Example 1 with SecurityContextRepository

Use of org.springframework.security.web.context.SecurityContextRepository in project spring-security by spring-projects.

Class SecurityContextConfigurer, method configure.

@Override
@SuppressWarnings("unchecked")
public void configure(H http) throws Exception {
    SecurityContextRepository securityContextRepository = http.getSharedObject(SecurityContextRepository.class);
    if (securityContextRepository == null) {
        securityContextRepository = new HttpSessionSecurityContextRepository();
    }
    SecurityContextPersistenceFilter securityContextFilter = new SecurityContextPersistenceFilter(securityContextRepository);
    SessionManagementConfigurer<?> sessionManagement = http.getConfigurer(SessionManagementConfigurer.class);
    SessionCreationPolicy sessionCreationPolicy = sessionManagement == null ? null : sessionManagement.getSessionCreationPolicy();
    if (SessionCreationPolicy.ALWAYS == sessionCreationPolicy) {
        securityContextFilter.setForceEagerSessionCreation(true);
    }
    securityContextFilter = postProcess(securityContextFilter);
    http.addFilter(securityContextFilter);
}
Also used: SessionCreationPolicy (org.springframework.security.config.http.SessionCreationPolicy), HttpSessionSecurityContextRepository (org.springframework.security.web.context.HttpSessionSecurityContextRepository), SecurityContextRepository (org.springframework.security.web.context.SecurityContextRepository), SecurityContextPersistenceFilter (org.springframework.security.web.context.SecurityContextPersistenceFilter)

Example 2 with SecurityContextRepository

Use of org.springframework.security.web.context.SecurityContextRepository in project spring-security by spring-projects.

Class SessionManagementConfigurer, method init.

@Override
public void init(H http) throws Exception {
    SecurityContextRepository securityContextRepository = http.getSharedObject(SecurityContextRepository.class);
    boolean stateless = isStateless();
    if (securityContextRepository == null) {
        if (stateless) {
            http.setSharedObject(SecurityContextRepository.class, new NullSecurityContextRepository());
        } else {
            HttpSessionSecurityContextRepository httpSecurityRepository = new HttpSessionSecurityContextRepository();
            httpSecurityRepository.setDisableUrlRewriting(!this.enableSessionUrlRewriting);
            httpSecurityRepository.setAllowSessionCreation(isAllowSessionCreation());
            AuthenticationTrustResolver trustResolver = http.getSharedObject(AuthenticationTrustResolver.class);
            if (trustResolver != null) {
                httpSecurityRepository.setTrustResolver(trustResolver);
            }
            http.setSharedObject(SecurityContextRepository.class, httpSecurityRepository);
        }
    }
    RequestCache requestCache = http.getSharedObject(RequestCache.class);
    if (requestCache == null) {
        if (stateless) {
            http.setSharedObject(RequestCache.class, new NullRequestCache());
        }
    }
    http.setSharedObject(SessionAuthenticationStrategy.class, getSessionAuthenticationStrategy(http));
    http.setSharedObject(InvalidSessionStrategy.class, getInvalidSessionStrategy());
}
Also used: HttpSessionSecurityContextRepository (org.springframework.security.web.context.HttpSessionSecurityContextRepository), NullSecurityContextRepository (org.springframework.security.web.context.NullSecurityContextRepository), RequestCache (org.springframework.security.web.savedrequest.RequestCache), NullRequestCache (org.springframework.security.web.savedrequest.NullRequestCache), AuthenticationTrustResolver (org.springframework.security.authentication.AuthenticationTrustResolver), SecurityContextRepository (org.springframework.security.web.context.SecurityContextRepository)

Example 3 with SecurityContextRepository

Use of org.springframework.security.web.context.SecurityContextRepository in project spring-security by spring-projects.

Class SessionManagementFilterTests, method strategyIsNotInvokedIfSecurityContextAlreadyExistsForRequest.

@Test
public void strategyIsNotInvokedIfSecurityContextAlreadyExistsForRequest() throws Exception {
    SecurityContextRepository repo = mock(SecurityContextRepository.class);
    SessionAuthenticationStrategy strategy = mock(SessionAuthenticationStrategy.class);
    // mock that repo contains a security context
    when(repo.containsContext(any(HttpServletRequest.class))).thenReturn(true);
    SessionManagementFilter filter = new SessionManagementFilter(repo, strategy);
    HttpServletRequest request = new MockHttpServletRequest();
    authenticateUser();
    filter.doFilter(request, new MockHttpServletResponse(), new MockFilterChain());
    verifyZeroInteractions(strategy);
}
Also used: MockHttpServletRequest (org.springframework.mock.web.MockHttpServletRequest), HttpServletRequest (javax.servlet.http.HttpServletRequest), SessionAuthenticationStrategy (org.springframework.security.web.authentication.session.SessionAuthenticationStrategy), SecurityContextRepository (org.springframework.security.web.context.SecurityContextRepository), MockFilterChain (org.springframework.mock.web.MockFilterChain), MockHttpServletResponse (org.springframework.mock.web.MockHttpServletResponse), Test (org.junit.Test)

Example 4 with SecurityContextRepository

Use of org.springframework.security.web.context.SecurityContextRepository in project spring-security by spring-projects.

