Remove Servlet 2.5 Support for Session Fixation

This commit removes existence validation of a method only available in Servlet 3.1.
Spring Framework baseline is Servlet 3.1 so is not longer required.

Fixes: gh-6259
This commit is contained in:
Rafael Dominguez
2018-12-17 13:03:18 -06:00
committed by Josh Cummings
parent 4123d96cd5
commit 086b105273
7 changed files with 32 additions and 107 deletions

View File

@@ -15,55 +15,26 @@
*/
package org.springframework.security.web.authentication.session;
import static org.mockito.Matchers.*;
import static org.powermock.api.mockito.PowerMockito.*;
import java.lang.reflect.Method;
import javax.servlet.http.HttpServletRequest;
import org.junit.Assert;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.Mock;
import org.powermock.core.classloader.annotations.PrepareForTest;
import org.powermock.modules.junit4.PowerMockRunner;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.util.ReflectionUtils;
/**
* @author Rob Winch
*
*/
@RunWith(PowerMockRunner.class)
@PrepareForTest({ ReflectionUtils.class, Method.class })
public class ChangeSessionIdAuthenticationStrategyTests {
@Mock
private Method method;
@Test(expected = IllegalStateException.class)
public void constructChangeIdMethodNotFound() {
spy(ReflectionUtils.class);
MockHttpServletRequest request = new MockHttpServletRequest();
request.getSession();
when(ReflectionUtils.findMethod(HttpServletRequest.class, "changeSessionId"))
.thenReturn(null);
new ChangeSessionIdAuthenticationStrategy();
}
@Test
public void applySessionFixation() throws Exception {
spy(ReflectionUtils.class);
Method method = mock(Method.class);
public void applySessionFixation() {
MockHttpServletRequest request = new MockHttpServletRequest();
request.getSession();
when(ReflectionUtils.findMethod(HttpServletRequest.class, "changeSessionId"))
.thenReturn(method);
String id = request.getSession().getId();
new ChangeSessionIdAuthenticationStrategy().applySessionFixation(request);
new ChangeSessionIdAuthenticationStrategy().applySessionFixation(request);
verifyStatic(ReflectionUtils.class);
ReflectionUtils.invokeMethod(same(method), eq(request));
Assert.assertNotEquals(id, request.getSession().getId());
}
}