SEC-1211: Create strategy for session handling on successful authentication. Added AuthenticatedSessionStrategy interface and default implementation which encapsulates the functionality that was previously in SessionFixationProtectionFilter and AbstractAuthentictationProcessingFilter. Updated the namespace to make use of these.
This commit is contained in:
@@ -50,6 +50,7 @@ import org.springframework.security.web.authentication.SavedRequestAwareAuthenti
|
||||
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
|
||||
import org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices;
|
||||
import org.springframework.security.web.savedrequest.SavedRequest;
|
||||
import org.springframework.security.web.session.AuthenticatedSessionStrategy;
|
||||
|
||||
|
||||
/**
|
||||
@@ -239,6 +240,7 @@ public class AbstractProcessingFilterTests extends TestCase {
|
||||
MockAbstractProcessingFilter filter = new MockAbstractProcessingFilter(true);
|
||||
|
||||
filter.setFilterProcessesUrl("/j_mock_post");
|
||||
filter.setAuthenticatedSessionStrategy(mock(AuthenticatedSessionStrategy.class));
|
||||
filter.setAuthenticationSuccessHandler(successHandler);
|
||||
filter.setAuthenticationFailureHandler(failureHandler);
|
||||
filter.setAuthenticationManager(mock(AuthenticationManager.class));
|
||||
@@ -390,48 +392,6 @@ public class AbstractProcessingFilterTests extends TestCase {
|
||||
assertNotNull(SecurityContextHolder.getContext().getAuthentication());
|
||||
}
|
||||
|
||||
public void testNewSessionIsCreatedIfInvalidateSessionOnSuccessfulAuthenticationIsSet() throws Exception {
|
||||
MockHttpServletRequest request = createMockRequest();
|
||||
HttpSession oldSession = request.getSession();
|
||||
oldSession.setAttribute("test","test");
|
||||
MockFilterConfig config = new MockFilterConfig(null, null);
|
||||
|
||||
MockFilterChain chain = new MockFilterChain(true);
|
||||
MockHttpServletResponse response = new MockHttpServletResponse();
|
||||
|
||||
// Setup our test object, to grant access
|
||||
MockAbstractProcessingFilter filter = new MockAbstractProcessingFilter(true);
|
||||
filter.setInvalidateSessionOnSuccessfulAuthentication(true);
|
||||
successHandler.setDefaultTargetUrl("http://monkeymachine.co.uk/");
|
||||
filter.setAuthenticationSuccessHandler(successHandler);
|
||||
|
||||
executeFilterInContainerSimulator(config, filter, request, response, chain);
|
||||
|
||||
HttpSession newSession = request.getSession();
|
||||
assertFalse(newSession.getId().equals(oldSession.getId()));
|
||||
assertEquals("test", newSession.getAttribute("test"));
|
||||
}
|
||||
|
||||
public void testAttributesAreNotMigratedToNewlyCreatedSessionIfMigrateAttributesIsFalse() throws Exception {
|
||||
MockHttpServletRequest request = createMockRequest();
|
||||
HttpSession oldSession = request.getSession();
|
||||
MockFilterConfig config = new MockFilterConfig(null, null);
|
||||
MockFilterChain chain = new MockFilterChain(true);
|
||||
MockHttpServletResponse response = new MockHttpServletResponse();
|
||||
|
||||
MockAbstractProcessingFilter filter = new MockAbstractProcessingFilter(true);
|
||||
filter.setInvalidateSessionOnSuccessfulAuthentication(true);
|
||||
filter.setMigrateInvalidatedSessionAttributes(false);
|
||||
successHandler.setDefaultTargetUrl("http://monkeymachine.co.uk/");
|
||||
filter.setAuthenticationSuccessHandler(successHandler);
|
||||
|
||||
executeFilterInContainerSimulator(config, filter, request, response, chain);
|
||||
|
||||
HttpSession newSession = request.getSession();
|
||||
assertFalse(newSession.getId().equals(oldSession.getId()));
|
||||
assertNull(newSession.getAttribute("test"));
|
||||
}
|
||||
|
||||
/**
|
||||
* SEC-571
|
||||
*/
|
||||
|
||||
@@ -0,0 +1,41 @@
|
||||
package org.springframework.security.web.session;
|
||||
|
||||
import static org.junit.Assert.*;
|
||||
import static org.mockito.Mockito.mock;
|
||||
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
|
||||
import org.junit.Test;
|
||||
import org.springframework.mock.web.MockHttpServletRequest;
|
||||
import org.springframework.mock.web.MockHttpServletResponse;
|
||||
import org.springframework.security.core.Authentication;
|
||||
|
||||
/**
|
||||
*
|
||||
* @author Luke Taylor
|
||||
* @version $Id$
|
||||
*/
|
||||
public class DefaultAuthenticatedSessionStrategyTests {
|
||||
|
||||
@Test
|
||||
public void newSessionShouldNotBeCreatedIfNoSessionExistsAndAlwaysCreateIsFalse() throws Exception {
|
||||
DefaultAuthenticatedSessionStrategy strategy = new DefaultAuthenticatedSessionStrategy();
|
||||
HttpServletRequest request = new MockHttpServletRequest();
|
||||
|
||||
strategy.onAuthenticationSuccess(mock(Authentication.class), request, new MockHttpServletResponse());
|
||||
|
||||
assertNull(request.getSession(false));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void newSessionIsCreatedIfSessionAlreadyExists() throws Exception {
|
||||
DefaultAuthenticatedSessionStrategy strategy = new DefaultAuthenticatedSessionStrategy();
|
||||
HttpServletRequest request = new MockHttpServletRequest();
|
||||
String sessionId = request.getSession().getId();
|
||||
|
||||
strategy.onAuthenticationSuccess(mock(Authentication.class), request, new MockHttpServletResponse());
|
||||
|
||||
assertFalse(sessionId.equals(request.getSession().getId()));
|
||||
}
|
||||
|
||||
}
|
||||
@@ -1,8 +1,11 @@
|
||||
package org.springframework.security.web.session;
|
||||
|
||||
import static org.junit.Assert.*;
|
||||
import static org.mockito.Matchers.any;
|
||||
import static org.mockito.Mockito.*;
|
||||
|
||||
import javax.servlet.http.HttpServletRequest;
|
||||
import javax.servlet.http.HttpServletResponse;
|
||||
|
||||
import org.junit.After;
|
||||
import org.junit.Test;
|
||||
@@ -10,9 +13,9 @@ import org.springframework.mock.web.MockFilterChain;
|
||||
import org.springframework.mock.web.MockHttpServletRequest;
|
||||
import org.springframework.mock.web.MockHttpServletResponse;
|
||||
import org.springframework.security.authentication.TestingAuthenticationToken;
|
||||
import org.springframework.security.core.Authentication;
|
||||
import org.springframework.security.core.context.SecurityContextHolder;
|
||||
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
|
||||
import org.springframework.security.web.session.SessionFixationProtectionFilter;
|
||||
import org.springframework.security.web.context.SecurityContextRepository;
|
||||
|
||||
/**
|
||||
*
|
||||
@@ -26,32 +29,10 @@ public class SessionFixationProtectionFilterTests {
|
||||
SecurityContextHolder.clearContext();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void newSessionShouldNotBeCreatedIfNoSessionExists() throws Exception {
|
||||
SessionFixationProtectionFilter filter = new SessionFixationProtectionFilter();
|
||||
HttpServletRequest request = new MockHttpServletRequest();
|
||||
authenticateUser();
|
||||
|
||||
filter.doFilter(request, new MockHttpServletResponse(), new MockFilterChain());
|
||||
|
||||
assertNull(request.getSession(false));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void newSessionBeCreatedIfAuthenticatedOccurredDuringRequest() throws Exception {
|
||||
SessionFixationProtectionFilter filter = new SessionFixationProtectionFilter();
|
||||
HttpServletRequest request = new MockHttpServletRequest();
|
||||
