SEC-1142: Support for session timeout detection. Added namespace support for invalid-session-url

This commit is contained in:
Luke Taylor
2009-08-07 23:57:10 +00:00
parent c12e5b4d0b
commit 229866e293
4 changed files with 1729 additions and 1673 deletions

View File

@@ -737,7 +737,7 @@ public class HttpSecurityBeanDefinitionParserTests {
}
@Test
public void disablingSessionProtectionRemovesFilter() throws Exception {
public void disablingSessionProtectionRemovesSessionManagementFilterIfNoInvalidSessionUrlSet() throws Exception {
setContext(
"<http auto-config='true' session-fixation-protection='none'/>" + AUTH_PROVIDER_XML);
List<Filter> filters = getFilters("/someurl");
@@ -745,6 +745,17 @@ public class HttpSecurityBeanDefinitionParserTests {
assertFalse(filters.get(9) instanceof SessionManagementFilter);
}
@Test
public void disablingSessionProtectionRetainsSessionManagementFilterInvalidSessionUrlSet() throws Exception {
setContext(
"<http auto-config='true' session-fixation-protection='none'" +
" invalid-session-url='/timeoutUrl' />" + AUTH_PROVIDER_XML);
List<Filter> filters = getFilters("/someurl");
Object filter = filters.get(9);
assertTrue(filter instanceof SessionManagementFilter);
assertEquals("/timeoutUrl", FieldUtils.getProtectedFieldValue("invalidSessionUrl", filter));
}
/**
* See SEC-750. If the http security post processor causes beans to be instantiated too eagerly, they way miss
* additional processing. In this method we have a UserDetailsService which is referenced from the namespace