
Example 6 with SessionRegistry

Use of org.springframework.security.core.session.SessionRegistry in project spring-security by spring-projects.

The class SessionManagementConfigurer, method createConccurencyFilter.

private ConcurrentSessionFilter createConccurencyFilter(H http) {
    SessionInformationExpiredStrategy expireStrategy = getExpiredSessionStrategy();
    SessionRegistry sessionRegistry = getSessionRegistry(http);
    if (expireStrategy == null) {
        return new ConcurrentSessionFilter(sessionRegistry);
    }
    return new ConcurrentSessionFilter(sessionRegistry, expireStrategy);
}
Also used : SessionInformationExpiredStrategy(org.springframework.security.web.session.SessionInformationExpiredStrategy) SimpleRedirectSessionInformationExpiredStrategy(org.springframework.security.web.session.SimpleRedirectSessionInformationExpiredStrategy) SessionRegistry(org.springframework.security.core.session.SessionRegistry) ConcurrentSessionFilter(org.springframework.security.web.session.ConcurrentSessionFilter)

Example 7 with SessionRegistry

Use of org.springframework.security.core.session.SessionRegistry in project spring-security by spring-projects.

The class SessionManagementConfigurer, method getSessionAuthenticationStrategy.

/**
 * Gets the customized {@link SessionAuthenticationStrategy} if
 * {@link #sessionAuthenticationStrategy(SessionAuthenticationStrategy)} was
 * specified. Otherwise creates a default {@link SessionAuthenticationStrategy}.
 *
 * @return the {@link SessionAuthenticationStrategy} to use
 */
private SessionAuthenticationStrategy getSessionAuthenticationStrategy(H http) {
    if (this.sessionAuthenticationStrategy != null) {
        return this.sessionAuthenticationStrategy;
    }
    List<SessionAuthenticationStrategy> delegateStrategies = this.sessionAuthenticationStrategies;
    SessionAuthenticationStrategy defaultSessionAuthenticationStrategy;
    if (this.providedSessionAuthenticationStrategy == null) {
        // If a user provided SessionAuthenticationStrategy is not supplied
        // then default to SessionFixationProtectionStrategy
        defaultSessionAuthenticationStrategy = postProcess(this.sessionFixationAuthenticationStrategy);
    } else {
        defaultSessionAuthenticationStrategy = this.providedSessionAuthenticationStrategy;
    }
    if (isConcurrentSessionControlEnabled()) {
        SessionRegistry sessionRegistry = getSessionRegistry(http);
        ConcurrentSessionControlAuthenticationStrategy concurrentSessionControlStrategy = new ConcurrentSessionControlAuthenticationStrategy(sessionRegistry);
        concurrentSessionControlStrategy.setMaximumSessions(this.maximumSessions);
        concurrentSessionControlStrategy.setExceptionIfMaximumExceeded(this.maxSessionsPreventsLogin);
        concurrentSessionControlStrategy = postProcess(concurrentSessionControlStrategy);
        RegisterSessionAuthenticationStrategy registerSessionStrategy = new RegisterSessionAuthenticationStrategy(sessionRegistry);
        registerSessionStrategy = postProcess(registerSessionStrategy);
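        // Delegates run in list order: enforce the concurrent-session limit first,
        // then apply the default strategy (session fixation protection unless overridden),
        // and only then register the resulting session in the SessionRegistry
        delegateStrategies.addAll(Arrays.asList(concurrentSessionControlStrategy, defaultSessionAuthenticationStrategy, registerSessionStrategy));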
    } else {
        delegateStrategies.add(defaultSessionAuthenticationStrategy);
    }
    this.sessionAuthenticationStrategy = postProcess(new CompositeSessionAuthenticationStrategy(delegateStrategies));
    return this.sessionAuthenticationStrategy;
}
Also used : SessionAuthenticationStrategy(org.springframework.security.web.authentication.session.SessionAuthenticationStrategy) CompositeSessionAuthenticationStrategy(org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy) RegisterSessionAuthenticationStrategy(org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy) SessionRegistry(org.springframework.security.core.session.SessionRegistry) ConcurrentSessionControlAuthenticationStrategy(org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy)

Example 8 with SessionRegistry

Use of org.springframework.security.core.session.SessionRegistry in project spring-security by spring-projects.

The class ProtectPointcutPerformanceTests, method usingPrototypeDoesNotParsePointcutOnEachCall.

// Method for use with profiler
@Test
public void usingPrototypeDoesNotParsePointcutOnEachCall() {
    StopWatch sw = new StopWatch();
    sw.start();
    for (int i = 0; i < 1000; i++) {
        try {
            SessionRegistry reg = (SessionRegistry) ctx.getBean("sessionRegistryPrototype");
            reg.getAllPrincipals();
            fail("Expected AuthenticationCredentialsNotFoundException");
        } catch (AuthenticationCredentialsNotFoundException expected) {
            // Expected: the secured call is made with no Authentication in the SecurityContext
        }
    }
    sw.stop();
    // assertThat(sw.getTotalTimeMillis() < 1000).isTrue();
}
Also used : SessionRegistry(org.springframework.security.core.session.SessionRegistry) AuthenticationCredentialsNotFoundException(org.springframework.security.authentication.AuthenticationCredentialsNotFoundException) StopWatch(org.springframework.util.StopWatch) Test(org.junit.Test)

Example 9 with SessionRegistry

Use of org.springframework.security.core.session.SessionRegistry in project spring-security by spring-projects.

The class ConcurrentSessionFilterTests, method lastRequestTimeUpdatesCorrectly.

@Test
public void lastRequestTimeUpdatesCorrectly() throws Exception {
    // Setup our HTTP request
    MockHttpServletRequest request = new MockHttpServletRequest();
    MockHttpSession session = new MockHttpSession();
    request.setSession(session);
    MockHttpServletResponse response = new MockHttpServletResponse();
    FilterChain fc = mock(FilterChain.class);
    // Setup our test fixture
    SessionRegistry registry = new SessionRegistryImpl();
    registry.registerNewSession(session.getId(), "principal");
    SimpleRedirectSessionInformationExpiredStrategy expiredSessionStrategy = new SimpleRedirectSessionInformationExpiredStrategy("/expired.jsp");
    ConcurrentSessionFilter filter = new ConcurrentSessionFilter(registry, expiredSessionStrategy);
    Date lastRequest = registry.getSessionInformation(session.getId()).getLastRequest();
    Thread.sleep(1000);
    filter.doFilter(request, response, fc);
    verify(fc).doFilter(request, response);
    assertThat(registry.getSessionInformation(session.getId()).getLastRequest().after(lastRequest)).isTrue();
}
Also used : SimpleRedirectSessionInformationExpiredStrategy(org.springframework.security.web.session.SimpleRedirectSessionInformationExpiredStrategy) SessionRegistry(org.springframework.security.core.session.SessionRegistry) MockHttpServletRequest(org.springframework.mock.web.MockHttpServletRequest) SessionRegistryImpl(org.springframework.security.core.session.SessionRegistryImpl) FilterChain(javax.servlet.FilterChain) MockFilterChain(org.springframework.mock.web.MockFilterChain) MockHttpSession(org.springframework.mock.web.MockHttpSession) ConcurrentSessionFilter(org.springframework.security.web.session.ConcurrentSessionFilter) MockHttpServletResponse(org.springframework.mock.web.MockHttpServletResponse) Date(java.util.Date) Test(org.junit.Test)

Example 10 with SessionRegistry

Use of org.springframework.security.core.session.SessionRegistry in project spring-security by spring-projects.

The class ConcurrentSessionFilterTests, method doFilterWhenNoSessionInformationThenChainIsContinued.

@Test
public void doFilterWhenNoSessionInformationThenChainIsContinued() throws Exception {
    MockHttpServletRequest request = new MockHttpServletRequest();
    request.setSession(new MockHttpSession());
    MockHttpServletResponse response = new MockHttpServletResponse();
    RedirectStrategy redirect = mock(RedirectStrategy.class);
    SessionRegistry registry = mock(SessionRegistry.class);
    String expiredUrl = "/expired";
    ConcurrentSessionFilter filter = new ConcurrentSessionFilter(registry, expiredUrl);
    filter.setRedirectStrategy(redirect);
    MockFilterChain chain = new MockFilterChain();
    filter.doFilter(request, response, chain);
    assertThat(chain.getRequest()).isNotNull();
}
Also used : SessionRegistry(org.springframework.security.core.session.SessionRegistry) MockHttpServletRequest(org.springframework.mock.web.MockHttpServletRequest) MockHttpSession(org.springframework.mock.web.MockHttpSession) ConcurrentSessionFilter(org.springframework.security.web.session.ConcurrentSessionFilter) Matchers.anyString(org.mockito.Matchers.anyString) RedirectStrategy(org.springframework.security.web.RedirectStrategy) MockFilterChain(org.springframework.mock.web.MockFilterChain) MockHttpServletResponse(org.springframework.mock.web.MockHttpServletResponse) Test(org.junit.Test)
