Examples with HttpSession jakarta.servlet.http.HttpSession used on opensource projects

Example 86 with HttpSession

use of jakarta.servlet.http.HttpSession in project spring-security by spring-projects.

the class HttpSessionRequestCache method removeRequest.

@Override
public void removeRequest(HttpServletRequest currentRequest, HttpServletResponse response) {
    HttpSession session = currentRequest.getSession(false);
    if (session != null) {
        this.logger.trace("Removing DefaultSavedRequest from session if present");
        session.removeAttribute(this.sessionAttrName);
    }
}

Example 87 with HttpSession

use of jakarta.servlet.http.HttpSession in project spring-security by spring-projects.

the class ConcurrentSessionFilter method doFilter.

private void doFilter(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException, ServletException {
    HttpSession session = request.getSession(false);
    if (session != null) {
        SessionInformation info = this.sessionRegistry.getSessionInformation(session.getId());
        if (info != null) {
            if (info.isExpired()) {
                // Expired - abort processing
                this.logger.debug(LogMessage.of(() -> "Requested session ID " + request.getRequestedSessionId() + " has expired."));
                doLogout(request, response);
                this.sessionInformationExpiredStrategy.onExpiredSessionDetected(new SessionInformationExpiredEvent(info, request, response));
                return;
            }
            // Non-expired - update last request date/time
            this.sessionRegistry.refreshLastRequest(info.getSessionId());
        }
    }
    chain.doFilter(request, response);
}

Example 88 with HttpSession

use of jakarta.servlet.http.HttpSession in project spring-security by spring-projects.

the class HttpSessionSecurityContextRepositoryTests method saveContextCallsSetAttributeIfContextIsModifiedDirectlyDuringRequest.

// SEC-1528
@Test
public void saveContextCallsSetAttributeIfContextIsModifiedDirectlyDuringRequest() {
    HttpSessionSecurityContextRepository repo = new HttpSessionSecurityContextRepository();
    MockHttpServletRequest request = new MockHttpServletRequest();
    // Set up an existing authenticated context, mocking that it is in the session
    // already
    SecurityContext ctx = SecurityContextHolder.getContext();
    ctx.setAuthentication(this.testToken);
    HttpSession session = mock(HttpSession.class);
    given(session.getAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY)).willReturn(ctx);
    request.setSession(session);
    HttpRequestResponseHolder holder = new HttpRequestResponseHolder(request, new MockHttpServletResponse());
    assertThat(repo.loadContext(holder)).isSameAs(ctx);
    // Modify context contents. Same user, different role
    SecurityContextHolder.getContext().setAuthentication(new TestingAuthenticationToken("someone", "passwd", "ROLE_B"));
    repo.saveContext(ctx, holder.getRequest(), holder.getResponse());
    // Must be called even though the value in the local VM is already the same
    verify(session).setAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY, ctx);
}

Example 89 with HttpSession

use of jakarta.servlet.http.HttpSession in project spring-security by spring-projects.

the class DefaultSessionAuthenticationStrategyTests method onlySavedRequestAttributeIsMigratedIfMigrateAttributesIsFalseWithEventPublisher.

// SEC-2002
@Test
public void onlySavedRequestAttributeIsMigratedIfMigrateAttributesIsFalseWithEventPublisher() {
    SessionFixationProtectionStrategy strategy = new SessionFixationProtectionStrategy();
    strategy.setMigrateSessionAttributes(false);
    HttpServletRequest request = new MockHttpServletRequest();
    HttpSession session = request.getSession();
    session.setAttribute("blah", "blah");
    session.setAttribute("SPRING_SECURITY_SAVED_REQUEST_KEY", "DefaultSavedRequest");
    String oldSessionId = session.getId();
    ApplicationEventPublisher eventPublisher = mock(ApplicationEventPublisher.class);
    strategy.setApplicationEventPublisher(eventPublisher);
    Authentication mockAuthentication = mock(Authentication.class);
    strategy.onAuthentication(mockAuthentication, request, new MockHttpServletResponse());
    ArgumentCaptor<ApplicationEvent> eventArgumentCaptor = ArgumentCaptor.forClass(ApplicationEvent.class);
    verify(eventPublisher).publishEvent(eventArgumentCaptor.capture());
    assertThat(request.getSession().getAttribute("blah")).isNull();
    assertThat(request.getSession().getAttribute("SPRING_SECURITY_SAVED_REQUEST_KEY")).isNotNull();
    assertThat(eventArgumentCaptor.getValue()).isNotNull();
    assertThat(eventArgumentCaptor.getValue() instanceof SessionFixationProtectionEvent).isTrue();
    SessionFixationProtectionEvent event = (SessionFixationProtectionEvent) eventArgumentCaptor.getValue();
    assertThat(event.getOldSessionId()).isEqualTo(oldSessionId);
    assertThat(event.getNewSessionId()).isEqualTo(request.getSession().getId());
    assertThat(event.getAuthentication()).isSameAs(mockAuthentication);
}

Example 90 with HttpSession

use of jakarta.servlet.http.HttpSession in project spring-security by spring-projects.

the class DefaultSessionAuthenticationStrategyTests method onAuthenticationWhenMigrateSessionAttributesFalseThenMaxInactiveIntervalIsNotMigrated.

@Test
public void onAuthenticationWhenMigrateSessionAttributesFalseThenMaxInactiveIntervalIsNotMigrated() {
    SessionFixationProtectionStrategy strategy = new SessionFixationProtectionStrategy();
    strategy.setMigrateSessionAttributes(false);
    HttpServletRequest request = new MockHttpServletRequest();
    HttpSession session = request.getSession();
    session.setMaxInactiveInterval(1);
    Authentication mockAuthentication = mock(Authentication.class);
    strategy.onAuthentication(mockAuthentication, request, new MockHttpServletResponse());
    assertThat(request.getSession().getMaxInactiveInterval()).isNotEqualTo(1);
}