SEC-1142: Support for session timeout detection. Added namespace support for invalid-session-url
This commit is contained in:
@@ -737,7 +737,7 @@ public class HttpSecurityBeanDefinitionParserTests {
|
||||
}
|
||||
|
||||
@Test
|
||||
public void disablingSessionProtectionRemovesFilter() throws Exception {
|
||||
public void disablingSessionProtectionRemovesSessionManagementFilterIfNoInvalidSessionUrlSet() throws Exception {
|
||||
setContext(
|
||||
"<http auto-config='true' session-fixation-protection='none'/>" + AUTH_PROVIDER_XML);
|
||||
List<Filter> filters = getFilters("/someurl");
|
||||
@@ -745,6 +745,17 @@ public class HttpSecurityBeanDefinitionParserTests {
|
||||
assertFalse(filters.get(9) instanceof SessionManagementFilter);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void disablingSessionProtectionRetainsSessionManagementFilterInvalidSessionUrlSet() throws Exception {
|
||||
setContext(
|
||||
"<http auto-config='true' session-fixation-protection='none'" +
|
||||
" invalid-session-url='/timeoutUrl' />" + AUTH_PROVIDER_XML);
|
||||
List<Filter> filters = getFilters("/someurl");
|
||||
Object filter = filters.get(9);
|
||||
assertTrue(filter instanceof SessionManagementFilter);
|
||||
assertEquals("/timeoutUrl", FieldUtils.getProtectedFieldValue("invalidSessionUrl", filter));
|
||||
}
|
||||
|
||||
/**
|
||||
* See SEC-750. If the http security post processor causes beans to be instantiated too eagerly, they way miss
|
||||
* additional processing. In this method we have a UserDetailsService which is referenced from the namespace
|
||||
|
||||
Reference in New Issue
Block a user