Default Require Explicit Session Management = true
Closes gh-11763
This commit is contained in:
@@ -58,7 +58,6 @@ import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
|
||||
import org.springframework.security.web.header.HeaderWriterFilter;
|
||||
import org.springframework.security.web.savedrequest.RequestCacheAwareFilter;
|
||||
import org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter;
|
||||
import org.springframework.security.web.session.SessionManagementFilter;
|
||||
import org.springframework.security.web.util.matcher.AnyRequestMatcher;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
@@ -112,7 +111,6 @@ public class DefaultFiltersTests {
|
||||
assertThat(classes.contains(RequestCacheAwareFilter.class)).isTrue();
|
||||
assertThat(classes.contains(SecurityContextHolderAwareRequestFilter.class)).isTrue();
|
||||
assertThat(classes.contains(AnonymousAuthenticationFilter.class)).isTrue();
|
||||
assertThat(classes.contains(SessionManagementFilter.class)).isTrue();
|
||||
assertThat(classes.contains(ExceptionTranslationFilter.class)).isTrue();
|
||||
assertThat(classes.contains(FilterSecurityInterceptor.class)).isTrue();
|
||||
}
|
||||
|
||||
@@ -258,6 +258,17 @@ public class NamespaceSessionManagementTests {
|
||||
@EnableWebSecurity
|
||||
static class SessionManagementConfig extends WebSecurityConfigurerAdapter {
|
||||
|
||||
@Override
|
||||
protected void configure(HttpSecurity http) throws Exception {
|
||||
// @formatter:off
|
||||
super.configure(http);
|
||||
http
|
||||
.sessionManagement((sessions) -> sessions
|
||||
.requireExplicitAuthenticationStrategy(false)
|
||||
);
|
||||
// @formatter:on
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@Configuration
|
||||
@@ -364,6 +375,7 @@ public class NamespaceSessionManagementTests {
|
||||
// @formatter:off
|
||||
http
|
||||
.sessionManagement()
|
||||
.requireExplicitAuthenticationStrategy(false)
|
||||
.and()
|
||||
.httpBasic();
|
||||
// @formatter:on
|
||||
@@ -379,8 +391,9 @@ public class NamespaceSessionManagementTests {
|
||||
protected void configure(HttpSecurity http) throws Exception {
|
||||
// @formatter:off
|
||||
http
|
||||
.sessionManagement()
|
||||
.and()
|
||||
.sessionManagement((sessions) -> sessions
|
||||
.requireExplicitAuthenticationStrategy(false)
|
||||
)
|
||||
.httpBasic();
|
||||
// @formatter:on
|
||||
}
|
||||
@@ -400,9 +413,10 @@ public class NamespaceSessionManagementTests {
|
||||
protected void configure(HttpSecurity http) throws Exception {
|
||||
// @formatter:off
|
||||
http
|
||||
.sessionManagement()
|
||||
.sessionManagement((sessions) -> sessions
|
||||
.sessionFixation().newSession()
|
||||
.and()
|
||||
.requireExplicitAuthenticationStrategy(false)
|
||||
)
|
||||
.httpBasic();
|
||||
// @formatter:on
|
||||
}
|
||||
|
||||
@@ -451,6 +451,7 @@ public class SessionManagementConfigurerTests {
|
||||
http
|
||||
.sessionManagement((sessionManagement) ->
|
||||
sessionManagement
|
||||
.requireExplicitAuthenticationStrategy(false)
|
||||
.sessionFixation((sessionFixation) ->
|
||||
sessionFixation.newSession()
|
||||
)
|
||||
@@ -583,9 +584,12 @@ public class SessionManagementConfigurerTests {
|
||||
static AuthenticationTrustResolver TR;
|
||||
|
||||
@Override
|
||||
protected void configure(HttpSecurity http) {
|
||||
protected void configure(HttpSecurity http) throws Exception {
|
||||
// @formatter:off
|
||||
http
|
||||
.sessionManagement((sessions) -> sessions
|
||||
.requireExplicitAuthenticationStrategy(false)
|
||||
)
|
||||
.setSharedObject(AuthenticationTrustResolver.class, TR);
|
||||
// @formatter:on
|
||||
}
|
||||
|
||||
@@ -60,6 +60,8 @@ public class DeferHttpSessionXmlConfigTests {
|
||||
|
||||
this.springSecurityFilterChain.doFilter(mockRequest, response, chain);
|
||||
|
||||
verify(mockRequest, never()).isRequestedSessionIdValid();
|
||||
verify(mockRequest, never()).changeSessionId();
|
||||
verify(mockRequest, never()).getSession(anyBoolean());
|
||||
verify(mockRequest, never()).getSession();
|
||||
}
|
||||
|
||||
@@ -106,7 +106,6 @@ import org.springframework.security.web.savedrequest.RequestCache;
|
||||
import org.springframework.security.web.savedrequest.RequestCacheAwareFilter;
|
||||
import org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter;
|
||||
import org.springframework.security.web.session.DisableEncodeUrlFilter;
|
||||
import org.springframework.security.web.session.SessionManagementFilter;
|
||||
import org.springframework.test.web.servlet.MockMvc;
|
||||
import org.springframework.test.web.servlet.MvcResult;
|
||||
import org.springframework.test.web.servlet.request.MockHttpServletRequestBuilder;
|
||||
@@ -479,8 +478,6 @@ public class MiscHttpConfigTests {
|
||||
.andReturn();
|
||||
// @formatter:on
|
||||
assertThat(result.getRequest().getSession(false)).isNotNull();
|
||||
verify(repository, atLeastOnce()).saveContext(any(SecurityContext.class), any(HttpServletRequest.class),
|
||||
any(HttpServletResponse.class));
|
||||
}
|
||||
|
||||
@Test
|
||||
@@ -851,7 +848,6 @@ public class MiscHttpConfigTests {
|
||||
assertThat(filters.next()).isInstanceOf(RequestCacheAwareFilter.class);
|
||||
assertThat(filters.next()).isInstanceOf(SecurityContextHolderAwareRequestFilter.class);
|
||||
assertThat(filters.next()).isInstanceOf(AnonymousAuthenticationFilter.class);
|
||||
assertThat(filters.next()).isInstanceOf(SessionManagementFilter.class);
|
||||
assertThat(filters.next()).isInstanceOf(ExceptionTranslationFilter.class);
|
||||
assertThat(filters.next()).isInstanceOf(FilterSecurityInterceptor.class)
|
||||
.hasFieldOrPropertyWithValue("observeOncePerRequest", false);
|
||||
|
||||
Reference in New Issue
Block a user