Default Require Explicit Session Management = true

Closes gh-11763
This commit is contained in:
Rob Winch
2022-09-30 15:06:29 -05:00
parent 0d58c5180e
commit 4479cefade
20 changed files with 105 additions and 39 deletions

View File

@@ -58,7 +58,6 @@ import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
import org.springframework.security.web.header.HeaderWriterFilter;
import org.springframework.security.web.savedrequest.RequestCacheAwareFilter;
import org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter;
import org.springframework.security.web.session.SessionManagementFilter;
import org.springframework.security.web.util.matcher.AnyRequestMatcher;
import static org.assertj.core.api.Assertions.assertThat;
@@ -112,7 +111,6 @@ public class DefaultFiltersTests {
assertThat(classes.contains(RequestCacheAwareFilter.class)).isTrue();
assertThat(classes.contains(SecurityContextHolderAwareRequestFilter.class)).isTrue();
assertThat(classes.contains(AnonymousAuthenticationFilter.class)).isTrue();
assertThat(classes.contains(SessionManagementFilter.class)).isTrue();
assertThat(classes.contains(ExceptionTranslationFilter.class)).isTrue();
assertThat(classes.contains(FilterSecurityInterceptor.class)).isTrue();
}

View File

@@ -258,6 +258,17 @@ public class NamespaceSessionManagementTests {
@EnableWebSecurity
static class SessionManagementConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
// @formatter:off
super.configure(http);
http
.sessionManagement((sessions) -> sessions
.requireExplicitAuthenticationStrategy(false)
);
// @formatter:on
}
}
@Configuration
@@ -364,6 +375,7 @@ public class NamespaceSessionManagementTests {
// @formatter:off
http
.sessionManagement()
.requireExplicitAuthenticationStrategy(false)
.and()
.httpBasic();
// @formatter:on
@@ -379,8 +391,9 @@ public class NamespaceSessionManagementTests {
protected void configure(HttpSecurity http) throws Exception {
// @formatter:off
http
.sessionManagement()
.and()
.sessionManagement((sessions) -> sessions
.requireExplicitAuthenticationStrategy(false)
)
.httpBasic();
// @formatter:on
}
@@ -400,9 +413,10 @@ public class NamespaceSessionManagementTests {
protected void configure(HttpSecurity http) throws Exception {
// @formatter:off
http
.sessionManagement()
.sessionManagement((sessions) -> sessions
.sessionFixation().newSession()
.and()
.requireExplicitAuthenticationStrategy(false)
)
.httpBasic();
// @formatter:on
}

View File

@@ -451,6 +451,7 @@ public class SessionManagementConfigurerTests {
http
.sessionManagement((sessionManagement) ->
sessionManagement
.requireExplicitAuthenticationStrategy(false)
.sessionFixation((sessionFixation) ->
sessionFixation.newSession()
)
@@ -583,9 +584,12 @@ public class SessionManagementConfigurerTests {
static AuthenticationTrustResolver TR;
@Override
protected void configure(HttpSecurity http) {
protected void configure(HttpSecurity http) throws Exception {
// @formatter:off
http
.sessionManagement((sessions) -> sessions
.requireExplicitAuthenticationStrategy(false)
)
.setSharedObject(AuthenticationTrustResolver.class, TR);
// @formatter:on
}

View File

@@ -60,6 +60,8 @@ public class DeferHttpSessionXmlConfigTests {
this.springSecurityFilterChain.doFilter(mockRequest, response, chain);
verify(mockRequest, never()).isRequestedSessionIdValid();
verify(mockRequest, never()).changeSessionId();
verify(mockRequest, never()).getSession(anyBoolean());
verify(mockRequest, never()).getSession();
}

View File

@@ -106,7 +106,6 @@ import org.springframework.security.web.savedrequest.RequestCache;
import org.springframework.security.web.savedrequest.RequestCacheAwareFilter;
import org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter;
import org.springframework.security.web.session.DisableEncodeUrlFilter;
import org.springframework.security.web.session.SessionManagementFilter;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.MvcResult;
import org.springframework.test.web.servlet.request.MockHttpServletRequestBuilder;
@@ -479,8 +478,6 @@ public class MiscHttpConfigTests {
.andReturn();
// @formatter:on
assertThat(result.getRequest().getSession(false)).isNotNull();
verify(repository, atLeastOnce()).saveContext(any(SecurityContext.class), any(HttpServletRequest.class),
any(HttpServletResponse.class));
}
@Test
@@ -851,7 +848,6 @@ public class MiscHttpConfigTests {
assertThat(filters.next()).isInstanceOf(RequestCacheAwareFilter.class);
assertThat(filters.next()).isInstanceOf(SecurityContextHolderAwareRequestFilter.class);
assertThat(filters.next()).isInstanceOf(AnonymousAuthenticationFilter.class);
assertThat(filters.next()).isInstanceOf(SessionManagementFilter.class);
assertThat(filters.next()).isInstanceOf(ExceptionTranslationFilter.class);
assertThat(filters.next()).isInstanceOf(FilterSecurityInterceptor.class)
.hasFieldOrPropertyWithValue("observeOncePerRequest", false);