreadBoundSession.java index db2cfccbc..9e16f3f64 100644 --- a/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/jcr/SecureThreadBoundSession.java +++ b/security/runtime/org.argeo.security.core/src/main/java/org/argeo/security/jcr/SecureThreadBoundSession.java @@ -1,48 +1,50 @@ +/* + * Copyright (C) 2007-2012 Mathieu Baudier + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ package org.argeo.security.jcr; import javax.jcr.Session; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; -import org.argeo.jcr.ThreadBoundJcrSessionFactory; -import org.springframework.beans.factory.DisposableBean; -import org.springframework.beans.factory.FactoryBean; -import org.springframework.beans.factory.InitializingBean; +import org.argeo.jcr.spring.ThreadBoundSession; import org.springframework.security.Authentication; import org.springframework.security.context.SecurityContextHolder; -import org.springframework.security.userdetails.UserDetails; /** * Thread bounded JCR session factory which checks authentication and is * autoconfigured in Spring. */ -public class SecureThreadBoundSession extends ThreadBoundJcrSessionFactory - implements FactoryBean, InitializingBean, DisposableBean { +public class SecureThreadBoundSession extends ThreadBoundSession { private final static Log log = LogFactory .getLog(SecureThreadBoundSession.class); - public void afterPropertiesSet() throws Exception { - init(); - } - - public void destroy() throws Exception { - dispose(); - } - @Override protected Session preCall(Session session) { Authentication authentication = SecurityContextHolder.getContext() .getAuthentication(); if (authentication != null) { String userID = session.getUserID(); - UserDetails userDetails = (UserDetails) authentication.getDetails(); - if (userDetails != null) { - String currentUserName = userDetails.getUsername(); + String currentUserName = authentication.getName(); + if (currentUserName != null) { if (!userID.equals(currentUserName)) { log.warn("Current session has user ID " + userID + " while logged is user is " + currentUserName + "(authentication=" + authentication + ")" + ". Re-login."); + // TODO throw an exception return login(); } }