Merge branch '5.7.x' into 5.8.x

This commit is contained in:
Marcus Da Coregio
2023-04-17 07:16:47 -03:00
7 changed files with 241 additions and 13 deletions

View File

@@ -1,5 +1,5 @@
/*
* Copyright 2002-2016 the original author or authors.
* Copyright 2002-2023 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -27,12 +27,19 @@ import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextRepository;
import org.springframework.test.util.ReflectionTestUtils;
import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.ArgumentMatchers.eq;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.verify;
/**
* @author Rob Winch
*
*/
public class SecurityContextLogoutHandlerTests {
@@ -76,4 +83,35 @@ public class SecurityContextLogoutHandlerTests {
assertThat(beforeContext.getAuthentication()).isSameAs(beforeAuthentication);
}
@Test
public void logoutWhenSecurityContextRepositoryThenSaveEmptyContext() {
SecurityContextRepository repository = mock(SecurityContextRepository.class);
this.handler.setSecurityContextRepository(repository);
this.handler.logout(this.request, this.response, SecurityContextHolder.getContext().getAuthentication());
verify(repository).saveContext(eq(SecurityContextHolder.createEmptyContext()), any(), any());
}
@Test
public void logoutWhenClearAuthenticationFalseThenSaveEmptyContext() {
SecurityContextRepository repository = mock(SecurityContextRepository.class);
this.handler.setSecurityContextRepository(repository);
this.handler.setClearAuthentication(false);
this.handler.logout(this.request, this.response, SecurityContextHolder.getContext().getAuthentication());
verify(repository).saveContext(eq(SecurityContextHolder.createEmptyContext()), any(), any());
}
@Test
public void constructorWhenDefaultSecurityContextRepositoryThenHttpSessionSecurityContextRepository() {
SecurityContextRepository securityContextRepository = (SecurityContextRepository) ReflectionTestUtils
.getField(this.handler, "securityContextRepository");
assertThat(securityContextRepository).isInstanceOf(HttpSessionSecurityContextRepository.class);
}
@Test
public void setSecurityContextRepositoryWhenNullThenException() {
assertThatExceptionOfType(IllegalArgumentException.class)
.isThrownBy(() -> this.handler.setSecurityContextRepository(null))
.withMessage("securityContextRepository cannot be null");
}
}

View File

@@ -1,5 +1,5 @@
/*
* Copyright 2002-2022 the original author or authors.
* Copyright 2002-2023 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@@ -53,6 +53,7 @@ import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.context.SecurityContextImpl;
import org.springframework.security.core.context.TransientSecurityContext;
import org.springframework.security.core.userdetails.PasswordEncodedUser;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
@@ -763,6 +764,53 @@ public class HttpSessionSecurityContextRepositoryTests {
assertThat(session).isNull();
}
@Test
public void saveContextWhenSecurityContextEmptyThenRemoveAttributeFromSession() {
HttpSessionSecurityContextRepository repo = new HttpSessionSecurityContextRepository();
MockHttpServletRequest request = new MockHttpServletRequest();
MockHttpServletResponse response = new MockHttpServletResponse();
SecurityContext emptyContext = SecurityContextHolder.createEmptyContext();
MockHttpSession session = (MockHttpSession) request.getSession(true);
session.setAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY, emptyContext);
repo.saveContext(emptyContext, request, response);
Object attributeAfterSave = session
.getAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY);
assertThat(attributeAfterSave).isNull();
}
@Test
public void saveContextWhenSecurityContextEmptyAndNoSessionThenDoesNotCreateSession() {
HttpSessionSecurityContextRepository repo = new HttpSessionSecurityContextRepository();
MockHttpServletRequest request = new MockHttpServletRequest();
MockHttpServletResponse response = new MockHttpServletResponse();
SecurityContext emptyContext = SecurityContextHolder.createEmptyContext();
repo.saveContext(emptyContext, request, response);
assertThat(request.getSession(false)).isNull();
}
@Test
public void saveContextWhenSecurityContextThenSaveInSession() {
HttpSessionSecurityContextRepository repo = new HttpSessionSecurityContextRepository();
MockHttpServletRequest request = new MockHttpServletRequest();
MockHttpServletResponse response = new MockHttpServletResponse();
SecurityContext context = createSecurityContext(PasswordEncodedUser.user());
repo.saveContext(context, request, response);
Object savedContext = request.getSession()
.getAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY);
assertThat(savedContext).isEqualTo(context);
}
@Test
public void saveContextWhenTransientAuthenticationThenDoNotSave() {
HttpSessionSecurityContextRepository repo = new HttpSessionSecurityContextRepository();
MockHttpServletRequest request = new MockHttpServletRequest();
MockHttpServletResponse response = new MockHttpServletResponse();
SecurityContext context = SecurityContextHolder.createEmptyContext();
context.setAuthentication(new SomeTransientAuthentication());
repo.saveContext(context, request, response);
assertThat(request.getSession(false)).isNull();
}
private SecurityContext createSecurityContext(UserDetails userDetails) {
UsernamePasswordAuthenticationToken token = UsernamePasswordAuthenticationToken.authenticated(userDetails,
userDetails.getPassword(), userDetails.getAuthorities());