SEC-3070: Logout invalidate-session=false and Spring Session doesn't

work
This commit is contained in:
Rob Winch
2015-10-20 14:58:57 -05:00
parent 3925ed90c4
commit cda6532c43
2 changed files with 20 additions and 2 deletions

View File

@@ -501,6 +501,24 @@ public class HttpSessionSecurityContextRepositoryTests {
request.getSession().getAttribute(SPRING_SECURITY_CONTEXT_KEY));
}
// SEC-3070
@Test
public void logoutInvalidateSessionFalseFails() throws Exception {
HttpSessionSecurityContextRepository repo = new HttpSessionSecurityContextRepository();
MockHttpServletRequest request = new MockHttpServletRequest();
SecurityContext ctxInSession = SecurityContextHolder.createEmptyContext();
ctxInSession.setAuthentication(testToken);
request.getSession().setAttribute(SPRING_SECURITY_CONTEXT_KEY, ctxInSession);
HttpRequestResponseHolder holder = new HttpRequestResponseHolder(request, new MockHttpServletResponse());
repo.loadContext(holder);
ctxInSession.setAuthentication(null);
repo.saveContext(ctxInSession, holder.getRequest(), holder.getResponse());
assertNull(request.getSession().getAttribute(SPRING_SECURITY_CONTEXT_KEY));
}
@Test
@SuppressWarnings("deprecation")
public void sessionDisableUrlRewritingPreventsSessionIdBeingWrittenToUrl()
@@ -600,4 +618,4 @@ public class HttpSessionSecurityContextRepositoryTests {
repo.saveContext(context, request, response);
}
}
}