Use of org.springframework.security.web.authentication.session.SessionAuthenticationException in project spring-security by spring-projects.
The class SessionManagementFilterTests, method strategyFailureInvokesFailureHandler.
/**
 * Verifies that a {@link SessionAuthenticationException} raised by the
 * {@link SessionAuthenticationStrategy} is routed to the configured
 * {@link AuthenticationFailureHandler} and that the filter chain is never invoked.
 */
@Test
public void strategyFailureInvokesFailureHandler() throws Exception {
    // The mocked repository reports no stored context, so the filter takes the strategy path.
    SecurityContextRepository contextRepository = mock(SecurityContextRepository.class);
    SessionAuthenticationStrategy rejectingStrategy = mock(SessionAuthenticationStrategy.class);
    AuthenticationFailureHandler handler = mock(AuthenticationFailureHandler.class);
    FilterChain chain = mock(FilterChain.class);

    SessionManagementFilter filter = new SessionManagementFilter(contextRepository, rejectingStrategy);
    filter.setAuthenticationFailureHandler(handler);

    HttpServletRequest request = new MockHttpServletRequest();
    HttpServletResponse response = new MockHttpServletResponse();

    authenticateUser();
    SessionAuthenticationException rejection = new SessionAuthenticationException("Failure");
    willThrow(rejection).given(rejectingStrategy).onAuthentication(SecurityContextHolder.getContext().getAuthentication(), request, response);

    filter.doFilter(request, response, chain);

    // A rejected authentication must never reach the downstream chain ...
    verifyZeroInteractions(chain);
    // ... and must be reported to the failure handler with the original exception instance.
    verify(handler).onAuthenticationFailure(request, response, rejection);
}
Use of org.springframework.security.web.authentication.session.SessionAuthenticationException in project spring-security by spring-projects.
The class SessionManagementFilter, method doFilter.
/**
 * Applies the session-management strategy to requests whose security context has not yet
 * been persisted by the {@code securityContextRepository}.
 * <p>
 * Behaviour, in order:
 * <ul>
 * <li>Runs at most once per request: a second pass (marked by {@code FILTER_APPLIED}) only
 * continues the chain.</li>
 * <li>If the repository already holds a context for this request, the chain continues
 * unchanged.</li>
 * <li>For a non-anonymous {@link Authentication} the {@code sessionAuthenticationStrategy} is
 * consulted; a {@link SessionAuthenticationException} clears the security context, hands the
 * failure to {@code failureHandler} and ends processing. Otherwise the context is saved
 * eagerly (SEC-1396).</li>
 * <li>For an unauthenticated or anonymous caller that presented an invalid session id,
 * {@code invalidSessionStrategy} (when configured) takes over and ends processing.</li>
 * </ul>
 *
 * @param req the current request; must be an {@link HttpServletRequest}
 * @param res the current response; must be an {@link HttpServletResponse}
 * @param chain the remaining filter chain
 * @throws IOException propagated from the chain or the strategies
 * @throws ServletException propagated from the chain or the strategies
 */
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
    HttpServletRequest request = (HttpServletRequest) req;
    HttpServletResponse response = (HttpServletResponse) res;

    // Re-entrant invocation for the same request: the work below has already been done.
    if (request.getAttribute(FILTER_APPLIED) != null) {
        chain.doFilter(request, response);
        return;
    }
    request.setAttribute(FILTER_APPLIED, Boolean.TRUE);

    if (securityContextRepository.containsContext(request)) {
        // A context was already persisted for this request; nothing to check or save.
        chain.doFilter(request, response);
        return;
    }

    Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
    // Anonymous tokens are treated like "not authenticated" and fall through to the timeout check.
    boolean isAuthenticated = authentication != null && !trustResolver.isAnonymous(authentication);

