Remove Servlet 2.5 Support for Session Fixation
This commit removes existence validation of a method only available in Servlet 3.1. Spring Framework baseline is Servlet 3.1 so is not longer required. Fixes: gh-6259
This commit is contained in:
committed by
Josh Cummings
parent
4123d96cd5
commit
086b105273
@@ -15,55 +15,26 @@
|
||||
*/
|
||||
package org.springframework.security.web.authentication.session;
|
||||
|
||||
import static org.mockito.Matchers.*;
|
||||
import static org.powermock.api.mockito.PowerMockito.*;
|
||||
|
||||
import java.lang.reflect.Method;
|
||||
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
|
||||
import org.junit.Assert;
|
||||
import org.junit.Test;
|
||||
import org.junit.runner.RunWith;
|
||||
import org.mockito.Mock;
|
||||
import org.powermock.core.classloader.annotations.PrepareForTest;
|
||||
import org.powermock.modules.junit4.PowerMockRunner;
|
||||
import org.springframework.mock.web.MockHttpServletRequest;
|
||||
import org.springframework.util.ReflectionUtils;
|
||||
|
||||
/**
|
||||
* @author Rob Winch
|
||||
*
|
||||
*/
|
||||
@RunWith(PowerMockRunner.class)
|
||||
@PrepareForTest({ ReflectionUtils.class, Method.class })
|
||||
public class ChangeSessionIdAuthenticationStrategyTests {
|
||||
@Mock
|
||||
private Method method;
|
||||
|
||||
@Test(expected = IllegalStateException.class)
|
||||
public void constructChangeIdMethodNotFound() {
|
||||
spy(ReflectionUtils.class);
|
||||
MockHttpServletRequest request = new MockHttpServletRequest();
|
||||
request.getSession();
|
||||
when(ReflectionUtils.findMethod(HttpServletRequest.class, "changeSessionId"))
|
||||
.thenReturn(null);
|
||||
|
||||
new ChangeSessionIdAuthenticationStrategy();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void applySessionFixation() throws Exception {
|
||||
spy(ReflectionUtils.class);
|
||||
Method method = mock(Method.class);
|
||||
public void applySessionFixation() {
|
||||
MockHttpServletRequest request = new MockHttpServletRequest();
|
||||
request.getSession();
|
||||
when(ReflectionUtils.findMethod(HttpServletRequest.class, "changeSessionId"))
|
||||
.thenReturn(method);
|
||||
String id = request.getSession().getId();
|
||||
|
||||
new ChangeSessionIdAuthenticationStrategy().applySessionFixation(request);
|
||||
new ChangeSessionIdAuthenticationStrategy().applySessionFixation(request);
|
||||
|
||||
verifyStatic(ReflectionUtils.class);
|
||||
ReflectionUtils.invokeMethod(same(method), eq(request));
|
||||
Assert.assertNotEquals(id, request.getSession().getId());
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user