Remove Servlet 2.5 Support for Session Fixation
This commit removes existence validation of a method only available in Servlet 3.1. Spring Framework baseline is Servlet 3.1 so is not longer required. Fixes: gh-6259
This commit is contained in:
committed by
Josh Cummings
parent
4123d96cd5
commit
086b105273
@@ -17,7 +17,6 @@ package org.springframework.security.config.annotation.web.configurers;
|
||||
|
||||
import java.lang.reflect.Method;
|
||||
import javax.servlet.Filter;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
|
||||
import org.junit.After;
|
||||
import org.junit.Before;
|
||||
@@ -25,7 +24,6 @@ import org.junit.Test;
|
||||
import org.junit.runner.RunWith;
|
||||
import org.mockito.Mock;
|
||||
import org.powermock.core.classloader.annotations.PowerMockIgnore;
|
||||
import org.powermock.core.classloader.annotations.PrepareForTest;
|
||||
import org.powermock.modules.junit4.PowerMockRunner;
|
||||
|
||||
import org.springframework.context.ConfigurableApplicationContext;
|
||||
@@ -44,21 +42,14 @@ import org.springframework.security.web.context.HttpRequestResponseHolder;
|
||||
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
|
||||
import org.springframework.security.web.csrf.CsrfToken;
|
||||
import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
|
||||
import org.springframework.util.ReflectionUtils;
|
||||
|
||||
import static org.mockito.Matchers.any;
|
||||
import static org.mockito.Matchers.same;
|
||||
import static org.powermock.api.mockito.PowerMockito.mock;
|
||||
import static org.powermock.api.mockito.PowerMockito.spy;
|
||||
import static org.powermock.api.mockito.PowerMockito.verifyStatic;
|
||||
import static org.powermock.api.mockito.PowerMockito.when;
|
||||
import static org.assertj.core.api.AssertionsForInterfaceTypes.assertThat;
|
||||
|
||||
/**
|
||||
*
|
||||
* @author Rob Winch
|
||||
*/
|
||||
@RunWith(PowerMockRunner.class)
|
||||
@PrepareForTest({ ReflectionUtils.class, Method.class })
|
||||
@PowerMockIgnore({ "org.w3c.dom.*", "org.xml.sax.*", "org.apache.xerces.*", "javax.xml.parsers.*" })
|
||||
public class SessionManagementConfigurerServlet31Tests {
|
||||
@Mock
|
||||
@@ -87,10 +78,9 @@ public class SessionManagementConfigurerServlet31Tests {
|
||||
}
|
||||
|
||||
@Test
|
||||
public void changeSessionIdDefaultsInServlet31Plus() throws Exception {
|
||||
spy(ReflectionUtils.class);
|
||||
Method method = mock(Method.class);
|
||||
public void changeSessionIdThenPreserveParameters() throws Exception {
|
||||
MockHttpServletRequest request = new MockHttpServletRequest("GET", "");
|
||||
String id = request.getSession().getId();
|
||||
request.getSession();
|
||||
request.setServletPath("/login");
|
||||
request.setMethod("POST");
|
||||
@@ -100,15 +90,14 @@ public class SessionManagementConfigurerServlet31Tests {
|
||||
CsrfToken token = repository.generateToken(request);
|
||||
repository.saveToken(token, request, response);
|
||||
request.setParameter(token.getParameterName(), token.getToken());
|
||||
when(ReflectionUtils.findMethod(HttpServletRequest.class, "changeSessionId"))
|
||||
.thenReturn(method);
|
||||
request.getSession().setAttribute("attribute1", "value1");
|
||||
|
||||
loadConfig(SessionManagementDefaultSessionFixationServlet31Config.class);
|
||||
|
||||
springSecurityFilterChain.doFilter(request, response, chain);
|
||||
|
||||
verifyStatic(ReflectionUtils.class);
|
||||
ReflectionUtils.invokeMethod(same(method), any(HttpServletRequest.class));
|
||||
assertThat(!request.getSession().getId().equals(id));
|
||||
assertThat(request.getSession().getAttribute("attribute1").equals("value1"));
|
||||
