Use of org.springframework.security.core.session.SessionDestroyedEvent in the spring-security project by spring-projects.
Class JaasAuthenticationProviderTests, method testLogout.
/**
 * Verifies that passing a {@link SessionDestroyedEvent} to {@code handleLogout}
 * leaves the login context of the session's JAAS token marked as logged out.
 *
 * <p>The event is a mock that reports one security context, and that context holds
 * a {@code JaasAuthenticationToken} built around a {@code MockLoginContext}.
 */
@Test
public void testLogout() throws Exception {
    // The mock login context exposes a loggedOut flag, which is asserted at the end.
    MockLoginContext mockLoginContext = new MockLoginContext(this.jaasProvider.getLoginContextName());

    // Security context as it would be attached to the destroyed session.
    SecurityContext sessionContext = SecurityContextHolder.createEmptyContext();
    sessionContext.setAuthentication(new JaasAuthenticationToken(null, null, mockLoginContext));

    SessionDestroyedEvent destroyed = mock(SessionDestroyedEvent.class);
    given(destroyed.getSecurityContexts()).willReturn(Arrays.asList(sessionContext));

    this.jaasProvider.handleLogout(destroyed);

    // The JAAS login context must not stay logged in after the session is destroyed.
    assertThat(mockLoginContext.loggedOut).isTrue();
}
Use of org.springframework.security.core.session.SessionDestroyedEvent in the spring-security project by spring-projects.
Class SessionRegistryImplTests, method sessionDestroyedEventRemovesSessionFromRegistry.
/**
 * Verifies that a {@link SessionDestroyedEvent} delivered to the registry removes
 * the session registered under the event's id.
 */
@Test
public void sessionDestroyedEventRemovesSessionFromRegistry() {
    final String sessionId = "zzzz";
    Object owner = "Some principal object";

    // Put the session into the registry first.
    sessionRegistry.registerNewSession(sessionId, owner);

    // Event that only carries the session id; its security contexts are null.
    // NOTE(review): presumably the registry reads getId() only, confirm against
    // SessionRegistryImpl before relying on a null list here.
    SessionDestroyedEvent destroyed = new SessionDestroyedEvent("") {
        @Override
        public String getId() {
            return sessionId;
        }

        @Override
        public List<SecurityContext> getSecurityContexts() {
            return null;
        }
    };

    // Remove the session through the ApplicationEvent callback.
    sessionRegistry.onApplicationEvent(destroyed);

    // Looking up the removed session must yield null.
    assertThat(sessionRegistry.getSessionInformation(sessionId)).isNull();
}
Use of org.springframework.security.core.session.SessionDestroyedEvent in the spring-security project by spring-projects.
Class ConcurrentSessionManagementTests, method maxConcurrentLoginsValueIsRespected.
/**
 * Checks that the concurrent-session limit rejects a second login for the same
 * user and that a later login succeeds once a {@link SessionDestroyedEvent} for
 * the first session has been published.
 *
 * <p>The "/logout" request below is built without {@code .session(...)}, and the
 * event for the first session is published by hand from the result handler.
 * NOTE(review): the second login presumably succeeds because of that event rather
 * than because of the logout request itself. In a deployed application the event is
 * normally expected to come from the servlet container through
 * {@code HttpSessionEventPublisher}; confirm that listener is registered wherever
 * this limit is relied on, otherwise ended sessions may keep counting against it.
 */
@Test
public void maxConcurrentLoginsValueIsRespected() throws Exception {
    final MockHttpSession firstSession = new MockHttpSession();
    final MockHttpSession secondSession = new MockHttpSession();
    MockMvc mvc = createMockMvc("classpath:/spring/http-security-concurrency.xml",
            "classpath:/spring/in-memory-provider.xml", "classpath:/spring/testapp-servlet.xml");

    // An unauthenticated request for the protected page is answered with a redirect.
    // @formatter:off
    mvc.perform(get("/secure/index").session(firstSession))
            .andExpect(status().is3xxRedirection());
    // @formatter:on

    // First login succeeds.
    MockHttpServletRequestBuilder firstLogin = login().session(firstSession);
    mvc.perform(firstLogin).andExpect(authenticated().withUsername("jimi"));

    // Second login from a different session is sent to the login error page.
    MockHttpServletRequestBuilder rejectedLogin = login().session(secondSession);
    // @formatter:off
    mvc.perform(rejectedLogin)
            .andExpect(redirectedUrl("/login.jsp?login_error=true"));
    // @formatter:on

