SEC-1142: Support for session timeout detection. Added redirect to invalidSessionUrl in SessionManagementFilter when an invalid session Id is supplied in the request.

This commit is contained in:
Luke Taylor
2009-08-07 17:12:12 +00:00
parent 0f6642d3ab
commit 90d76373cc
2 changed files with 44 additions and 0 deletions

View File

@@ -83,6 +83,33 @@ public class SessionManagementFilterTests {
filter.doFilter(request, new MockHttpServletResponse(), new MockFilterChain());
verify(strategy).onAuthenticationSuccess(any(Authentication.class), any(HttpServletRequest.class), any(HttpServletResponse.class));
// Check that it is only applied once to the request
filter.doFilter(request, new MockHttpServletResponse(), new MockFilterChain());
verifyNoMoreInteractions(strategy);
}
@Test
public void responseIsRedirectedToTimeoutUrlIfSetAndSessionIsInvalid() throws Exception {
SecurityContextRepository repo = mock(SecurityContextRepository.class);
// repo will return false to containsContext()
AuthenticatedSessionStrategy strategy = mock(AuthenticatedSessionStrategy.class);
SessionManagementFilter filter = new SessionManagementFilter(repo);
filter.setAuthenticatedSessionStrategy(strategy);
MockHttpServletRequest request = new MockHttpServletRequest();
request.setRequestedSessionId("xxx");
request.setRequestedSessionIdValid(false);
MockHttpServletResponse response = new MockHttpServletResponse();
filter.doFilter(request, response, new MockFilterChain());
assertNull(response.getRedirectedUrl());
// Now set a redirect URL
request = new MockHttpServletRequest();
request.setRequestedSessionId("xxx");
request.setRequestedSessionIdValid(false);
filter.setInvalidSessionUrl("/timedOut");
filter.doFilter(request, response, new MockFilterChain());
assertEquals("/timedOut", response.getRedirectedUrl());
}
private void authenticateUser() {