diff --git a/web/src/main/java/org/springframework/security/web/authentication/session/SessionFixationProtectionStrategy.java b/web/src/main/java/org/springframework/security/web/authentication/session/SessionFixationProtectionStrategy.java index eab586e9aa..271b857a9a 100644 --- a/web/src/main/java/org/springframework/security/web/authentication/session/SessionFixationProtectionStrategy.java +++ b/web/src/main/java/org/springframework/security/web/authentication/session/SessionFixationProtectionStrategy.java @@ -214,7 +214,16 @@ public class SessionFixationProtectionStrategy implements SessionAuthenticationS return attributesToMigrate; } + /** + * Sets the {@link ApplicationEventPublisher} to use for submitting + * {@link SessionFixationProtectionEvent}. The default is to not submit the + * {@link SessionFixationProtectionEvent}. + * + * @param applicationEventPublisher + * the {@link ApplicationEventPublisher}. Cannot be null. + */ public void setApplicationEventPublisher(ApplicationEventPublisher applicationEventPublisher) { + Assert.notNull(applicationEventPublisher, "applicationEventPublisher cannot be null"); this.applicationEventPublisher = applicationEventPublisher; } diff --git a/web/src/test/java/org/springframework/security/web/authentication/session/ConcurrentSessionControlStrategyTests.java b/web/src/test/java/org/springframework/security/web/authentication/session/ConcurrentSessionControlStrategyTests.java index 2949d25c5a..ac591513d1 100644 --- a/web/src/test/java/org/springframework/security/web/authentication/session/ConcurrentSessionControlStrategyTests.java +++ b/web/src/test/java/org/springframework/security/web/authentication/session/ConcurrentSessionControlStrategyTests.java @@ -103,4 +103,14 @@ public class ConcurrentSessionControlStrategyTests { assertEquals(request.getSession().getId(), event.getNewSessionId()); assertSame(authentication, event.getAuthentication()); } + + @Test(expected=IllegalArgumentException.class) + public void setApplicationEventPublisherForbidsNulls() { + strategy.setApplicationEventPublisher(null); + } + + @Test + public void onAuthenticationNoExceptionWhenRequireApplicationEventPublisherSet() { + strategy.onAuthentication(authentication, request, response); + } }