SEC-3070: Logout invalidate-session=false and Spring Session doesn't
work
This commit is contained in:
@@ -501,6 +501,24 @@ public class HttpSessionSecurityContextRepositoryTests {
|
||||
request.getSession().getAttribute(SPRING_SECURITY_CONTEXT_KEY));
|
||||
}
|
||||
|
||||
// SEC-3070
|
||||
@Test
|
||||
public void logoutInvalidateSessionFalseFails() throws Exception {
|
||||
HttpSessionSecurityContextRepository repo = new HttpSessionSecurityContextRepository();
|
||||
MockHttpServletRequest request = new MockHttpServletRequest();
|
||||
SecurityContext ctxInSession = SecurityContextHolder.createEmptyContext();
|
||||
ctxInSession.setAuthentication(testToken);
|
||||
request.getSession().setAttribute(SPRING_SECURITY_CONTEXT_KEY, ctxInSession);
|
||||
|
||||
HttpRequestResponseHolder holder = new HttpRequestResponseHolder(request, new MockHttpServletResponse());
|
||||
repo.loadContext(holder);
|
||||
|
||||
ctxInSession.setAuthentication(null);
|
||||
repo.saveContext(ctxInSession, holder.getRequest(), holder.getResponse());
|
||||
|
||||
assertNull(request.getSession().getAttribute(SPRING_SECURITY_CONTEXT_KEY));
|
||||
}
|
||||
|
||||
@Test
|
||||
@SuppressWarnings("deprecation")
|
||||
public void sessionDisableUrlRewritingPreventsSessionIdBeingWrittenToUrl()
|
||||
@@ -600,4 +618,4 @@ public class HttpSessionSecurityContextRepositoryTests {
|
||||
|
||||
repo.saveContext(context, request, response);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user