Example 6 with SessionDestroyedEvent

Use of org.springframework.security.core.session.SessionDestroyedEvent in the spring-security project by spring-projects.

Class JaasAuthenticationProviderTests, method testLogout.

@Test
public void testLogout() throws Exception {
    MockLoginContext loginContext = new MockLoginContext(this.jaasProvider.getLoginContextName());
    JaasAuthenticationToken token = new JaasAuthenticationToken(null, null, loginContext);
    SecurityContext context = SecurityContextHolder.createEmptyContext();
    context.setAuthentication(token);
    SessionDestroyedEvent event = mock(SessionDestroyedEvent.class);
    given(event.getSecurityContexts()).willReturn(Arrays.asList(context));
    this.jaasProvider.handleLogout(event);
    assertThat(loginContext.loggedOut).isTrue();
}
Also used: SecurityContext (org.springframework.security.core.context.SecurityContext), SessionDestroyedEvent (org.springframework.security.core.session.SessionDestroyedEvent), Test (org.junit.jupiter.api.Test)

Example 7 with SessionDestroyedEvent

Use of org.springframework.security.core.session.SessionDestroyedEvent in the spring-security project by spring-projects.

Class SessionRegistryImplTests, method sessionDestroyedEventRemovesSessionFromRegistry.

@Test
public void sessionDestroyedEventRemovesSessionFromRegistry() {
    Object principal = "Some principal object";
    final String sessionId = "zzzz";
    // Register new Session
    sessionRegistry.registerNewSession(sessionId, principal);
    // De-register session via an ApplicationEvent
    sessionRegistry.onApplicationEvent(new SessionDestroyedEvent("") {

        @Override
        public String getId() {
            return sessionId;
        }

        @Override
        public List<SecurityContext> getSecurityContexts() {
            return null;
        }
    });
    // Check attempts to retrieve cleared session return null
    assertThat(sessionRegistry.getSessionInformation(sessionId)).isNull();
}
Also used: List (java.util.List), SessionDestroyedEvent (org.springframework.security.core.session.SessionDestroyedEvent), Test (org.junit.Test)

Example 8 with SessionDestroyedEvent

Use of org.springframework.security.core.session.SessionDestroyedEvent in the spring-security project by spring-projects.

Class ConcurrentSessionManagementTests, method maxConcurrentLoginsValueIsRespected.

@Test
public void maxConcurrentLoginsValueIsRespected() throws Exception {
    final MockHttpSession session1 = new MockHttpSession();
    final MockHttpSession session2 = new MockHttpSession();
    MockMvc mockMvc = createMockMvc("classpath:/spring/http-security-concurrency.xml", "classpath:/spring/in-memory-provider.xml", "classpath:/spring/testapp-servlet.xml");
    // @formatter:off
    mockMvc.perform(get("/secure/index").session(session1)).andExpect(status().is3xxRedirection());
    // @formatter:on
    MockHttpServletRequestBuilder login1 = login().session(session1);
    mockMvc.perform(login1).andExpect(authenticated().withUsername("jimi"));
    MockHttpServletRequestBuilder login2 = login().session(session2);
    // @formatter:off
    mockMvc.perform(login2).andExpect(redirectedUrl("/login.jsp?login_error=true"));
    // @formatter:on
    Exception exception = (Exception) session2.getAttribute("SPRING_SECURITY_LAST_EXCEPTION");
    assertThat(exception).isNotNull();
    assertThat(exception.getMessage()).contains("Maximum sessions of 1 for this principal exceeded");
    // Now logout to kill first session
    // @formatter:off
    mockMvc.perform(post("/logout").with(csrf())).andExpect(status().is3xxRedirection()).andDo((result) -> this.context.publishEvent(new SessionDestroyedEvent(session1) {

        @Override
        public List<SecurityContext> getSecurityContexts() {
            return Collections.emptyList();
        }

        @Override
        public String getId() {
            return session1.getId();
        }
    }));
    // @formatter:on
    // Try second session again
    login2 = login().session(session2);
    // @formatter:off
    mockMvc.perform(login2).andExpect(authenticated().withUsername("jimi"));
    // @formatter:on
    // @formatter:off
    mockMvc.perform(get("/secure/index").session(session2)).andExpect(content().string(containsString("A Secure Page")));
    // @formatter:on
}
Also used: MockHttpServletRequestBuilder (org.springframework.test.web.servlet.request.MockHttpServletRequestBuilder), SecurityContext (org.springframework.security.core.context.SecurityContext), MockHttpSession (org.springframework.mock.web.MockHttpSession), SessionDestroyedEvent (org.springframework.security.core.session.SessionDestroyedEvent), MockMvc (org.springframework.test.web.servlet.MockMvc), Test (org.junit.jupiter.api.Test)

Example 9 with SessionDestroyedEvent

Use of org.springframework.security.core.session.SessionDestroyedEvent in the spring-security project by spring-projects.

Class DefaultJaasAuthenticationProviderTests, method logoutLoginException.

@Test
public void logoutLoginException() throws Exception {
    SessionDestroyedEvent event = mock(SessionDestroyedEvent.class);
    SecurityContext securityContext = mock(SecurityContext.class);
    JaasAuthenticationToken token = mock(JaasAuthenticationToken.class);
    LoginContext context = mock(LoginContext.class);
    LoginException loginException = new LoginException("Failed Login");
    given(event.getSecurityContexts()).willReturn(Arrays.asList(securityContext));
    given(securityContext.getAuthentication()).willReturn(token);
    given(token.getLoginContext()).willReturn(context);
    willThrow(loginException).given(context).logout();
    this.provider.onApplicationEvent(event);
    verify(event).getSecurityContexts();
    verify(securityContext).getAuthentication();
    verify(token).getLoginContext();
    verify(context).logout();
    verify(this.log).warn(anyString(), eq(loginException));
    verifyNoMoreInteractions(event, securityContext, token, context);
}
Also used: LoginContext (javax.security.auth.login.LoginContext), SecurityContext (org.springframework.security.core.context.SecurityContext), LoginException (javax.security.auth.login.LoginException), SessionDestroyedEvent (org.springframework.security.core.session.SessionDestroyedEvent), Test (org.junit.jupiter.api.Test)

Example 10 with SessionDestroyedEvent

Use of org.springframework.security.core.session.SessionDestroyedEvent in the spring-security project by spring-projects.

Class DefaultJaasAuthenticationProviderTests, method logoutNullLoginContext.

@Test
public void logoutNullLoginContext() {
    SessionDestroyedEvent event = mock(SessionDestroyedEvent.class);
    SecurityContext securityContext = mock(SecurityContext.class);
    JaasAuthenticationToken token = mock(JaasAuthenticationToken.class);
    given(event.getSecurityContexts()).willReturn(Arrays.asList(securityContext));
    given(securityContext.getAuthentication()).willReturn(token);
    this.provider.onApplicationEvent(event);
    verify(event).getSecurityContexts();
    verify(securityContext).getAuthentication();
    verify(token).getLoginContext();
    verifyNoMoreInteractions(event, securityContext, token);
}
Also used: SecurityContext (org.springframework.security.core.context.SecurityContext), SessionDestroyedEvent (org.springframework.security.core.session.SessionDestroyedEvent), Test (org.junit.jupiter.api.Test)
