
Example 1 with SessionFixationProtectionStrategy

Use of org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy in the project spring-security by spring-projects.

From the class DefaultSessionAuthenticationStrategyTests, method newSessionShouldNotBeCreatedIfNoSessionExistsAndAlwaysCreateIsFalse.

@Test
public void newSessionShouldNotBeCreatedIfNoSessionExistsAndAlwaysCreateIsFalse() {
    SessionFixationProtectionStrategy strategy = new SessionFixationProtectionStrategy();
    // No session exists before authentication and alwaysCreateSession is left at its default (false)
    HttpServletRequest request = new MockHttpServletRequest();
    strategy.onAuthentication(mock(Authentication.class), request, new MockHttpServletResponse());
    // The strategy only migrates an existing session; it must not create one here
    assertThat(request.getSession(false)).isNull();
}
Imports used: jakarta.servlet.http.HttpServletRequest, org.springframework.mock.web.MockHttpServletRequest, org.springframework.security.core.Authentication, org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy, org.springframework.mock.web.MockHttpServletResponse, org.junit.jupiter.api.Test

Example 2 with SessionFixationProtectionStrategy

Use of org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy in the project spring-security by spring-projects.

From the class DefaultSessionAuthenticationStrategyTests, method newSessionIsCreatedIfSessionAlreadyExists.

@Test
public void newSessionIsCreatedIfSessionAlreadyExists() {
    SessionFixationProtectionStrategy strategy = new SessionFixationProtectionStrategy();
    HttpServletRequest request = new MockHttpServletRequest();
    // Record the pre-authentication session ID (the one an attacker could have fixed)
    String sessionId = request.getSession().getId();
    strategy.onAuthentication(mock(Authentication.class), request, new MockHttpServletResponse());
    // Authentication must leave the user with a different session ID
    assertThat(sessionId.equals(request.getSession().getId())).isFalse();
}
Imports used: jakarta.servlet.http.HttpServletRequest, org.springframework.mock.web.MockHttpServletRequest, org.springframework.security.core.Authentication, org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy, org.springframework.mock.web.MockHttpServletResponse, org.junit.jupiter.api.Test

Example 3 with SessionFixationProtectionStrategy

Use of org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy in the project spring-security by spring-projects.

From the class DefaultSessionAuthenticationStrategyTests, method onAuthenticationWhenMigrateSessionAttributesTrueThenMaxInactiveIntervalIsMigrated.

@Test
public void onAuthenticationWhenMigrateSessionAttributesTrueThenMaxInactiveIntervalIsMigrated() {
    // migrateSessionAttributes is true by default
    SessionFixationProtectionStrategy strategy = new SessionFixationProtectionStrategy();
    HttpServletRequest request = new MockHttpServletRequest();
    HttpSession session = request.getSession();
    session.setMaxInactiveInterval(1);
    Authentication mockAuthentication = mock(Authentication.class);
    strategy.onAuthentication(mockAuthentication, request, new MockHttpServletResponse());
    // The timeout configured on the old session is carried over to the replacement session
    assertThat(request.getSession().getMaxInactiveInterval()).isEqualTo(1);
}
Imports used: jakarta.servlet.http.HttpServletRequest, org.springframework.mock.web.MockHttpServletRequest, jakarta.servlet.http.HttpSession, org.springframework.security.core.Authentication, org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy, org.springframework.mock.web.MockHttpServletResponse, org.junit.jupiter.api.Test

Example 4 with SessionFixationProtectionStrategy

Use of org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy in the project spring-security by spring-projects.

From the class DefaultSessionAuthenticationStrategyTests, method onlySavedRequestAttributeIsMigratedIfMigrateAttributesIsFalse.