Class SessionManagementFilterTests, method strategyFailureInvokesFailureHandler.

@Test
public void strategyFailureInvokesFailureHandler() throws Exception {
    SecurityContextRepository repo = mock(SecurityContextRepository.class);
    // repo will return false to containsContext()
    SessionAuthenticationStrategy strategy = mock(SessionAuthenticationStrategy.class);
    AuthenticationFailureHandler failureHandler = mock(AuthenticationFailureHandler.class);
    SessionManagementFilter filter = new SessionManagementFilter(repo, strategy);
    filter.setAuthenticationFailureHandler(failureHandler);
    HttpServletRequest request = new MockHttpServletRequest();
    HttpServletResponse response = new MockHttpServletResponse();
    FilterChain fc = mock(FilterChain.class);
    authenticateUser();
    SessionAuthenticationException exception = new SessionAuthenticationException("Failure");
    doThrow(exception).when(strategy).onAuthentication(SecurityContextHolder.getContext().getAuthentication(), request, response);
    filter.doFilter(request, response, fc);
    verifyZeroInteractions(fc);
    verify(failureHandler).onAuthenticationFailure(request, response, exception);
}
Also used: MockHttpServletRequest (org.springframework.mock.web.MockHttpServletRequest), HttpServletRequest (javax.servlet.http.HttpServletRequest), SessionAuthenticationException (org.springframework.security.web.authentication.session.SessionAuthenticationException), SessionAuthenticationStrategy (org.springframework.security.web.authentication.session.SessionAuthenticationStrategy), FilterChain (javax.servlet.FilterChain), MockFilterChain (org.springframework.mock.web.MockFilterChain), HttpServletResponse (javax.servlet.http.HttpServletResponse), MockHttpServletResponse (org.springframework.mock.web.MockHttpServletResponse), SecurityContextRepository (org.springframework.security.web.context.SecurityContextRepository), AuthenticationFailureHandler (org.springframework.security.web.authentication.AuthenticationFailureHandler), Test (org.junit.Test)

Example 5 with SecurityContextRepository

Use of org.springframework.security.web.context.SecurityContextRepository in project spring-security by spring-projects.

Class SessionManagementFilterTests, method setTrustResolverNull.

@Test(expected = IllegalArgumentException.class)
public void setTrustResolverNull() {
    SecurityContextRepository repo = mock(SecurityContextRepository.class);
    SessionManagementFilter filter = new SessionManagementFilter(repo);
    filter.setTrustResolver(null);
}
Also used: SecurityContextRepository (org.springframework.security.web.context.SecurityContextRepository), Test (org.junit.Test)

Aggregations

SecurityContextRepository (org.springframework.security.web.context.SecurityContextRepository): 11
Test (org.junit.Test): 8
MockFilterChain (org.springframework.mock.web.MockFilterChain): 7
MockHttpServletRequest (org.springframework.mock.web.MockHttpServletRequest): 7
MockHttpServletResponse (org.springframework.mock.web.MockHttpServletResponse): 7
HttpServletRequest (javax.servlet.http.HttpServletRequest): 6
SessionAuthenticationStrategy (org.springframework.security.web.authentication.session.SessionAuthenticationStrategy): 5
AuthenticationTrustResolver (org.springframework.security.authentication.AuthenticationTrustResolver): 3
HttpSessionSecurityContextRepository (org.springframework.security.web.context.HttpSessionSecurityContextRepository): 3
FilterChain (javax.servlet.FilterChain): 2
HttpServletResponse (javax.servlet.http.HttpServletResponse): 2
Authentication (org.springframework.security.core.Authentication): 2
AuthenticationFailureHandler (org.springframework.security.web.authentication.AuthenticationFailureHandler): 2
NullSecurityContextRepository (org.springframework.security.web.context.NullSecurityContextRepository): 2
SessionCreationPolicy (org.springframework.security.config.http.SessionCreationPolicy): 1
SimpleUrlAuthenticationFailureHandler (org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler): 1
SessionAuthenticationException (org.springframework.security.web.authentication.session.SessionAuthenticationException): 1
SecurityContextPersistenceFilter (org.springframework.security.web.context.SecurityContextPersistenceFilter): 1
NullRequestCache (org.springframework.security.web.savedrequest.NullRequestCache): 1
RequestCache (org.springframework.security.web.savedrequest.RequestCache): 1