SEC-1587: Add explicit call to removeAttribute() to remove the context from the session if the current context is empty or anonymous.

Allows for the situation where a user is logged out without invalidating the session.
This commit is contained in:
Luke Taylor
2010-11-09 13:55:45 +00:00
parent 7754882ba9
commit 8b51c2c97d
2 changed files with 41 additions and 6 deletions

View File

@@ -170,6 +170,35 @@ public class HttpSessionSecurityContextRepositoryTests {
assertNull(request.getSession(false));
}
// SEC-1587
@Test
public void contextIsRemovedFromSessionIfCurrentContextIsAnonymous() throws Exception {
HttpSessionSecurityContextRepository repo = new HttpSessionSecurityContextRepository();
MockHttpServletRequest request = new MockHttpServletRequest();
SecurityContext ctxInSession = SecurityContextHolder.createEmptyContext();
ctxInSession.setAuthentication(testToken);
request.getSession().setAttribute(SPRING_SECURITY_CONTEXT_KEY, ctxInSession);
HttpRequestResponseHolder holder = new HttpRequestResponseHolder(request, new MockHttpServletResponse());
repo.loadContext(holder);
SecurityContextHolder.getContext().setAuthentication(new AnonymousAuthenticationToken("x","x", testToken.getAuthorities()));
repo.saveContext(SecurityContextHolder.getContext(), holder.getRequest(), holder.getResponse());
assertNull(request.getSession().getAttribute(SPRING_SECURITY_CONTEXT_KEY));
}
@Test
public void contextIsRemovedFromSessionIfCurrentContextIsEmpty() throws Exception {
HttpSessionSecurityContextRepository repo = new HttpSessionSecurityContextRepository();
MockHttpServletRequest request = new MockHttpServletRequest();
SecurityContext ctxInSession = SecurityContextHolder.createEmptyContext();
ctxInSession.setAuthentication(testToken);
request.getSession().setAttribute(SPRING_SECURITY_CONTEXT_KEY, ctxInSession);
HttpRequestResponseHolder holder = new HttpRequestResponseHolder(request, new MockHttpServletResponse());
repo.loadContext(holder);
// Save an empty context
repo.saveContext(SecurityContextHolder.getContext(), holder.getRequest(), holder.getResponse());
assertNull(request.getSession().getAttribute(SPRING_SECURITY_CONTEXT_KEY));
}
@Test
@SuppressWarnings("deprecation")
public void sessionDisableUrlRewritingPreventsSessionIdBeingWrittenToUrl() throws Exception {