Search in sources :

Example 16 with SessionRegistry

use of org.springframework.security.core.session.SessionRegistry in project spring-security by spring-projects.

the class ConcurrentSessionFilterTests method detectsExpiredSessions.

@Test
public void detectsExpiredSessions() throws Exception {
    // Setup our HTTP request
    MockHttpServletRequest request = new MockHttpServletRequest();
    MockHttpSession session = new MockHttpSession();
    request.setSession(session);
    MockHttpServletResponse response = new MockHttpServletResponse();
    SessionRegistry registry = new SessionRegistryImpl();
    registry.registerNewSession(session.getId(), "principal");
    registry.getSessionInformation(session.getId()).expireNow();
    // Setup our test fixture and registry to want this session to be expired
    SimpleRedirectSessionInformationExpiredStrategy expiredSessionStrategy = new SimpleRedirectSessionInformationExpiredStrategy("/expired.jsp");
    ConcurrentSessionFilter filter = new ConcurrentSessionFilter(registry, expiredSessionStrategy);
    filter.setLogoutHandlers(new LogoutHandler[] { new SecurityContextLogoutHandler() });
    filter.afterPropertiesSet();
    FilterChain fc = mock(FilterChain.class);
    filter.doFilter(request, response, fc);
    // Expect that the filter chain will not be invoked, as we redirect to expiredUrl
    verifyZeroInteractions(fc);
    assertThat(response.getRedirectedUrl()).isEqualTo("/expired.jsp");
}
Also used : SecurityContextLogoutHandler(org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler) SimpleRedirectSessionInformationExpiredStrategy(org.springframework.security.web.session.SimpleRedirectSessionInformationExpiredStrategy) SessionRegistry(org.springframework.security.core.session.SessionRegistry) MockHttpServletRequest(org.springframework.mock.web.MockHttpServletRequest) SessionRegistryImpl(org.springframework.security.core.session.SessionRegistryImpl) MockFilterChain(org.springframework.mock.web.MockFilterChain) FilterChain(jakarta.servlet.FilterChain) MockHttpSession(org.springframework.mock.web.MockHttpSession) ConcurrentSessionFilter(org.springframework.security.web.session.ConcurrentSessionFilter) MockHttpServletResponse(org.springframework.mock.web.MockHttpServletResponse) Test(org.junit.jupiter.api.Test)

Example 17 with SessionRegistry

use of org.springframework.security.core.session.SessionRegistry in project spring-security by spring-projects.

the class ConcurrentSessionFilterTests method doFilterWhenNoExpiredUrlThenResponseWritten.

@Test
public void doFilterWhenNoExpiredUrlThenResponseWritten() throws Exception {
    MockHttpServletRequest request = new MockHttpServletRequest();
    MockHttpSession session = new MockHttpSession();
    request.setSession(session);
    MockHttpServletResponse response = new MockHttpServletResponse();
    SessionRegistry registry = mock(SessionRegistry.class);
    SessionInformation information = new SessionInformation("user", "sessionId", new Date(System.currentTimeMillis() - 1000));
    information.expireNow();
    given(registry.getSessionInformation(anyString())).willReturn(information);
    ConcurrentSessionFilter filter = new ConcurrentSessionFilter(registry);
    filter.doFilter(request, response, new MockFilterChain());
    assertThat(response.getContentAsString()).contains("This session has been expired (possibly due to multiple concurrent logins being attempted as the same user).");
}
Also used : SessionInformation(org.springframework.security.core.session.SessionInformation) SessionRegistry(org.springframework.security.core.session.SessionRegistry) MockHttpServletRequest(org.springframework.mock.web.MockHttpServletRequest) MockHttpSession(org.springframework.mock.web.MockHttpSession) ConcurrentSessionFilter(org.springframework.security.web.session.ConcurrentSessionFilter) MockFilterChain(org.springframework.mock.web.MockFilterChain) MockHttpServletResponse(org.springframework.mock.web.MockHttpServletResponse) Date(java.util.Date) Test(org.junit.jupiter.api.Test)

Example 18 with SessionRegistry

use of org.springframework.security.core.session.SessionRegistry in project spring-security by spring-projects.

the class ConcurrentSessionFilterTests method lastRequestTimeUpdatesCorrectly.