    // The rejection reason is stored in the second session and names the limit.
    Exception lastFailure = (Exception) secondSession.getAttribute("SPRING_SECURITY_LAST_EXCEPTION");
    assertThat(lastFailure).isNotNull();
    assertThat(lastFailure.getMessage()).contains("Maximum sessions of 1 for this principal exceeded");

    // Now logout to kill the first session, then announce its destruction.
    // @formatter:off
    mvc.perform(post("/logout").with(csrf()))
            .andExpect(status().is3xxRedirection())
            .andDo((result) -> {
                SessionDestroyedEvent destroyed = new SessionDestroyedEvent(firstSession) {
                    @Override
                    public List<SecurityContext> getSecurityContexts() {
                        return Collections.emptyList();
                    }

                    @Override
                    public String getId() {
                        return firstSession.getId();
                    }
                };
                this.context.publishEvent(destroyed);
            });
    // @formatter:on

    // Try the second session again: this time the login is accepted.
    MockHttpServletRequestBuilder retriedLogin = login().session(secondSession);
    // @formatter:off
    mvc.perform(retriedLogin)
            .andExpect(authenticated().withUsername("jimi"));
    // @formatter:on

    // The second session can now read the protected page.
    // @formatter:off
    mvc.perform(get("/secure/index").session(secondSession))
            .andExpect(content().string(containsString("A Secure Page")));
    // @formatter:on
}
Use of org.springframework.security.core.session.SessionDestroyedEvent in the spring-security project by spring-projects.
Class DefaultJaasAuthenticationProviderTests, method logoutLoginException.
/**
 * Verifies the provider's behaviour when {@code LoginContext.logout()} throws a
 * {@code LoginException} while a {@link SessionDestroyedEvent} is being handled:
 * the call to {@code onApplicationEvent} completes, and the exception is passed to
 * {@code log.warn}.
 */
@Test
public void logoutLoginException() throws Exception {
    LoginException failure = new LoginException("Failed Login");
    LoginContext loginContext = mock(LoginContext.class);
    JaasAuthenticationToken jaasToken = mock(JaasAuthenticationToken.class);
    SecurityContext sessionContext = mock(SecurityContext.class);
    SessionDestroyedEvent destroyed = mock(SessionDestroyedEvent.class);

    // Wire event -> security context -> token -> login context, with logout() failing.
    given(destroyed.getSecurityContexts()).willReturn(Arrays.asList(sessionContext));
    given(sessionContext.getAuthentication()).willReturn(jaasToken);
    given(jaasToken.getLoginContext()).willReturn(loginContext);
    willThrow(failure).given(loginContext).logout();

    // A propagated exception would fail the test here.
    this.provider.onApplicationEvent(destroyed);

    // Each link of the chain was consulted and logout() was attempted.
    verify(destroyed).getSecurityContexts();
    verify(sessionContext).getAuthentication();
    verify(jaasToken).getLoginContext();
    verify(loginContext).logout();

    // The failed logout is reported through the logger with the original exception.
    verify(this.log).warn(anyString(), eq(failure));

    // Nothing else was called on the mocks.
    verifyNoMoreInteractions(destroyed, sessionContext, jaasToken, loginContext);
}
Use of org.springframework.security.core.session.SessionDestroyedEvent in the spring-security project by spring-projects.
Class DefaultJaasAuthenticationProviderTests, method logoutNullLoginContext.
/**
 * Verifies that handling a {@link SessionDestroyedEvent} tolerates a JAAS token
 * without a login context: the provider asks the token for it and makes no further
 * calls on the mocks.
 */
@Test
public void logoutNullLoginContext() {
    JaasAuthenticationToken jaasToken = mock(JaasAuthenticationToken.class);
    SecurityContext sessionContext = mock(SecurityContext.class);
    SessionDestroyedEvent destroyed = mock(SessionDestroyedEvent.class);

    // getLoginContext() is left unstubbed, so the Mockito mock returns null for it.
    given(destroyed.getSecurityContexts()).willReturn(Arrays.asList(sessionContext));
    given(sessionContext.getAuthentication()).willReturn(jaasToken);

    this.provider.onApplicationEvent(destroyed);

    // The chain is followed up to the missing login context and stops there.
    verify(destroyed).getSecurityContexts();
    verify(sessionContext).getAuthentication();
    verify(jaasToken).getLoginContext();
    verifyNoMoreInteractions(destroyed, sessionContext, jaasToken);
}