SEC-1211: Create strategy for session handling on successful authentication. Added AuthenticatedSessionStrategy interface and default implementation which encapsulates the functionality that was previously in SessionFixationProtectionFilter and AbstractAuthentictationProcessingFilter. Updated the namespace to make use of these.

This commit is contained in:
Luke Taylor
2009-07-28 18:00:24 +00:00
parent 4a12b80470
commit db90122179
12 changed files with 372 additions and 194 deletions

View File

@@ -50,6 +50,7 @@ import org.springframework.security.web.authentication.SavedRequestAwareAuthenti
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
import org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices;
import org.springframework.security.web.savedrequest.SavedRequest;
import org.springframework.security.web.session.AuthenticatedSessionStrategy;
/**
@@ -239,6 +240,7 @@ public class AbstractProcessingFilterTests extends TestCase {
MockAbstractProcessingFilter filter = new MockAbstractProcessingFilter(true);
filter.setFilterProcessesUrl("/j_mock_post");
filter.setAuthenticatedSessionStrategy(mock(AuthenticatedSessionStrategy.class));
filter.setAuthenticationSuccessHandler(successHandler);
filter.setAuthenticationFailureHandler(failureHandler);
filter.setAuthenticationManager(mock(AuthenticationManager.class));
@@ -390,48 +392,6 @@ public class AbstractProcessingFilterTests extends TestCase {
assertNotNull(SecurityContextHolder.getContext().getAuthentication());
}
public void testNewSessionIsCreatedIfInvalidateSessionOnSuccessfulAuthenticationIsSet() throws Exception {
MockHttpServletRequest request = createMockRequest();
HttpSession oldSession = request.getSession();
oldSession.setAttribute("test","test");
MockFilterConfig config = new MockFilterConfig(null, null);
MockFilterChain chain = new MockFilterChain(true);
MockHttpServletResponse response = new MockHttpServletResponse();
// Setup our test object, to grant access
MockAbstractProcessingFilter filter = new MockAbstractProcessingFilter(true);
filter.setInvalidateSessionOnSuccessfulAuthentication(true);
successHandler.setDefaultTargetUrl("http://monkeymachine.co.uk/");
filter.setAuthenticationSuccessHandler(successHandler);
executeFilterInContainerSimulator(config, filter, request, response, chain);
HttpSession newSession = request.getSession();
assertFalse(newSession.getId().equals(oldSession.getId()));
assertEquals("test", newSession.getAttribute("test"));
}
public void testAttributesAreNotMigratedToNewlyCreatedSessionIfMigrateAttributesIsFalse() throws Exception {
MockHttpServletRequest request = createMockRequest();
HttpSession oldSession = request.getSession();
MockFilterConfig config = new MockFilterConfig(null, null);
MockFilterChain chain = new MockFilterChain(true);
MockHttpServletResponse response = new MockHttpServletResponse();
MockAbstractProcessingFilter filter = new MockAbstractProcessingFilter(true);
filter.setInvalidateSessionOnSuccessfulAuthentication(true);
filter.setMigrateInvalidatedSessionAttributes(false);
successHandler.setDefaultTargetUrl("http://monkeymachine.co.uk/");
filter.setAuthenticationSuccessHandler(successHandler);
executeFilterInContainerSimulator(config, filter, request, response, chain);
HttpSession newSession = request.getSession();
assertFalse(newSession.getId().equals(oldSession.getId()));
assertNull(newSession.getAttribute("test"));
}
/**
* SEC-571
*/

View File

@@ -0,0 +1,41 @@
package org.springframework.security.web.session;
import static org.junit.Assert.*;
import static org.mockito.Mockito.mock;
import javax.servlet.http.HttpServletRequest;
import org.junit.Test;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.core.Authentication;
/**
*
* @author Luke Taylor
* @version $Id$
*/
public class DefaultAuthenticatedSessionStrategyTests {
@Test
public void newSessionShouldNotBeCreatedIfNoSessionExistsAndAlwaysCreateIsFalse() throws Exception {
DefaultAuthenticatedSessionStrategy strategy = new DefaultAuthenticatedSessionStrategy();
HttpServletRequest request = new MockHttpServletRequest();
strategy.onAuthenticationSuccess(mock(Authentication.class), request, new MockHttpServletResponse());
assertNull(request.getSession(false));
}
@Test
public void newSessionIsCreatedIfSessionAlreadyExists() throws Exception {
DefaultAuthenticatedSessionStrategy strategy = new DefaultAuthenticatedSessionStrategy();
HttpServletRequest request = new MockHttpServletRequest();
String sessionId = request.getSession().getId();
strategy.onAuthenticationSuccess(mock(Authentication.class), request, new MockHttpServletResponse());
assertFalse(sessionId.equals(request.getSession().getId()));
}
}