@Test
public void lastRequestTimeUpdatesCorrectly() throws Exception {
    // Setup our HTTP request
    MockHttpServletRequest request = new MockHttpServletRequest();
    MockHttpSession session = new MockHttpSession();
    request.setSession(session);
    MockHttpServletResponse response = new MockHttpServletResponse();
    FilterChain fc = mock(FilterChain.class);
    // Setup our test fixture
    SessionRegistry registry = new SessionRegistryImpl();
    registry.registerNewSession(session.getId(), "principal");
    SimpleRedirectSessionInformationExpiredStrategy expiredSessionStrategy = new SimpleRedirectSessionInformationExpiredStrategy("/expired.jsp");
    ConcurrentSessionFilter filter = new ConcurrentSessionFilter(registry, expiredSessionStrategy);
    Date lastRequest = registry.getSessionInformation(session.getId()).getLastRequest();
    Thread.sleep(1000);
    filter.doFilter(request, response, fc);
    verify(fc).doFilter(request, response);
    assertThat(registry.getSessionInformation(session.getId()).getLastRequest().after(lastRequest)).isTrue();
}
Also used : SimpleRedirectSessionInformationExpiredStrategy(org.springframework.security.web.session.SimpleRedirectSessionInformationExpiredStrategy) SessionRegistry(org.springframework.security.core.session.SessionRegistry) MockHttpServletRequest(org.springframework.mock.web.MockHttpServletRequest) SessionRegistryImpl(org.springframework.security.core.session.SessionRegistryImpl) MockFilterChain(org.springframework.mock.web.MockFilterChain) FilterChain(jakarta.servlet.FilterChain) MockHttpSession(org.springframework.mock.web.MockHttpSession) ConcurrentSessionFilter(org.springframework.security.web.session.ConcurrentSessionFilter) MockHttpServletResponse(org.springframework.mock.web.MockHttpServletResponse) Date(java.util.Date) Test(org.junit.jupiter.api.Test)

Example 19 with SessionRegistry

use of org.springframework.security.core.session.SessionRegistry in project spring-security by spring-projects.

the class ConcurrentSessionFilterTests method doFilterWhenNoSessionInformationThenChainIsContinued.

@Test
public void doFilterWhenNoSessionInformationThenChainIsContinued() throws Exception {
    MockHttpServletRequest request = new MockHttpServletRequest();
    request.setSession(new MockHttpSession());
    MockHttpServletResponse response = new MockHttpServletResponse();
    RedirectStrategy redirect = mock(RedirectStrategy.class);
    SessionRegistry registry = mock(SessionRegistry.class);
    String expiredUrl = "/expired";
    ConcurrentSessionFilter filter = new ConcurrentSessionFilter(registry, expiredUrl);
    filter.setRedirectStrategy(redirect);
    MockFilterChain chain = new MockFilterChain();
    filter.doFilter(request, response, chain);
    assertThat(chain.getRequest()).isNotNull();
}
Also used : SessionRegistry(org.springframework.security.core.session.SessionRegistry) MockHttpServletRequest(org.springframework.mock.web.MockHttpServletRequest) MockHttpSession(org.springframework.mock.web.MockHttpSession) ConcurrentSessionFilter(org.springframework.security.web.session.ConcurrentSessionFilter) ArgumentMatchers.anyString(org.mockito.ArgumentMatchers.anyString) RedirectStrategy(org.springframework.security.web.RedirectStrategy) MockFilterChain(org.springframework.mock.web.MockFilterChain) MockHttpServletResponse(org.springframework.mock.web.MockHttpServletResponse) Test(org.junit.jupiter.api.Test)

Aggregations

SessionRegistry (org.springframework.security.core.session.SessionRegistry)19 Test (org.junit.jupiter.api.Test)13 MockHttpSession (org.springframework.mock.web.MockHttpSession)11 ConcurrentSessionFilter (org.springframework.security.web.session.ConcurrentSessionFilter)11 MockFilterChain (org.springframework.mock.web.MockFilterChain)9 MockHttpServletRequest (org.springframework.mock.web.MockHttpServletRequest)9 MockHttpServletResponse (org.springframework.mock.web.MockHttpServletResponse)9 Date (java.util.Date)7 SessionInformation (org.springframework.security.core.session.SessionInformation)6 ArgumentMatchers.anyString (org.mockito.ArgumentMatchers.anyString)4 SessionRegistryImpl (org.springframework.security.core.session.SessionRegistryImpl)4 RedirectStrategy (org.springframework.security.web.RedirectStrategy)4 SimpleRedirectSessionInformationExpiredStrategy (org.springframework.security.web.session.SimpleRedirectSessionInformationExpiredStrategy)4 FilterChain (jakarta.servlet.FilterChain)3 LogoutHandler (org.springframework.security.web.authentication.logout.LogoutHandler)2 SecurityContextLogoutHandler (org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler)2 SessionInformationExpiredStrategy (org.springframework.security.web.session.SessionInformationExpiredStrategy)2 HttpServletRequest (jakarta.servlet.http.HttpServletRequest)1 AuthenticationCredentialsNotFoundException (org.springframework.security.authentication.AuthenticationCredentialsNotFoundException)1 CompositeSessionAuthenticationStrategy (org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy)1