use of org.springframework.security.core.session.SessionInformation in project spring-security by spring-projects.
the class ConcurrentSessionFilter method doFilter.
/**
 * Checks the current HTTP session against the session registry before the
 * request continues down the filter chain.
 * <p>
 * A session the registry has marked expired is logged out, handed to the
 * configured expired-session strategy, and the chain is not invoked. A
 * registered, non-expired session has its last-request time refreshed. A
 * request with no session, or one unknown to the registry, passes through
 * untouched.
 *
 * @param req the incoming request; cast to {@code HttpServletRequest}
 * @param res the outgoing response; cast to {@code HttpServletResponse}
 * @param chain the remaining filter chain
 * @throws IOException propagated from the chain or the expired-session strategy
 * @throws ServletException propagated from the chain or the expired-session strategy
 */
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
    HttpServletRequest request = (HttpServletRequest) req;
    HttpServletResponse response = (HttpServletResponse) res;

    // getSession(false): never create a session just to look it up.
    HttpSession session = request.getSession(false);
    SessionInformation info = (session == null) ? null
            : sessionRegistry.getSessionInformation(session.getId());

    // No session, or a session the registry does not track: nothing to enforce.
    if (info == null) {
        chain.doFilter(request, response);
        return;
    }

    // Live session: record the activity, then continue.
    if (!info.isExpired()) {
        sessionRegistry.refreshLastRequest(info.getSessionId());
        chain.doFilter(request, response);
        return;
    }

    // Expired session: stop here, the chain is deliberately not called.
    if (logger.isDebugEnabled()) {
        // NOTE(review): getRequestedSessionId() is the identifier supplied by the
        // client, so debug logs that carry it should be access-controlled like
        // any other record of session identifiers.
        logger.debug("Requested session ID " + request.getRequestedSessionId() + " has expired.");
    }
    doLogout(request, response);
    SessionInformationExpiredEvent expiredEvent = new SessionInformationExpiredEvent(info, request, response);
    this.sessionInformationExpiredStrategy.onExpiredSessionDetected(expiredEvent);
}
use of org.springframework.security.core.session.SessionInformation in project spring-security by spring-projects.
the class SessionRegistryImplTests method testTwoSessionsOnePrincipalExpiring.
/**
 * Registers two sessions for one principal, expires the second, and checks that
 * the expiry flag is visible on that session only.
 */
@Test
public void testTwoSessionsOnePrincipalExpiring() throws Exception {
    final Object principal = "Some principal object";
    final String firstId = "1234567890";
    final String secondId = "9876543210";

    // First registration: exactly one session is listed for the principal.
    sessionRegistry.registerNewSession(firstId, principal);
    assertThat(sessionRegistry.getAllSessions(principal, false)).hasSize(1);
    assertThat(contains(firstId, principal)).isTrue();

    // Second registration for the same principal: both sessions are listed.
    sessionRegistry.registerNewSession(secondId, principal);
    assertThat(sessionRegistry.getAllSessions(principal, false)).hasSize(2);
    assertThat(contains(secondId, principal)).isTrue();

    // Expire only the second session.
    sessionRegistry.getSessionInformation(secondId).expireNow();

    // The registry must report the expiry per session, not per principal.
    assertThat(sessionRegistry.getSessionInformation(secondId).isExpired()).isTrue();
    assertThat(sessionRegistry.getSessionInformation(firstId).isExpired()).isFalse();
}
use of org.springframework.security.core.session.SessionInformation in project spring-security by spring-projects.
the class ConcurrentSessionControlAuthenticationStrategy method allowableSessionsExceeded.
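/**
 * Allows subclasses to customise behaviour when too many sessions are detected.
 * <p>
 * This implementation rejects the authentication when
 * {@code exceptionIfMaximumExceeded} is set or when there is no session that could
 * be expired ({@code sessions} is {@code null} or empty). Otherwise it marks the
 * session with the oldest last-request time as expired. The session is only
 * flagged here; this method does not itself invalidate it.
 *
 * @param sessions either <code>null</code> or all unexpired sessions associated with
 * the principal
 * @param allowableSessions the number of concurrent sessions the user is allowed to
 * have
 * @param registry an instance of the <code>SessionRegistry</code> for subclass use
 * (not used by this implementation)
 * @throws SessionAuthenticationException if the new session must be refused rather
 * than an existing one expired
 */
protected void allowableSessionsExceeded(List<SessionInformation> sessions, int allowableSessions, SessionRegistry registry) throws SessionAuthenticationException {
    // Fail closed: with nothing to evict the limit cannot be enforced by expiry,
    // so an empty list is refused like null instead of reaching expireNow() on a
    // null reference.
    if (exceptionIfMaximumExceeded || (sessions == null) || sessions.isEmpty()) {
        throw new SessionAuthenticationException(messages.getMessage("ConcurrentSessionControlAuthenticationStrategy.exceededAllowed", new Object[] { Integer.valueOf(allowableSessions) }, "Maximum sessions of {0} for this principal exceeded"));
    }

    // Determine least recently used session, and mark it for invalidation
    SessionInformation leastRecentlyUsed = null;
    for (SessionInformation session : sessions) {
        if ((leastRecentlyUsed == null) || session.getLastRequest().before(leastRecentlyUsed.getLastRequest())) {
            leastRecentlyUsed = session;
        }
    }

    // NOTE(review): exactly one session is expired per call. If the principal
    // already holds more sessions than allowableSessions, the count stays above
    // the limit after this returns; confirm the caller cannot reach that state.
    leastRecentlyUsed.expireNow();
}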
use of org.springframework.security.core.session.SessionInformation in project spring-security by spring-projects.
the class ConcurrentSessionFilterTests method doFilterWhenNoExpiredUrlThenResponseWritten.
/**
 * With a filter built from a registry alone (no expired URL configured), an
 * expired session must produce the default "session expired" response body.
 */
@Test
public void doFilterWhenNoExpiredUrlThenResponseWritten() throws Exception {
    // Registry stub that reports an already-expired session for any session id.
    SessionInformation expiredInfo = new SessionInformation("user", "sessionId", new Date(System.currentTimeMillis() - 1000));
    expiredInfo.expireNow();
    SessionRegistry registry = mock(SessionRegistry.class);
    when(registry.getSessionInformation(anyString())).thenReturn(expiredInfo);

    // Request that carries an existing session, so the filter performs the lookup.
    MockHttpServletRequest request = new MockHttpServletRequest();
    request.setSession(new MockHttpSession());
    MockHttpServletResponse response = new MockHttpServletResponse();

    ConcurrentSessionFilter filter = new ConcurrentSessionFilter(registry);
    filter.doFilter(request, response, new MockFilterChain());

    // NOTE(review): only the response body is checked; this test does not assert
    // that the filter chain was left uninvoked for the expired session.
    String body = response.getContentAsString();
    assertThat(body).contains("This session has been expired (possibly due to multiple concurrent logins being attempted as the same user).");
}
use of org.springframework.security.core.session.SessionInformation in project spring-security by spring-projects.
the class ConcurrentSessionControlAuthenticationStrategyTests method setup.
/**
 * Builds the fixtures shared by the tests: a mock request/response pair, a test
 * authentication token, a session record for its principal with a fixed
 * last-request time, and the strategy under test.
 */
@Before
public void setup() throws Exception {
    this.request = new MockHttpServletRequest();
    this.response = new MockHttpServletResponse();
    this.authentication = new TestingAuthenticationToken("user", "password", "ROLE_USER");

    // Fixed timestamp keeps the session's last-request time deterministic.
    Date fixedLastRequest = new Date(1374766134216L);
    this.sessionInformation = new SessionInformation(this.authentication.getPrincipal(), "unique", fixedLastRequest);

    this.strategy = new ConcurrentSessionControlAuthenticationStrategy(this.sessionRegistry);
}