Transient Authentication Tokens
This commit introduces support for transient authentication tokens which indicate to the filter chain, specifically the HttpSessionSecurityContextRepository, whether or not the token ought to be persisted across requests. To leverage this, simply annotate any Authentication implementation with @TransientAuthentication, extend from an Authentication that uses this annotation, or annotate a custom annotation. Implementations of SecurityContextRepository may choose to not persist tokens that are marked with @TransientAuthentication in the same way that HttpSessionSecurityContextRepository does. Fixes: gh-5481
This commit is contained in:
@@ -0,0 +1,123 @@
|
||||
/*
|
||||
* Copyright 2002-2018 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
package org.springframework.security.config.annotation.web.configurers;
|
||||
|
||||
import org.junit.Rule;
|
||||
import org.junit.Test;
|
||||
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.security.authentication.AbstractAuthenticationToken;
|
||||
import org.springframework.security.authentication.AuthenticationProvider;
|
||||
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
|
||||
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
|
||||
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
|
||||
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
|
||||
import org.springframework.security.config.http.SessionCreationPolicy;
|
||||
import org.springframework.security.config.test.SpringTestRule;
|
||||
import org.springframework.security.core.Authentication;
|
||||
import org.springframework.security.core.AuthenticationException;
|
||||
import org.springframework.security.core.TransientAuthentication;
|
||||
import org.springframework.test.web.servlet.MockMvc;
|
||||
import org.springframework.test.web.servlet.MvcResult;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
|
||||
|
||||
/**
|
||||
* @author Josh Cummings
|
||||
*/
|
||||
public class SessionManagementConfigurerTransientAuthenticationTests {
|
||||
|
||||
@Autowired
|
||||
MockMvc mvc;
|
||||
|
||||
@Rule
|
||||
public final SpringTestRule spring = new SpringTestRule();
|
||||
|
||||
@Test
|
||||
public void postWhenTransientAuthenticationThenNoSessionCreated()
|
||||
throws Exception {
|
||||
|
||||
this.spring.register(WithTransientAuthenticationConfig.class).autowire();
|
||||
MvcResult result = this.mvc.perform(post("/login")).andReturn();
|
||||
assertThat(result.getRequest().getSession(false)).isNull();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void postWhenTransientAuthenticationThenAlwaysSessionOverrides()
|
||||
throws Exception {
|
||||
|
||||
this.spring.register(AlwaysCreateSessionConfig.class).autowire();
|
||||
MvcResult result = this.mvc.perform(post("/login")).andReturn();
|
||||
assertThat(result.getRequest().getSession(false)).isNotNull();
|
||||
}
|
||||
|
||||
@EnableWebSecurity
|
||||
static class WithTransientAuthenticationConfig extends WebSecurityConfigurerAdapter {
|
||||
@Override
|
||||
protected void configure(HttpSecurity http) throws Exception {
|
||||
super.configure(http);
|
||||
|
||||
http
|
||||
.csrf().disable();
|
||||
}
|
||||
|
||||
@Override
|
||||
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
|
||||
auth
|
||||
.authenticationProvider(new TransientAuthenticationProvider());
|
||||
}
|
||||
}
|
||||
|
||||
@EnableWebSecurity
|
||||
static class AlwaysCreateSessionConfig extends WithTransientAuthenticationConfig {
|
||||
@Override
|
||||
protected void configure(HttpSecurity http) throws Exception {
|
||||
http
|
||||
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.ALWAYS);
|
||||
}
|
||||
}
|
||||
|
||||
static class TransientAuthenticationProvider implements AuthenticationProvider {
|
||||
|
||||
@Override
|
||||
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
|
||||
return new SomeTransientAuthentication();
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean supports(Class<?> authentication) {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
|
||||
@TransientAuthentication
|
||||
static class SomeTransientAuthentication extends AbstractAuthenticationToken {
|
||||
SomeTransientAuthentication() {
|
||||
super(null);
|
||||
}
|
||||
|
||||
@Override
|
||||
public Object getCredentials() {
|
||||
return null;
|
||||
}
|
||||
|
||||
@Override
|
||||
public Object getPrincipal() {
|
||||
return null;
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,98 @@
|
||||
/*
|
||||
* Copyright 2002-2018 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
package org.springframework.security.config.http;
|
||||
|
||||
import org.junit.Rule;
|
||||
import org.junit.Test;
|
||||
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.security.authentication.AbstractAuthenticationToken;
|
||||
import org.springframework.security.authentication.AuthenticationProvider;
|
||||
import org.springframework.security.config.test.SpringTestRule;
|
||||
import org.springframework.security.core.Authentication;
|
||||
import org.springframework.security.core.AuthenticationException;
|
||||
import org.springframework.security.core.TransientAuthentication;
|
||||
import org.springframework.test.web.servlet.MockMvc;
|
||||
import org.springframework.test.web.servlet.MvcResult;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
|
||||
|
||||
/**
|
||||
* @author Josh Cummings
|
||||
*/
|
||||
public class SessionManagementConfigTransientAuthenticationTests {
|
||||
private static final String CONFIG_LOCATION_PREFIX =
|
||||
"classpath:org/springframework/security/config/http/SessionManagementConfigTransientAuthenticationTests";
|
||||
|
||||
@Autowired
|
||||
MockMvc mvc;
|
||||
|
||||
@Rule
|
||||
public final SpringTestRule spring = new SpringTestRule();
|
||||
|
||||
@Test
|
||||
public void postWhenTransientAuthenticationThenNoSessionCreated()
|
||||
throws Exception {
|
||||
|
||||
this.spring.configLocations(this.xml("WithTransientAuthentication")).autowire();
|
||||
MvcResult result = this.mvc.perform(post("/login")).andReturn();
|
||||
assertThat(result.getRequest().getSession(false)).isNull();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void postWhenTransientAuthenticationThenAlwaysSessionOverrides()
|
||||
throws Exception {
|
||||
|
||||
this.spring.configLocations(this.xml("CreateSessionAlwaysWithTransientAuthentication")).autowire();
|
||||
MvcResult result = this.mvc.perform(post("/login")).andReturn();
|
||||
assertThat(result.getRequest().getSession(false)).isNotNull();
|
||||
}
|
||||
|
||||
static class TransientAuthenticationProvider implements AuthenticationProvider {
|
||||
|
||||
@Override
|
||||
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
|
||||
return new SomeTransientAuthentication();
|
||||
}
|
||||
|
||||
@Override
|
||||
public boolean supports(Class<?> authentication) {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
|
||||
@TransientAuthentication
|
||||
static class SomeTransientAuthentication extends AbstractAuthenticationToken {
|
||||
SomeTransientAuthentication() {
|
||||
super(null);
|
||||
}
|
||||
|
||||
@Override
|
||||
public Object getCredentials() {
|
||||
return null;
|
||||
}
|
||||
|
||||
@Override
|
||||
public Object getPrincipal() {
|
||||
return null;
|
||||
}
|
||||
}
|
||||
|
||||
private String xml(String configName) {
|
||||
return CONFIG_LOCATION_PREFIX + "-" + configName + ".xml";
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user