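{
    // Validate that the claimed session ID matches the session bound to this request.
    // Failures are returned (not thrown) as SessionException, as in the original code; the
    // enclosing method's signature is outside this excerpt.

    // Look up the existing session only. getSession(false) returns null when the request has no
    // session. The no-argument getSession() creates a new session instead, which made the null
    // check below unreachable and allocated a session for every session-less request.
    HttpSession session = request.getSession(false);
    if (session == null)
    {
        return new SessionException("Request has no session.");
    }

    String realSessionId = session.getId();
    if (StringUtils.isBlank(realSessionId))
    {
        return new SessionException("Request session has no valid ID.");
    }

    // The claimed ID must equal the ID of the session bound to this request.
    // equals(null) is false, so a missing claimed ID is rejected here as well.
    if (!realSessionId.equals(claimedSessionId))
    {
        // Neither ID is written to the log. The real session ID is a live credential that anyone
        // with log access could replay. The claimed ID appears to be client-supplied text, so
        // logging it raw would let a caller inject line breaks or forged entries into the log.
        log.error("Provided session ID does not match request session ID.");
        return new SessionException("Provided session ID does not match request session ID.");
    }
}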
// get the principal (throws if none available)
Principal principal = getPrincipal(request);