    if (isAuthenticated) {
        try {
            sessionAuthenticationStrategy.onAuthentication(authentication, request, response);
        } catch (SessionAuthenticationException e) {
            // The strategy rejected the authentication: drop the context so nothing downstream
            // can act on it, then let the failure handler produce the response.
            logger.debug("SessionAuthenticationStrategy rejected the authentication object", e);
            SecurityContextHolder.clearContext();
            failureHandler.onAuthenticationFailure(request, response, e);
            return;
        }
        // Save now rather than at the end of the request so re-entrant requests issued before
        // this one completes already see the context (SEC-1396).
        securityContextRepository.saveContext(SecurityContextHolder.getContext(), request, response);
    } else if (request.getRequestedSessionId() != null && !request.isRequestedSessionIdValid()) {
        // The client presented a session id the container no longer recognises.
        if (logger.isDebugEnabled()) {
            logger.debug("Requested session ID " + request.getRequestedSessionId() + " is invalid.");
        }
        if (invalidSessionStrategy != null) {
            invalidSessionStrategy.onInvalidSessionDetected(request, response);
            return;
        }
    }
    chain.doFilter(request, response);
}
Use of org.springframework.security.web.authentication.session.SessionAuthenticationException in project molgenis by molgenis.
The class AuthenticationAuthoritiesUpdaterImpl, method updateAuthentication.
/**
 * Builds a replacement for {@code authentication} that carries {@code updatedAuthorities},
 * choosing the concrete token type from the runtime type of the input.
 * <p>
 * Most token types are re-created with the original principal and credentials plus the new
 * authorities; {@code RunAsUserToken} and {@code AnonymousAuthenticationToken} are wrapped in a
 * decorator instead, and a {@code SystemSecurityToken} is returned unchanged (the supplied
 * authorities are not applied to it).
 *
 * @param authentication the token to update
 * @param updatedAuthorities the authorities the returned token should expose
 * @return a token of the same kind as the input exposing {@code updatedAuthorities}
 * @throws SessionAuthenticationException if the token type is not one of the supported types
 */
@Override
public Authentication updateAuthentication(Authentication authentication, List<GrantedAuthority> updatedAuthorities) {
    // NOTE(review): the original credentials are copied into the new token for every re-created
    // type; confirm this is intended when credentials have already been erased upstream.
    if (authentication instanceof TwoFactorAuthenticationToken) {
        TwoFactorAuthenticationToken twoFactor = (TwoFactorAuthenticationToken) authentication;
        return new TwoFactorAuthenticationToken(authentication.getPrincipal(), authentication.getCredentials(),
                updatedAuthorities, twoFactor.getVerificationCode(), twoFactor.getSecretKey());
    }
    if (authentication instanceof SystemSecurityToken) {
        // Passed through untouched: updatedAuthorities is deliberately ignored for the system token.
        return authentication;
    }
    if (authentication instanceof RestAuthenticationToken) {
        RestAuthenticationToken rest = (RestAuthenticationToken) authentication;
        return new RestAuthenticationToken(authentication.getPrincipal(), authentication.getCredentials(),
                updatedAuthorities, rest.getToken());
    }
    if (authentication instanceof RecoveryAuthenticationToken) {
        RecoveryAuthenticationToken recovery = (RecoveryAuthenticationToken) authentication;
        return new RecoveryAuthenticationToken(authentication.getPrincipal(), authentication.getCredentials(),
                updatedAuthorities, recovery.getRecoveryCode());
    }
    if (authentication instanceof UsernamePasswordAuthenticationToken) {
        return new UsernamePasswordAuthenticationToken(authentication.getPrincipal(), authentication.getCredentials(),
                updatedAuthorities);
    }
    if (authentication instanceof RunAsUserToken) {
        // Decorated rather than re-created so the original run-as token stays available.
        return new RunAsUserTokenDecorator((RunAsUserToken) authentication, updatedAuthorities);
    }
    if (authentication instanceof AnonymousAuthenticationToken) {
        return new AnonymousAuthenticationTokenDecorator((AnonymousAuthenticationToken) authentication, updatedAuthorities);
    }
    // Fail closed: an unknown token type is never returned with guessed authorities.
    throw new SessionAuthenticationException(format("Unknown authentication type '%s'", authentication.getClass().getSimpleName()));
}
Use of org.springframework.security.web.authentication.session.SessionAuthenticationException in project BroadleafCommerce by BroadleafCommerce.
The class AdminSecurityFilter, method doFilter.
/**
 * Runs the parent security filter and translates two failures that surface as the cause of a
 * {@link ServletException}:
 * <ul>
 * <li>{@code StaleStateServiceException}: answered with HTTP 409 and a short text body.</li>
 * <li>{@code ServiceException} while no {@link Authentication} is present and a
 * {@code failureHandler} is configured: treated as a session timeout, flagged on the request
 * under the {@code sessionTimeout} attribute and delegated to the failure handler.</li>
 * </ul>
 * Any other {@link ServletException} is rethrown unchanged.
 *
 * @param baseRequest the current request; cast to {@link HttpServletRequest} where needed
 * @param baseResponse the current response; cast to {@link HttpServletResponse} where needed
 * @param chain the remaining filter chain
 * @throws IOException propagated from the parent filter or the response writer
 * @throws ServletException rethrown when the cause is not one of the handled cases
 */
@Override
public void doFilter(ServletRequest baseRequest, ServletResponse baseResponse, FilterChain chain) throws IOException, ServletException {
    try {
        super.doFilter(baseRequest, baseResponse, chain);
    } catch (ServletException e) {
        Throwable cause = e.getCause();
        // Tested before ServiceException so the stale-state case wins should the two types be related.
        if (cause instanceof StaleStateServiceException) {
            LOG.debug("Stale state detected", e);
            ((HttpServletResponse) baseResponse).setStatus(HttpServletResponse.SC_CONFLICT);
            // NOTE(review): the wrapping exception's message is echoed to the client verbatim;
            // make sure it carries no internal detail the caller should not see.
            baseResponse.getWriter().write("Stale State Detected\n");
            baseResponse.getWriter().write(e.getMessage() + "\n");
            return;
        }
        if (!(cause instanceof ServiceException)) {
            throw e;
        }
        HttpServletRequest httpRequest = (HttpServletRequest) baseRequest;
        // Per the original authors: a service failure with no authentication at all (e.g. an
        // invalid CSRF token on an expired session) is reported as a session timeout.
        if (SecurityContextHolder.getContext().getAuthentication() == null && failureHandler != null) {
            httpRequest.setAttribute("sessionTimeout", true);
            failureHandler.onAuthenticationFailure(httpRequest, (HttpServletResponse) baseResponse,
                    new SessionAuthenticationException("Session Time Out"));
            return;
        }
        throw e;
    }
}
Use of org.springframework.security.web.authentication.session.SessionAuthenticationException in project spring-security by spring-projects.
The class SessionManagementFilter, method doFilter (private overload).
/**
 * Applies the session-management strategy to a request whose security context has not yet
 * been persisted by {@code securityContextRepository}.
 * <p>
 * The method runs once per request (guarded by the {@code FILTER_APPLIED} attribute). When no
 * context is stored yet and the caller is authenticated and not anonymous, the
 * {@code sessionAuthenticationStrategy} is consulted: a {@link SessionAuthenticationException}
 * clears the context, is handed to {@code failureHandler} and ends processing; otherwise the
 * context is saved eagerly (SEC-1396). When the caller is not authenticated but presented an
 * invalid session id, {@code invalidSessionStrategy} (if configured) takes over and ends
 * processing. In every other case the chain continues.
 *
 * @param request the current request
 * @param response the current response
 * @param chain the remaining filter chain
 * @throws IOException propagated from the chain or the strategies
 * @throws ServletException propagated from the chain or the strategies
 */
private void doFilter(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException, ServletException {
    // Already handled on an earlier pass through this filter for the same request.
    if (request.getAttribute(FILTER_APPLIED) != null) {
        chain.doFilter(request, response);
        return;
    }
    request.setAttribute(FILTER_APPLIED, Boolean.TRUE);

