use of org.springframework.security.web.context.SecurityContextRepository in project spring-security by spring-projects.
the class SessionManagementFilterTests method newSessionShouldNotBeCreatedIfSessionExistsAndUserIsNotAuthenticated.
@Test
public void newSessionShouldNotBeCreatedIfSessionExistsAndUserIsNotAuthenticated() throws Exception {
SecurityContextRepository repo = mock(SecurityContextRepository.class);
SessionManagementFilter filter = new SessionManagementFilter(repo);
HttpServletRequest request = new MockHttpServletRequest();
String sessionId = request.getSession().getId();
filter.doFilter(request, new MockHttpServletResponse(), new MockFilterChain());
assertThat(request.getSession().getId()).isEqualTo(sessionId);
}
use of org.springframework.security.web.context.SecurityContextRepository in project spring-security by spring-projects.
the class SessionManagementFilterTests method strategyIsInvokedIfUserIsNewlyAuthenticated.
@Test
public void strategyIsInvokedIfUserIsNewlyAuthenticated() throws Exception {
SecurityContextRepository repo = mock(SecurityContextRepository.class);
// repo will return false to containsContext()
SessionAuthenticationStrategy strategy = mock(SessionAuthenticationStrategy.class);
SessionManagementFilter filter = new SessionManagementFilter(repo, strategy);
HttpServletRequest request = new MockHttpServletRequest();
authenticateUser();
filter.doFilter(request, new MockHttpServletResponse(), new MockFilterChain());
verify(strategy).onAuthentication(any(Authentication.class), any(HttpServletRequest.class), any(HttpServletResponse.class));
// Check that it is only applied once to the request
filter.doFilter(request, new MockHttpServletResponse(), new MockFilterChain());
verifyNoMoreInteractions(strategy);
}
use of org.springframework.security.web.context.SecurityContextRepository in project spring-security by spring-projects.
the class SessionManagementFilterTests method customAuthenticationTrustResolver.
@Test
public void customAuthenticationTrustResolver() throws Exception {
AuthenticationTrustResolver trustResolver = mock(AuthenticationTrustResolver.class);
SecurityContextRepository repo = mock(SecurityContextRepository.class);
SessionManagementFilter filter = new SessionManagementFilter(repo);
filter.setTrustResolver(trustResolver);
HttpServletRequest request = new MockHttpServletRequest();
authenticateUser();
filter.doFilter(request, new MockHttpServletResponse(), new MockFilterChain());
verify(trustResolver).isAnonymous(any(Authentication.class));
}
use of org.springframework.security.web.context.SecurityContextRepository in project spring-security by spring-projects.
the class SessionManagementConfigurer method configure.
@Override
public void configure(H http) throws Exception {
SecurityContextRepository securityContextRepository = http.getSharedObject(SecurityContextRepository.class);
SessionManagementFilter sessionManagementFilter = new SessionManagementFilter(securityContextRepository, getSessionAuthenticationStrategy(http));
if (this.sessionAuthenticationErrorUrl != null) {
sessionManagementFilter.setAuthenticationFailureHandler(new SimpleUrlAuthenticationFailureHandler(this.sessionAuthenticationErrorUrl));
}
InvalidSessionStrategy strategy = getInvalidSessionStrategy();
if (strategy != null) {
sessionManagementFilter.setInvalidSessionStrategy(strategy);
}
AuthenticationFailureHandler failureHandler = getSessionAuthenticationFailureHandler();
if (failureHandler != null) {
sessionManagementFilter.setAuthenticationFailureHandler(failureHandler);
}
AuthenticationTrustResolver trustResolver = http.getSharedObject(AuthenticationTrustResolver.class);
if (trustResolver != null) {
sessionManagementFilter.setTrustResolver(trustResolver);
}
sessionManagementFilter = postProcess(sessionManagementFilter);
http.addFilter(sessionManagementFilter);
if (isConcurrentSessionControlEnabled()) {
ConcurrentSessionFilter concurrentSessionFilter = createConccurencyFilter(http);
concurrentSessionFilter = postProcess(concurrentSessionFilter);
http.addFilter(concurrentSessionFilter);
}
}
use of org.springframework.security.web.context.SecurityContextRepository in project spring-security by spring-projects.
the class SessionManagementFilterTests method responseIsRedirectedToTimeoutUrlIfSetAndSessionIsInvalid.
@Test
public void responseIsRedirectedToTimeoutUrlIfSetAndSessionIsInvalid() throws Exception {
SecurityContextRepository repo = mock(SecurityContextRepository.class);
// repo will return false to containsContext()
SessionAuthenticationStrategy strategy = mock(SessionAuthenticationStrategy.class);
SessionManagementFilter filter = new SessionManagementFilter(repo, strategy);
MockHttpServletRequest request = new MockHttpServletRequest();
request.setRequestedSessionId("xxx");
request.setRequestedSessionIdValid(false);
MockHttpServletResponse response = new MockHttpServletResponse();
filter.doFilter(request, response, new MockFilterChain());
assertThat(response.getRedirectedUrl()).isNull();
// Now set a redirect URL
request = new MockHttpServletRequest();
request.setRequestedSessionId("xxx");
request.setRequestedSessionIdValid(false);
SimpleRedirectInvalidSessionStrategy iss = new SimpleRedirectInvalidSessionStrategy("/timedOut");
iss.setCreateNewSession(true);
filter.setInvalidSessionStrategy(iss);
FilterChain fc = mock(FilterChain.class);
filter.doFilter(request, response, fc);
verifyZeroInteractions(fc);
assertThat(response.getRedirectedUrl()).isEqualTo("/timedOut");
}
Aggregations