SEC-1875: ConcurrentSessionControlStrategy no longer adds/removes the session to the SessionRegistry twice

This fixes two issues introduced by SEC-1229

 * SessionRegistry.registerNewSession is invoked twice

 * SessionRegistry.removeSession is invoked twice (once by the
ConcurrentSessionControlStrategy#onSessionChange and once by
SessionRegistryImpl#onApplicationEvent). This is not nearly
as problematic since the interface states that implementations
should be handle removing the session twice. However, as removing
twice requires an unnecessary database hit we should only remove
sessions once.
This commit is contained in:
Rob Winch
2012-06-26 16:25:53 -05:00
parent 954ba57cf2
commit de3dfb5b3f
2 changed files with 63 additions and 7 deletions

View File

@@ -0,0 +1,63 @@
package org.springframework.security.web.authentication.session;
import static org.mockito.AdditionalMatchers.not;
import static org.mockito.Matchers.anyObject;
import static org.mockito.Matchers.anyString;
import static org.mockito.Matchers.eq;
import static org.mockito.Mockito.times;
import static org.mockito.Mockito.verify;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.Mock;
import org.mockito.runners.MockitoJUnitRunner;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.session.SessionRegistry;
/**
*
* @author Rob Winch
*
*/
@RunWith(MockitoJUnitRunner.class)
public class ConcurrentSessionControlStrategyTests {
@Mock
private SessionRegistry sessionRegistry;
@Mock
private Authentication authentication;
private MockHttpServletRequest request;
private MockHttpServletResponse response;
private ConcurrentSessionControlStrategy strategy;
@Before
public void setup() throws Exception {
request = new MockHttpServletRequest();
response = new MockHttpServletResponse();
strategy = new ConcurrentSessionControlStrategy(sessionRegistry);
}
@Test
public void onAuthenticationNewSession() {
strategy.onAuthentication(authentication, request, response);
verify(sessionRegistry,times(0)).removeSessionInformation(anyString());
verify(sessionRegistry).registerNewSession(anyString(), anyObject());
}
// SEC-1875
@Test
public void onAuthenticationChangeSession() {
String originalSessionId = request.getSession().getId();
strategy.onAuthentication(authentication, request, response);
verify(sessionRegistry,times(0)).removeSessionInformation(anyString());
verify(sessionRegistry).registerNewSession(not(eq(originalSessionId)), anyObject());
}
}