    if (this.securityContextRepository.containsContext(request)) {
        // Context already persisted for this request; nothing to validate or save.
        chain.doFilter(request, response);
        return;
    }

    Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
    // Anonymous callers take the same path as unauthenticated ones.
    boolean authenticated = authentication != null && !this.trustResolver.isAnonymous(authentication);

    if (authenticated) {
        try {
            this.sessionAuthenticationStrategy.onAuthentication(authentication, request, response);
        } catch (SessionAuthenticationException ex) {
            // Rejected by the strategy: clear the context before anything downstream can use it.
            this.logger.debug("SessionAuthenticationStrategy rejected the authentication object", ex);
            SecurityContextHolder.clearContext();
            this.failureHandler.onAuthenticationFailure(request, response, ex);
            return;
        }
        // Eager save so re-entrant requests issued before this one completes see the context (SEC-1396).
        this.securityContextRepository.saveContext(SecurityContextHolder.getContext(), request, response);
    } else if (request.getRequestedSessionId() != null && !request.isRequestedSessionIdValid()) {
        // The presented session id is unknown to the container: expired or otherwise invalid.
        if (this.logger.isDebugEnabled()) {
            this.logger.debug(LogMessage.format("Request requested invalid session id %s", request.getRequestedSessionId()));
        }
        if (this.invalidSessionStrategy != null) {
            this.invalidSessionStrategy.onInvalidSessionDetected(request, response);
            return;
        }
    }
    chain.doFilter(request, response);
}