// See SEC-1077
@Test
public void onlySavedRequestAttributeIsMigratedIfMigrateAttributesIsFalse() {
    SessionFixationProtectionStrategy strategy = new SessionFixationProtectionStrategy();
    // Disable attribute migration so pre-authentication state is dropped with the old session
    strategy.setMigrateSessionAttributes(false);
    HttpServletRequest request = new MockHttpServletRequest();
    HttpSession session = request.getSession();
    session.setAttribute("blah", "blah");
    session.setAttribute("SPRING_SECURITY_SAVED_REQUEST_KEY", "DefaultSavedRequest");
    strategy.onAuthentication(mock(Authentication.class), request, new MockHttpServletResponse());
    // Arbitrary attributes are discarded; only the saved request survives the session change
    assertThat(request.getSession().getAttribute("blah")).isNull();
    assertThat(request.getSession().getAttribute("SPRING_SECURITY_SAVED_REQUEST_KEY")).isNotNull();
}
Imports used: jakarta.servlet.http.HttpServletRequest, org.springframework.mock.web.MockHttpServletRequest, jakarta.servlet.http.HttpSession, org.springframework.security.core.Authentication, org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy, org.springframework.mock.web.MockHttpServletResponse, org.junit.jupiter.api.Test

Example 5 with SessionFixationProtectionStrategy

Use of org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy in the project spring-security by spring-projects.

From the class DefaultSessionAuthenticationStrategyTests, method onlySavedRequestAttributeIsMigratedIfMigrateAttributesIsFalseWithEventPublisher.

// SEC-2002
@Test
public void onlySavedRequestAttributeIsMigratedIfMigrateAttributesIsFalseWithEventPublisher() {
    SessionFixationProtectionStrategy strategy = new SessionFixationProtectionStrategy();
    strategy.setMigrateSessionAttributes(false);
    HttpServletRequest request = new MockHttpServletRequest();
    HttpSession session = request.getSession();
    session.setAttribute("blah", "blah");
    session.setAttribute("SPRING_SECURITY_SAVED_REQUEST_KEY", "DefaultSavedRequest");
    String oldSessionId = session.getId();
    // A mocked publisher lets the test capture the event the strategy emits on session migration
    ApplicationEventPublisher eventPublisher = mock(ApplicationEventPublisher.class);
    strategy.setApplicationEventPublisher(eventPublisher);
    Authentication mockAuthentication = mock(Authentication.class);
    strategy.onAuthentication(mockAuthentication, request, new MockHttpServletResponse());
    ArgumentCaptor<ApplicationEvent> eventArgumentCaptor = ArgumentCaptor.forClass(ApplicationEvent.class);
    verify(eventPublisher).publishEvent(eventArgumentCaptor.capture());
    assertThat(request.getSession().getAttribute("blah")).isNull();
    assertThat(request.getSession().getAttribute("SPRING_SECURITY_SAVED_REQUEST_KEY")).isNotNull();
    // Exactly one SessionFixationProtectionEvent is published, linking old and new session IDs
    // to the authenticated principal (useful for audit logging of session changes)
    assertThat(eventArgumentCaptor.getValue()).isNotNull();
    assertThat(eventArgumentCaptor.getValue() instanceof SessionFixationProtectionEvent).isTrue();
    SessionFixationProtectionEvent event = (SessionFixationProtectionEvent) eventArgumentCaptor.getValue();
    assertThat(event.getOldSessionId()).isEqualTo(oldSessionId);
    assertThat(event.getNewSessionId()).isEqualTo(request.getSession().getId());
    assertThat(event.getAuthentication()).isSameAs(mockAuthentication);
}
Imports used: jakarta.servlet.http.HttpServletRequest, org.springframework.mock.web.MockHttpServletRequest, jakarta.servlet.http.HttpSession, org.springframework.security.core.Authentication, org.springframework.security.web.authentication.session.SessionFixationProtectionEvent, org.springframework.context.ApplicationEventPublisher, org.springframework.context.ApplicationEvent, org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy, org.springframework.mock.web.MockHttpServletResponse, org.junit.jupiter.api.Test

Aggregations

HttpServletRequest (jakarta.servlet.http.HttpServletRequest) 8, Test (org.junit.jupiter.api.Test) 8, MockHttpServletRequest (org.springframework.mock.web.MockHttpServletRequest) 8, MockHttpServletResponse (org.springframework.mock.web.MockHttpServletResponse) 8, Authentication (org.springframework.security.core.Authentication) 8, SessionFixationProtectionStrategy (org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy) 8, HttpSession (jakarta.servlet.http.HttpSession) 5, ApplicationEvent (org.springframework.context.ApplicationEvent) 2, ApplicationEventPublisher (org.springframework.context.ApplicationEventPublisher) 2, SessionFixationProtectionEvent (org.springframework.security.web.authentication.session.SessionFixationProtectionEvent) 2