
Example 6 with SecurityContextRepository

Use of org.springframework.security.web.context.SecurityContextRepository in project spring-security by spring-projects.

From the class SessionManagementFilterTests, method newSessionShouldNotBeCreatedIfSessionExistsAndUserIsNotAuthenticated.

@Test
public void newSessionShouldNotBeCreatedIfSessionExistsAndUserIsNotAuthenticated() throws Exception {
    SecurityContextRepository repo = mock(SecurityContextRepository.class);
    SessionManagementFilter filter = new SessionManagementFilter(repo);
    HttpServletRequest request = new MockHttpServletRequest();
    // Create the session up front and remember its id
    String sessionId = request.getSession().getId();
    filter.doFilter(request, new MockHttpServletResponse(), new MockFilterChain());
    // No user is authenticated, so the filter must leave the existing session in place
    assertThat(request.getSession().getId()).isEqualTo(sessionId);
}
Also used: MockHttpServletRequest (org.springframework.mock.web.MockHttpServletRequest), HttpServletRequest (javax.servlet.http.HttpServletRequest), SecurityContextRepository (org.springframework.security.web.context.SecurityContextRepository), MockFilterChain (org.springframework.mock.web.MockFilterChain), MockHttpServletResponse (org.springframework.mock.web.MockHttpServletResponse), Test (org.junit.Test)

Example 7 with SecurityContextRepository

Use of org.springframework.security.web.context.SecurityContextRepository in project spring-security by spring-projects.

From the class SessionManagementFilterTests, method strategyIsInvokedIfUserIsNewlyAuthenticated.

@Test
public void strategyIsInvokedIfUserIsNewlyAuthenticated() throws Exception {
    SecurityContextRepository repo = mock(SecurityContextRepository.class);
    // repo will return false to containsContext()
    SessionAuthenticationStrategy strategy = mock(SessionAuthenticationStrategy.class);
    SessionManagementFilter filter = new SessionManagementFilter(repo, strategy);
    HttpServletRequest request = new MockHttpServletRequest();
    authenticateUser();
    filter.doFilter(request, new MockHttpServletResponse(), new MockFilterChain());
    verify(strategy).onAuthentication(any(Authentication.class), any(HttpServletRequest.class), any(HttpServletResponse.class));
    // Check that it is only applied once to the request
    filter.doFilter(request, new MockHttpServletResponse(), new MockFilterChain());
    verifyNoMoreInteractions(strategy);
}
Also used: MockHttpServletRequest (org.springframework.mock.web.MockHttpServletRequest), HttpServletRequest (javax.servlet.http.HttpServletRequest), SessionAuthenticationStrategy (org.springframework.security.web.authentication.session.SessionAuthenticationStrategy), Authentication (org.springframework.security.core.Authentication), HttpServletResponse (javax.servlet.http.HttpServletResponse), MockHttpServletResponse (org.springframework.mock.web.MockHttpServletResponse), SecurityContextRepository (org.springframework.security.web.context.SecurityContextRepository), MockFilterChain (org.springframework.mock.web.MockFilterChain), Test (org.junit.Test)

Example 8 with SecurityContextRepository

Use of org.springframework.security.web.context.SecurityContextRepository in project spring-security by spring-projects.

From the class SessionManagementFilterTests, method customAuthenticationTrustResolver.

@Test
public void customAuthenticationTrustResolver() throws Exception {
    AuthenticationTrustResolver trustResolver = mock(AuthenticationTrustResolver.class);
    SecurityContextRepository repo = mock(SecurityContextRepository.class);
    SessionManagementFilter filter = new SessionManagementFilter(repo);
    // Replace the default trust resolver with the mock
    filter.setTrustResolver(trustResolver);
    HttpServletRequest request = new MockHttpServletRequest();
    authenticateUser();
    filter.doFilter(request, new MockHttpServletResponse(), new MockFilterChain());
    // The filter must ask the injected resolver whether the authentication is anonymous
    verify(trustResolver).isAnonymous(any(Authentication.class));
}
Also used: MockHttpServletRequest (org.springframework.mock.web.MockHttpServletRequest), HttpServletRequest (javax.servlet.http.HttpServletRequest), Authentication (org.springframework.security.core.Authentication), AuthenticationTrustResolver (org.springframework.security.authentication.AuthenticationTrustResolver), SecurityContextRepository (org.springframework.security.web.context.SecurityContextRepository), MockFilterChain (org.springframework.mock.web.MockFilterChain), MockHttpServletResponse (org.springframework.mock.web.MockHttpServletResponse), Test (org.junit.Test)

Example 9 with SecurityContextRepository

Use of org.springframework.security.web.context.SecurityContextRepository in project spring-security by spring-projects.

From the class SessionManagementConfigurer, method configure.

@Override
public void configure(H http) throws Exception {
    // Reuse the SecurityContextRepository shared on the HttpSecurity builder
    SecurityContextRepository securityContextRepository = http.getSharedObject(SecurityContextRepository.class);
    SessionManagementFilter sessionManagementFilter = new SessionManagementFilter(securityContextRepository, getSessionAuthenticationStrategy(http));
    if (this.sessionAuthenticationErrorUrl != null) {
        sessionManagementFilter.setAuthenticationFailureHandler(new SimpleUrlAuthenticationFailureHandler(this.sessionAuthenticationErrorUrl));
    }
    InvalidSessionStrategy strategy = getInvalidSessionStrategy();
    if (strategy != null) {
        sessionManagementFilter.setInvalidSessionStrategy(strategy);
    }
    // An explicit failure handler is set last, so it replaces the URL-based handler above
    AuthenticationFailureHandler failureHandler = getSessionAuthenticationFailureHandler();
    if (failureHandler != null) {
        sessionManagementFilter.setAuthenticationFailureHandler(failureHandler);
    }
    AuthenticationTrustResolver trustResolver = http.getSharedObject(AuthenticationTrustResolver.class);
    if (trustResolver != null) {
        sessionManagementFilter.setTrustResolver(trustResolver);
    }
    sessionManagementFilter = postProcess(sessionManagementFilter);
    http.addFilter(sessionManagementFilter);
    // