SEC-1315: Modify HttpSessionSecurityContextRepository to check for anonymous token before creating a session. Moved the anonymity check to be before the session creation.

This commit is contained in:
Luke Taylor
2009-12-06 15:28:03 +00:00
parent aee6b8f3f9
commit b27d7afd24
2 changed files with 28 additions and 12 deletions

View File

@@ -5,8 +5,10 @@ import static org.junit.Assert.*;
import org.junit.Test;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.context.HttpRequestResponseHolder;
@@ -146,6 +148,20 @@ public class HttpSessionSecurityContextRepositoryTests {
assertNull(request.getSession(false));
}
// SEC-1315
@Test
public void noSessionIsCreatedIfAnonymousTokenIsUsed() throws Exception {
HttpSessionSecurityContextRepository repo = new HttpSessionSecurityContextRepository();
MockHttpServletRequest request = new MockHttpServletRequest();
MockHttpServletResponse response = new MockHttpServletResponse();
HttpRequestResponseHolder holder = new HttpRequestResponseHolder(request, response);
SecurityContextHolder.setContext(repo.loadContext(holder));
SecurityContextHolder.getContext().setAuthentication(
new AnonymousAuthenticationToken("key", "anon", AuthorityUtils.createAuthorityList("ANON")));
repo.saveContext(SecurityContextHolder.getContext(), holder.getRequest(), holder.getResponse());
assertNull(request.getSession(false));
}
@Test
@Deprecated
public void settingCloneFromContextLoadsClonedContextObject() throws Exception {