SEC-1229: Redesign Concurrent Session Control implementation. Renamed session strategy interface and introduced SessionAuthenticationException for rejection of session/Authentication combination.

This commit is contained in:
Luke Taylor
2009-08-31 22:48:49 +00:00
parent 0d7b990e0a
commit dbcb13ad14
12 changed files with 66 additions and 84 deletions

View File

@@ -50,7 +50,7 @@ import org.springframework.security.web.authentication.SavedRequestAwareAuthenti
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
import org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices;
import org.springframework.security.web.savedrequest.SavedRequest;
import org.springframework.security.web.session.AuthenticatedSessionStrategy;
import org.springframework.security.web.session.SessionAuthenticationStrategy;
/**
@@ -240,7 +240,7 @@ public class AbstractProcessingFilterTests extends TestCase {
MockAbstractProcessingFilter filter = new MockAbstractProcessingFilter(true);
filter.setFilterProcessesUrl("/j_mock_post");
filter.setAuthenticatedSessionStrategy(mock(AuthenticatedSessionStrategy.class));
filter.setAuthenticatedSessionStrategy(mock(SessionAuthenticationStrategy.class));
filter.setAuthenticationSuccessHandler(successHandler);
filter.setAuthenticationFailureHandler(failureHandler);
filter.setAuthenticationManager(mock(AuthenticationManager.class));

View File

@@ -18,11 +18,11 @@ import org.springframework.security.web.savedrequest.SavedRequest;
* @author Luke Taylor
* @version $Id$
*/
public class DefaultAuthenticatedSessionStrategyTests {
public class DefaultSessionAuthenticationStrategyTests {
@Test
public void newSessionShouldNotBeCreatedIfNoSessionExistsAndAlwaysCreateIsFalse() throws Exception {
DefaultAuthenticatedSessionStrategy strategy = new DefaultAuthenticatedSessionStrategy();
DefaultSessionAuthenticationStrategy strategy = new DefaultSessionAuthenticationStrategy();
HttpServletRequest request = new MockHttpServletRequest();
strategy.onAuthentication(mock(Authentication.class), request, new MockHttpServletResponse());
@@ -32,7 +32,7 @@ public class DefaultAuthenticatedSessionStrategyTests {
// @Test
// public void newSessionIsCreatedIfSessionAlreadyExists() throws Exception {
// DefaultAuthenticatedSessionStrategy strategy = new DefaultAuthenticatedSessionStrategy();
// DefaultSessionAuthenticationStrategy strategy = new DefaultSessionAuthenticationStrategy();
// strategy.setSessionRegistry(mock(SessionRegistry.class));
// HttpServletRequest request = new MockHttpServletRequest();
// String sessionId = request.getSession().getId();
@@ -45,7 +45,7 @@ public class DefaultAuthenticatedSessionStrategyTests {
// See SEC-1077
@Test
public void onlySavedRequestAttributeIsMigratedIfMigrateAttributesIsFalse() throws Exception {
DefaultAuthenticatedSessionStrategy strategy = new DefaultAuthenticatedSessionStrategy();
DefaultSessionAuthenticationStrategy strategy = new DefaultSessionAuthenticationStrategy();
strategy.setMigrateSessionAttributes(false);
HttpServletRequest request = new MockHttpServletRequest();
HttpSession session = request.getSession();
@@ -60,7 +60,7 @@ public class DefaultAuthenticatedSessionStrategyTests {
@Test
public void sessionIsCreatedIfAlwaysCreateTrue() throws Exception {
DefaultAuthenticatedSessionStrategy strategy = new DefaultAuthenticatedSessionStrategy();
DefaultSessionAuthenticationStrategy strategy = new DefaultSessionAuthenticationStrategy();
strategy.setAlwaysCreateSession(true);
HttpServletRequest request = new MockHttpServletRequest();
strategy.onAuthentication(mock(Authentication.class), request, new MockHttpServletResponse());

View File

@@ -44,7 +44,7 @@ public class SessionManagementFilterTests {
@Test
public void strategyIsNotInvokedIfSecurityContextAlreadyExistsForRequest() throws Exception {
SecurityContextRepository repo = mock(SecurityContextRepository.class);
AuthenticatedSessionStrategy strategy = mock(AuthenticatedSessionStrategy.class);
SessionAuthenticationStrategy strategy = mock(SessionAuthenticationStrategy.class);
// mock that repo contains a security context
when(repo.containsContext(any(HttpServletRequest.class))).thenReturn(true);
SessionManagementFilter filter = new SessionManagementFilter(repo);
@@ -60,7 +60,7 @@ public class SessionManagementFilterTests {
@Test
public void strategyIsNotInvokedIfAuthenticationIsNull() throws Exception {
SecurityContextRepository repo = mock(SecurityContextRepository.class);
AuthenticatedSessionStrategy strategy = mock(AuthenticatedSessionStrategy.class);
SessionAuthenticationStrategy strategy = mock(SessionAuthenticationStrategy.class);
SessionManagementFilter filter = new SessionManagementFilter(repo);
filter.setAuthenticatedSessionStrategy(strategy);
HttpServletRequest request = new MockHttpServletRequest();
@@ -74,7 +74,7 @@ public class SessionManagementFilterTests {
public void strategyIsInvokedIfUserIsNewlyAuthenticated() throws Exception {
SecurityContextRepository repo = mock(SecurityContextRepository.class);
// repo will return false to containsContext()
AuthenticatedSessionStrategy strategy = mock(AuthenticatedSessionStrategy.class);
SessionAuthenticationStrategy strategy = mock(SessionAuthenticationStrategy.class);
SessionManagementFilter filter = new SessionManagementFilter(repo);
filter.setAuthenticatedSessionStrategy(strategy);
HttpServletRequest request = new MockHttpServletRequest();
@@ -92,7 +92,7 @@ public class SessionManagementFilterTests {
public void responseIsRedirectedToTimeoutUrlIfSetAndSessionIsInvalid() throws Exception {
SecurityContextRepository repo = mock(SecurityContextRepository.class);
// repo will return false to containsContext()
AuthenticatedSessionStrategy strategy = mock(AuthenticatedSessionStrategy.class);
SessionAuthenticationStrategy strategy = mock(SessionAuthenticationStrategy.class);
SessionManagementFilter filter = new SessionManagementFilter(repo);
filter.setAuthenticatedSessionStrategy(strategy);
MockHttpServletRequest request = new MockHttpServletRequest();