View File

@@ -1,8 +1,11 @@
package org.springframework.security.web.session;
import static org.junit.Assert.*;
import static org.mockito.Matchers.any;
import static org.mockito.Mockito.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.junit.After;
import org.junit.Test;
@@ -10,9 +13,9 @@ import org.springframework.mock.web.MockFilterChain;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.session.SessionFixationProtectionFilter;
import org.springframework.security.web.context.SecurityContextRepository;
/**
*
@@ -26,32 +29,10 @@ public class SessionFixationProtectionFilterTests {
SecurityContextHolder.clearContext();
}
@Test
public void newSessionShouldNotBeCreatedIfNoSessionExists() throws Exception {
SessionFixationProtectionFilter filter = new SessionFixationProtectionFilter();
HttpServletRequest request = new MockHttpServletRequest();
authenticateUser();
filter.doFilter(request, new MockHttpServletResponse(), new MockFilterChain());
assertNull(request.getSession(false));
}
@Test
public void newSessionBeCreatedIfAuthenticatedOccurredDuringRequest() throws Exception {
SessionFixationProtectionFilter filter = new SessionFixationProtectionFilter();
HttpServletRequest request = new MockHttpServletRequest();
String sessionId = request.getSession().getId();
authenticateUser();
filter.doFilter(request, new MockHttpServletResponse(), new MockFilterChain());
assertFalse(sessionId.equals(request.getSession().getId()));
}
@Test
public void newSessionShouldNotBeCreatedIfSessionExistsAndUserIsNotAuthenticated() throws Exception {
SessionFixationProtectionFilter filter = new SessionFixationProtectionFilter();
SecurityContextRepository repo = mock(SecurityContextRepository.class);
SessionFixationProtectionFilter filter = new SessionFixationProtectionFilter(repo);
HttpServletRequest request = new MockHttpServletRequest();
String sessionId = request.getSession().getId();
@@ -61,17 +42,47 @@ public class SessionFixationProtectionFilterTests {
}
@Test
public void newSessionShouldNotBeCreatedIfUserIsAlreadyAuthenticated() throws Exception {
SessionFixationProtectionFilter filter = new SessionFixationProtectionFilter();
public void strategyIsNotInvokedIfSecurityContextAlreadyExistsForRequest() throws Exception {
SecurityContextRepository repo = mock(SecurityContextRepository.class);
AuthenticatedSessionStrategy strategy = mock(AuthenticatedSessionStrategy.class);
// mock that repo contains a security context
when(repo.containsContext(any(HttpServletRequest.class))).thenReturn(true);
SessionFixationProtectionFilter filter = new SessionFixationProtectionFilter(repo);
filter.setAuthenticatedSessionStrategy(strategy);
HttpServletRequest request = new MockHttpServletRequest();
String sessionId = request.getSession().getId();
authenticateUser();
request.getSession().setAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY,
SecurityContextHolder.getContext());
filter.doFilter(request, new MockHttpServletResponse(), new MockFilterChain());
assertEquals(sessionId, request.getSession().getId());
verifyZeroInteractions(strategy);
}
@Test
public void strategyIsNotInvokedIfAuthenticationIsNull() throws Exception {
SecurityContextRepository repo = mock(SecurityContextRepository.class);
AuthenticatedSessionStrategy strategy = mock(AuthenticatedSessionStrategy.class);
SessionFixationProtectionFilter filter = new SessionFixationProtectionFilter(repo);
filter.setAuthenticatedSessionStrategy(strategy);
HttpServletRequest request = new MockHttpServletRequest();
filter.doFilter(request, new MockHttpServletResponse(), new MockFilterChain());
verifyZeroInteractions(strategy);
}
@Test
public void strategyIsInvokedIfUserIsNewlyAuthenticated() throws Exception {
SecurityContextRepository repo = mock(SecurityContextRepository.class);
// repo will return false to containsContext()
AuthenticatedSessionStrategy strategy = mock(AuthenticatedSessionStrategy.class);
SessionFixationProtectionFilter filter = new SessionFixationProtectionFilter(repo);
filter.setAuthenticatedSessionStrategy(strategy);
HttpServletRequest request = new MockHttpServletRequest();
authenticateUser();
filter.doFilter(request, new MockHttpServletResponse(), new MockFilterChain());
verify(strategy).onAuthenticationSuccess(any(Authentication.class), any(HttpServletRequest.class), any(HttpServletResponse.class));
}
private void authenticateUser() {