String sessionId = request.getSession().getId();
|
||||
authenticateUser();
|
||||
|
||||
filter.doFilter(request, new MockHttpServletResponse(), new MockFilterChain());
|
||||
|
||||
assertFalse(sessionId.equals(request.getSession().getId()));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void newSessionShouldNotBeCreatedIfSessionExistsAndUserIsNotAuthenticated() throws Exception {
|
||||
SessionFixationProtectionFilter filter = new SessionFixationProtectionFilter();
|
||||
SecurityContextRepository repo = mock(SecurityContextRepository.class);
|
||||
SessionFixationProtectionFilter filter = new SessionFixationProtectionFilter(repo);
|
||||
HttpServletRequest request = new MockHttpServletRequest();
|
||||
String sessionId = request.getSession().getId();
|
||||
|
||||
@@ -61,17 +42,47 @@ public class SessionFixationProtectionFilterTests {
|
||||
}
|
||||
|
||||
@Test
|
||||
public void newSessionShouldNotBeCreatedIfUserIsAlreadyAuthenticated() throws Exception {
|
||||
SessionFixationProtectionFilter filter = new SessionFixationProtectionFilter();
|
||||
public void strategyIsNotInvokedIfSecurityContextAlreadyExistsForRequest() throws Exception {
|
||||
SecurityContextRepository repo = mock(SecurityContextRepository.class);
|
||||
AuthenticatedSessionStrategy strategy = mock(AuthenticatedSessionStrategy.class);
|
||||
// mock that repo contains a security context
|
||||
when(repo.containsContext(any(HttpServletRequest.class))).thenReturn(true);
|
||||
SessionFixationProtectionFilter filter = new SessionFixationProtectionFilter(repo);
|
||||
filter.setAuthenticatedSessionStrategy(strategy);
|
||||
HttpServletRequest request = new MockHttpServletRequest();
|
||||
String sessionId = request.getSession().getId();
|
||||
authenticateUser();
|
||||
request.getSession().setAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY,
|
||||
SecurityContextHolder.getContext());
|
||||
|
||||
filter.doFilter(request, new MockHttpServletResponse(), new MockFilterChain());
|
||||
|
||||
assertEquals(sessionId, request.getSession().getId());
|
||||
verifyZeroInteractions(strategy);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void strategyIsNotInvokedIfAuthenticationIsNull() throws Exception {
|
||||
SecurityContextRepository repo = mock(SecurityContextRepository.class);
|
||||
AuthenticatedSessionStrategy strategy = mock(AuthenticatedSessionStrategy.class);
|
||||
SessionFixationProtectionFilter filter = new SessionFixationProtectionFilter(repo);
|
||||
filter.setAuthenticatedSessionStrategy(strategy);
|
||||
HttpServletRequest request = new MockHttpServletRequest();
|
||||
|
||||
filter.doFilter(request, new MockHttpServletResponse(), new MockFilterChain());
|
||||
|
||||
verifyZeroInteractions(strategy);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void strategyIsInvokedIfUserIsNewlyAuthenticated() throws Exception {
|
||||
SecurityContextRepository repo = mock(SecurityContextRepository.class);
|
||||
// repo will return false to containsContext()
|
||||
AuthenticatedSessionStrategy strategy = mock(AuthenticatedSessionStrategy.class);
|
||||
SessionFixationProtectionFilter filter = new SessionFixationProtectionFilter(repo);
|
||||
filter.setAuthenticatedSessionStrategy(strategy);
|
||||
HttpServletRequest request = new MockHttpServletRequest();
|
||||
authenticateUser();
|
||||
|
||||
filter.doFilter(request, new MockHttpServletResponse(), new MockFilterChain());
|
||||
|
||||
verify(strategy).onAuthenticationSuccess(any(Authentication.class), any(HttpServletRequest.class), any(HttpServletResponse.class));
|
||||
}
|
||||
|
||||
private void authenticateUser() {
|
||||
|
||||
Reference in New Issue
Block a user