From e89195f6db7720023370463255caea99b158cda1 Mon Sep 17 00:00:00 2001
From: Sebastian Sdorra
Date: Sat, 6 Oct 2012 18:35:09 +0200
Subject: [PATCH] improve security of administration context

---
 .../web/security/DefaultAdministrationContext.java | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/scm-webapp/src/main/java/sonia/scm/web/security/DefaultAdministrationContext.java b/scm-webapp/src/main/java/sonia/scm/web/security/DefaultAdministrationContext.java
index 376c8d2574..50a3ea3138 100644
--- a/scm-webapp/src/main/java/sonia/scm/web/security/DefaultAdministrationContext.java
+++ b/scm-webapp/src/main/java/sonia/scm/web/security/DefaultAdministrationContext.java
@@ -117,13 +117,15 @@ public class DefaultAdministrationContext implements AdministrationContext
     Subject subject = SecurityUtils.getSubject();
+    String principal = (String) subject.getPrincipal();
+
     if (logger.isInfoEnabled())
     {
       String username = null;
       if (subject.isAuthenticated())
       {
-        username = subject.getPrincipal().toString();
+        username = principal;
       }
       else
       {
@@ -150,6 +152,13 @@ public class DefaultAdministrationContext implements AdministrationContext
       logger.debug("release runas for user {}", collection.getPrimaryPrincipal());
     }
+
+    if (!subject.getPrincipal().equals(principal))
+    {
+      logger.error("release runas failed, {} is not equal with {}, logout.",
+        subject.getPrincipal(), principal);
+      subject.logout();
+    }
   }
 }
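Review bot: The new post-release check `if (!subject.getPrincipal().equals(principal))` in the second hunk dereferences `subject.getPrincipal()` without a null guard, yet the first hunk's own `isAuthenticated()` branch anticipates a subject that may have no principal (an anonymous caller), so on that path the identity check ends in a NullPointerException instead of the intended logout, and if the release runs in a cleanup block that exception would also mask whatever the callback threw. The first hunk's `(String) subject.getPrincipal()` adds a second failure mode: a non-String principal makes the cast throw before the admin context is even entered, although the value is only logged and compared. I would keep the captured value as `Object principal = subject.getPrincipal();`, log it with `username = String.valueOf(principal);`, and compare null-safely, `if (principal == null ? subject.getPrincipal() != null : !principal.equals(subject.getPrincipal()))` (or `Objects.equals` if the project is on Java 7+). A short comment on the captured variable, such as `// identity before runAs; compared after release to detect a leaked admin session`, would document why the value is held across the callback. The enclosing method starts before the first hunk and the second hunk does not show its beginning either.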