[appfuse-issues] [JIRA] Resolved: (APF-388) If user name changed, user not flushed from Acegi user cache



AppFuse - Issues mailing list
     [ http://issues.appfuse.org/browse/APF-388?page=all ]
     
Matt Raible resolved APF-388:
-----------------------------

    Resolution: Fixed

Fixed - thanks for the patch!

> If user name changed, user not flushed from Acegi user cache
> ------------------------------------------------------------
>
>          Key: APF-388
>          URL: http://issues.appfuse.org/browse/APF-388
>      Project: AppFuse
>         Type: Bug
>   Components: Security
>     Versions: 1.9.2
>     Reporter: Dennis Doubleday
>     Assignee: Matt Raible
>      Fix For: 1.9.3
>
> I noticed a slight bug in the afterReturning method of the UserSecurityAdvice: if the thing about the user that changed was his name, then the way it is written now is that it will flush the new name from the acegi user cache, but what you actually want to do is flush the old name, particularly if the user that changed was the current one. Otherwise, the auth object won't get updated.
>             userCache.removeUserFromCache(user.getUsername());
>            
>             // reset the authentication object if current user
>             Authentication auth = SecurityContextHolder.getContext().getAuthentication();
>             if (auth != null && auth.getPrincipal() instanceof UserDetails) {
>                 User currentUser = (User) auth.getPrincipal();
>                 if (currentUser.getUsername().equalsIgnoreCase(user.getUsername())) {
>                     auth = new UsernamePasswordAuthenticationToken(user, user.getPassword(), user.getAuthorities());
> You need to test something like this:
>             if (currentUser.getId().equals(user.getId())) {
>                 if (!currentUser.getUsername().
>                                 equalsIgnoreCase(user.getUsername())) {
>                     // The name of the current user changed, so the
>                     // previous flush won't have done anything. Flush the
>                     // old name, too.
>                     flushCache(currentUser.getUsername());
>                 }
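The following is an added illustration of the flush bug described in the issue, not code from AppFuse or Acegi: a minimal stand-in for the username-keyed Acegi user cache (the User, UserCache, flushNewNameOnly and flushOldNameToo names are assumptions) showing that flushing only the new name leaves the pre-update entry, with its old password and authorities, live under the old username until the cache expires.

```java
import java.util.HashMap;
import java.util.Map;

public class UserCacheFlushDemo {
    // Hypothetical user record; real AppFuse users carry authorities as well.
    static class User {
        final long id; final String username; final String password;
        User(long id, String username, String password) {
            this.id = id; this.username = username; this.password = password;
        }
    }

    // Stand-in for Acegi's UserCache: entries are looked up by username string.
    static class UserCache {
        private final Map<String, User> entries = new HashMap<String, User>();
        void putUserInCache(User u) { entries.put(u.username, u); }
        User getUserFromCache(String name) { return entries.get(name); }
        void removeUserFromCache(String name) { entries.remove(name); }
    }

    // Original afterReturning behaviour: only the *new* name is flushed.
    static void flushNewNameOnly(UserCache cache, User currentUser, User updated) {
        cache.removeUserFromCache(updated.username);
    }

    // Fix proposed in APF-388: match on id, and flush the old name when it changed.
    static void flushOldNameToo(UserCache cache, User currentUser, User updated) {
        cache.removeUserFromCache(updated.username);
        if (currentUser.id == updated.id
                && !currentUser.username.equalsIgnoreCase(updated.username)) {
            cache.removeUserFromCache(currentUser.username);
        }
    }

    public static void main(String[] args) {
        UserCache cache = new UserCache();
        User cached = new User(1L, "alice", "oldpass");          // constructed sample
        cache.putUserInCache(cached);                            // what Acegi cached at login
        User updated = new User(1L, "alice.renamed", "newpass"); // same user after the edit

        flushNewNameOnly(cache, cached, updated);
        // Stale entry survives under the old name, still holding the old credentials.
        System.out.println("buggy flush, stale entry present: "
                + (cache.getUserFromCache("alice") != null));

        flushOldNameToo(cache, cached, updated);
        System.out.println("fixed flush, stale entry present: "
                + (cache.getUserFromCache("alice") != null));
    }
}
```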

--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.appfuse.org/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira
