Address SessionLimitStrategy
Closes gh-16206
This commit is contained in:
committed by
Josh Cummings
parent
6bc6946ad9
commit
1864577e98
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2022 the original author or authors.
|
||||
* Copyright 2002-2024 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -64,6 +64,7 @@ import org.springframework.security.web.context.SecurityContextRepository;
|
||||
import org.springframework.security.web.savedrequest.RequestCache;
|
||||
import org.springframework.security.web.session.ConcurrentSessionFilter;
|
||||
import org.springframework.security.web.session.HttpSessionDestroyedEvent;
|
||||
import org.springframework.security.web.session.SessionLimit;
|
||||
import org.springframework.security.web.session.SessionManagementFilter;
|
||||
import org.springframework.test.web.servlet.MockMvc;
|
||||
import org.springframework.test.web.servlet.MvcResult;
|
||||
@@ -249,6 +250,82 @@ public class SessionManagementConfigurerTests {
|
||||
// @formatter:on
|
||||
}
|
||||
|
||||
@Test
|
||||
public void loginWhenAdminUserLoggedInAndSessionLimitIsConfiguredThenLoginSuccessfully() throws Exception {
|
||||
this.spring.register(ConcurrencyControlWithSessionLimitConfig.class).autowire();
|
||||
// @formatter:off
|
||||
MockHttpServletRequestBuilder requestBuilder = post("/login")
|
||||
.with(csrf())
|
||||
.param("username", "admin")
|
||||
.param("password", "password");
|
||||
HttpSession firstSession = this.mvc.perform(requestBuilder)
|
||||
.andExpect(status().is3xxRedirection())
|
||||
.andExpect(redirectedUrl("/"))
|
||||
.andReturn()
|
||||
.getRequest()
|
||||
.getSession(false);
|
||||
assertThat(firstSession).isNotNull();
|
||||
HttpSession secondSession = this.mvc.perform(requestBuilder)
|
||||
.andExpect(status().is3xxRedirection())
|
||||
.andExpect(redirectedUrl("/"))
|
||||
.andReturn()
|
||||
.getRequest()
|
||||
.getSession(false);
|
||||
assertThat(secondSession).isNotNull();
|
||||
// @formatter:on
|
||||
assertThat(firstSession.getId()).isNotEqualTo(secondSession.getId());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void loginWhenAdminUserLoggedInAndSessionLimitIsConfiguredThenLoginPrevented() throws Exception {
|
||||
this.spring.register(ConcurrencyControlWithSessionLimitConfig.class).autowire();
|
||||
// @formatter:off
|
||||
MockHttpServletRequestBuilder requestBuilder = post("/login")
|
||||
.with(csrf())
|
||||
.param("username", "admin")
|
||||
.param("password", "password");
|
||||
HttpSession firstSession = this.mvc.perform(requestBuilder)
|
||||
.andExpect(status().is3xxRedirection())
|
||||
.andExpect(redirectedUrl("/"))
|
||||
.andReturn()
|
||||
.getRequest()
|
||||
.getSession(false);
|
||||
assertThat(firstSession).isNotNull();
|
||||
HttpSession secondSession = this.mvc.perform(requestBuilder)
|
||||
.andExpect(status().is3xxRedirection())
|
||||
.andExpect(redirectedUrl("/"))
|
||||
.andReturn()
|
||||
.getRequest()
|
||||
.getSession(false);
|
||||
assertThat(secondSession).isNotNull();
|
||||
assertThat(firstSession.getId()).isNotEqualTo(secondSession.getId());
|
||||
this.mvc.perform(requestBuilder)
|
||||
.andExpect(status().isFound())
|
||||
.andExpect(redirectedUrl("/login?error"));
|
||||
// @formatter:on
|
||||
}
|
||||
|
||||
@Test
|
||||
public void loginWhenUserLoggedInAndSessionLimitIsConfiguredThenLoginPrevented() throws Exception {
|
||||
this.spring.register(ConcurrencyControlWithSessionLimitConfig.class).autowire();
|
||||
// @formatter:off
|
||||
MockHttpServletRequestBuilder requestBuilder = post("/login")
|
||||
.with(csrf())
|
||||
.param("username", "user")
|
||||
.param("password", "password");
|
||||
HttpSession firstSession = this.mvc.perform(requestBuilder)
|
||||
.andExpect(status().is3xxRedirection())
|
||||
.andExpect(redirectedUrl("/"))
|
||||
.andReturn()
|
||||
.getRequest()
|
||||
.getSession(false);
|
||||
assertThat(firstSession).isNotNull();
|
||||
this.mvc.perform(requestBuilder)
|
||||
.andExpect(status().isFound())
|
||||
.andExpect(redirectedUrl("/login?error"));
|
||||
// @formatter:on
|
||||
}
|
||||
|
||||
@Test
|
||||
public void requestWhenSessionCreationPolicyStateLessInLambdaThenNoSessionCreated() throws Exception {
|
||||
this.spring.register(SessionCreationPolicyStateLessInLambdaConfig.class).autowire();
|
||||
@@ -625,6 +702,42 @@ public class SessionManagementConfigurerTests {
|
||||
|
||||
}
|
||||
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
static class ConcurrencyControlWithSessionLimitConfig {
|
||||
|
||||
@Bean
|
||||
SecurityFilterChain filterChain(HttpSecurity http, SessionLimit sessionLimit) throws Exception {
|
||||
// @formatter:off
|
||||
http
|
||||
.formLogin(withDefaults())
|
||||
.sessionManagement((sessionManagement) -> sessionManagement
|
||||
.sessionConcurrency((sessionConcurrency) -> sessionConcurrency
|
||||
.maximumSessions(sessionLimit)
|
||||
.maxSessionsPreventsLogin(true)
|
||||
)
|
||||
);
|
||||
// @formatter:on
|
||||
return http.build();
|
||||
}
|
||||
|
||||
@Bean
|
||||
UserDetailsService userDetailsService() {
|
||||
return new InMemoryUserDetailsManager(PasswordEncodedUser.admin(), PasswordEncodedUser.user());
|
||||
}
|
||||
|
||||
@Bean
|
||||
SessionLimit SessionLimit() {
|
||||
return (authentication) -> {
|
||||
if ("admin".equals(authentication.getName())) {
|
||||
return 2;
|
||||
}
|
||||
return 1;
|
||||
};
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@Configuration
|
||||
@EnableWebSecurity
|
||||
static class SessionCreationPolicyStateLessInLambdaConfig {
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2022 the original author or authors.
|
||||
* Copyright 2002-2024 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -24,6 +24,7 @@ import java.util.Map;
|
||||
import java.util.Set;
|
||||
|
||||
import com.google.common.collect.ImmutableMap;
|
||||
import jakarta.servlet.http.HttpSession;
|
||||
import org.junit.jupiter.api.Test;
|
||||
import org.junit.jupiter.api.extension.ExtendWith;
|
||||
|
||||
@@ -33,14 +34,21 @@ import org.springframework.beans.factory.parsing.BeanDefinitionParsingException;
|
||||
import org.springframework.beans.factory.xml.XmlBeanDefinitionStoreException;
|
||||
import org.springframework.security.config.test.SpringTestContext;
|
||||
import org.springframework.security.config.test.SpringTestContextExtension;
|
||||
import org.springframework.security.core.Authentication;
|
||||
import org.springframework.security.web.session.SessionLimit;
|
||||
import org.springframework.test.web.servlet.MockMvc;
|
||||
import org.springframework.test.web.servlet.ResultMatcher;
|
||||
import org.springframework.test.web.servlet.request.MockHttpServletRequestBuilder;
|
||||
import org.springframework.web.bind.annotation.GetMapping;
|
||||
import org.springframework.web.bind.annotation.RestController;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
|
||||
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
|
||||
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
|
||||
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
|
||||
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;
|
||||
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrl;
|
||||
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
|
||||
|
||||
/**
|
||||
@@ -49,6 +57,7 @@ import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.
|
||||
* @author Josh Cummings
|
||||
* @author Rafiullah Hamedy
|
||||
* @author Marcus Da Coregio
|
||||
* @author Claudenir Freitas
|
||||
*/
|
||||
@ExtendWith(SpringTestContextExtension.class)
|
||||
public class HttpHeadersConfigTests {
|
||||
@@ -782,6 +791,120 @@ public class HttpHeadersConfigTests {
|
||||
// @formatter:on
|
||||
}
|
||||
|
||||
@Test
|
||||
public void requestWhenSessionManagementConcurrencyControlMaxSessionIsOne() throws Exception {
|
||||
System.setProperty("security.session-management.concurrency-control.max-sessions", "1");
|
||||
this.spring.configLocations(this.xml("DefaultsSessionManagementConcurrencyControlMaxSessions")).autowire();
|
||||
// @formatter:off
|
||||
MockHttpServletRequestBuilder requestBuilder = post("/login")
|
||||
.with(csrf())
|
||||
.param("username", "user")
|
||||
.param("password", "password");
|
||||
HttpSession firstSession = this.mvc.perform(requestBuilder)
|
||||
.andExpect(status().is3xxRedirection())
|
||||
.andExpect(redirectedUrl("/"))
|
||||
.andReturn()
|
||||
.getRequest()
|
||||
.getSession(false);
|
||||
// @formatter:on
|
||||
assertThat(firstSession).isNotNull();
|
||||
// @formatter:off
|
||||
this.mvc.perform(requestBuilder)
|
||||
.andExpect(status().isFound())
|
||||
.andExpect(redirectedUrl("/login?error"));
|
||||
// @formatter:on
|
||||
}
|
||||
|
||||
@Test
|
||||
public void requestWhenSessionManagementConcurrencyControlMaxSessionIsUnlimited() throws Exception {
|
||||
System.setProperty("security.session-management.concurrency-control.max-sessions", "-1");
|
||||
this.spring.configLocations(this.xml("DefaultsSessionManagementConcurrencyControlMaxSessions")).autowire();
|
||||
// @formatter:off
|
||||
MockHttpServletRequestBuilder requestBuilder = post("/login")
|
||||
.with(csrf())
|
||||
.param("username", "user")
|
||||
.param("password", "password");
|
||||
HttpSession firstSession = this.mvc.perform(requestBuilder)
|
||||
.andExpect(status().is3xxRedirection())
|
||||
.andExpect(redirectedUrl("/"))
|
||||
.andReturn()
|
||||
.getRequest()
|
||||
.getSession(false);
|
||||
assertThat(firstSession).isNotNull();
|
||||
HttpSession secondSession = this.mvc.perform(requestBuilder)
|
||||
.andExpect(status().is3xxRedirection())
|
||||
.andExpect(redirectedUrl("/"))
|
||||
.andReturn()
|
||||
.getRequest()
|
||||
.getSession(false);
|
||||
assertThat(secondSession).isNotNull();
|
||||
// @formatter:on
|
||||
assertThat(firstSession.getId()).isNotEqualTo(secondSession.getId());
|
||||
}
|
||||
|
||||
@Test
|
||||
public void requestWhenSessionManagementConcurrencyControlMaxSessionRefIsOneForNonAdminUsers() throws Exception {
|
||||
this.spring.configLocations(this.xml("DefaultsSessionManagementConcurrencyControlMaxSessionsRef")).autowire();
|
||||
// @formatter:off
|
||||
MockHttpServletRequestBuilder requestBuilder = post("/login")
|
||||
.with(csrf())
|
||||
.param("username", "user")
|
||||
.param("password", "password");
|
||||
HttpSession firstSession = this.mvc.perform(requestBuilder)
|
||||
.andExpect(status().is3xxRedirection())
|
||||
.andExpect(redirectedUrl("/"))
|
||||
.andReturn()
|
||||
.getRequest()
|
||||
.getSession(false);
|
||||
// @formatter:on
|
||||
assertThat(firstSession).isNotNull();
|
||||
// @formatter:off
|
||||
this.mvc.perform(requestBuilder)
|
||||
.andExpect(status().isFound())
|
||||
.andExpect(redirectedUrl("/login?error"));
|
||||
// @formatter:on
|
||||
}
|
||||
|
||||
@Test
|
||||
public void requestWhenSessionManagementConcurrencyControlMaxSessionRefIsTwoForAdminUsers() throws Exception {
|
||||
this.spring.configLocations(this.xml("DefaultsSessionManagementConcurrencyControlMaxSessionsRef")).autowire();
|
||||
// @formatter:off
|
||||
MockHttpServletRequestBuilder requestBuilder = post("/login")
|
||||
.with(csrf())
|
||||
.param("username", "admin")
|
||||
.param("password", "password");
|
||||
HttpSession firstSession = this.mvc.perform(requestBuilder)
|
||||
.andExpect(status().is3xxRedirection())
|
||||
.andExpect(redirectedUrl("/"))
|
||||
.andReturn()
|
||||
.getRequest()
|
||||
.getSession(false);
|
||||
assertThat(firstSession).isNotNull();
|
||||
HttpSession secondSession = this.mvc.perform(requestBuilder)
|
||||
.andExpect(status().is3xxRedirection())
|
||||
.andExpect(redirectedUrl("/"))
|
||||
.andReturn()
|
||||
.getRequest()
|
||||
.getSession(false);
|
||||
assertThat(secondSession).isNotNull();
|
||||
// @formatter:on
|
||||
assertThat(firstSession.getId()).isNotEqualTo(secondSession.getId());
|
||||
// @formatter:off
|
||||
this.mvc.perform(requestBuilder)
|
||||
.andExpect(status().isFound())
|
||||
.andExpect(redirectedUrl("/login?error"));
|
||||
// @formatter:on
|
||||
}
|
||||
|
||||
@Test
|
||||
public void requestWhenSessionManagementConcurrencyControlWithInvalidMaxSessionConfig() {
|
||||
assertThatExceptionOfType(BeanDefinitionParsingException.class)
|
||||
.isThrownBy(() -> this.spring
|
||||
.configLocations(this.xml("DefaultsSessionManagementConcurrencyControlWithInvalidMaxSessionsConfig"))
|
||||
.autowire())
|
||||
.withMessageContaining("Cannot use 'max-sessions' attribute and 'max-sessions-ref' attribute together.");
|
||||
}
|
||||
|
||||
private static ResultMatcher includesDefaults() {
|
||||
return includes(defaultHeaders);
|
||||
}
|
||||
@@ -832,4 +955,16 @@ public class HttpHeadersConfigTests {
|
||||
|
||||
}
|
||||
|
||||
public static class CustomSessionLimit implements SessionLimit {
|
||||
|
||||
@Override
|
||||
public Integer apply(Authentication authentication) {
|
||||
if ("admin".equals(authentication.getName())) {
|
||||
return 2;
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user