}
|
||||
|
||||
@EnableWebSecurity
|
||||
|
||||
@@ -17,7 +17,6 @@ package org.springframework.security.config.http;
|
||||
|
||||
import java.lang.reflect.Method;
|
||||
import javax.servlet.Filter;
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
|
||||
import org.junit.After;
|
||||
import org.junit.Before;
|
||||
@@ -39,12 +38,7 @@ import org.springframework.security.web.context.HttpRequestResponseHolder;
|
||||
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
|
||||
import org.springframework.util.ReflectionUtils;
|
||||
|
||||
import static org.mockito.Matchers.any;
|
||||
import static org.mockito.Matchers.same;
|
||||
import static org.powermock.api.mockito.PowerMockito.mock;
|
||||
import static org.powermock.api.mockito.PowerMockito.spy;
|
||||
import static org.powermock.api.mockito.PowerMockito.verifyStatic;
|
||||
import static org.powermock.api.mockito.PowerMockito.when;
|
||||
import static org.assertj.core.api.AssertionsForClassTypes.assertThat;
|
||||
|
||||
/**
|
||||
* @author Rob Winch
|
||||
@@ -86,17 +80,17 @@ public class SessionManagementConfigServlet31Tests {
|
||||
}
|
||||
|
||||
@Test
|
||||
public void changeSessionIdDefaultsInServlet31Plus() throws Exception {
|
||||
spy(ReflectionUtils.class);
|
||||
Method method = mock(Method.class);
|
||||
public void changeSessionIdThenPreserveParameters() throws Exception {
|
||||
MockHttpServletRequest request = new MockHttpServletRequest("GET", "");
|
||||
request.getSession();
|
||||
request.setServletPath("/login");
|
||||
request.setMethod("POST");
|
||||
request.setParameter("username", "user");
|
||||
request.setParameter("password", "password");
|
||||
when(ReflectionUtils.findMethod(HttpServletRequest.class, "changeSessionId"))
|
||||
.thenReturn(method);
|
||||
|
||||
request.getSession().setAttribute("attribute1", "value1");
|
||||
|
||||
String id = request.getSession().getId();
|
||||
|
||||
loadContext("<http>\n" + " <form-login/>\n"
|
||||
+ " <session-management/>\n" + " <csrf disabled='true'/>\n"
|
||||
@@ -104,22 +98,22 @@ public class SessionManagementConfigServlet31Tests {
|
||||
|
||||
springSecurityFilterChain.doFilter(request, response, chain);
|
||||
|
||||
verifyStatic(ReflectionUtils.class);
|
||||
ReflectionUtils.invokeMethod(same(method), any(HttpServletRequest.class));
|
||||
|
||||
assertThat(!request.getSession().getId().equals(id));
|
||||
assertThat(request.getSession().getAttribute("attribute1").equals("value1"));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void changeSessionId() throws Exception {
|
||||
spy(ReflectionUtils.class);
|
||||
Method method = mock(Method.class);
|
||||
|
||||
MockHttpServletRequest request = new MockHttpServletRequest("GET", "");
|
||||
request.getSession();
|
||||
request.setServletPath("/login");
|
||||
request.setMethod("POST");
|
||||
request.setParameter("username", "user");
|
||||
request.setParameter("password", "password");
|
||||
when(ReflectionUtils.findMethod(HttpServletRequest.class, "changeSessionId"))
|
||||
.thenReturn(method);
|
||||
|
||||
String id = request.getSession().getId();
|
||||
|
||||
loadContext("<http>\n"
|
||||
+ " <form-login/>\n"
|
||||
@@ -129,8 +123,8 @@ public class SessionManagementConfigServlet31Tests {
|
||||
|
||||
springSecurityFilterChain.doFilter(request, response, chain);
|
||||
|
||||
verifyStatic(ReflectionUtils.class);
|
||||
ReflectionUtils.invokeMethod(same(method), any(HttpServletRequest.class));
|
||||
assertThat(!request.getSession().getId().equals(id));
|
||||
|
||||
}
|
||||
|
||||
private void loadContext(String context) {
|
||||
|
||||
Reference in New Issue
Block a user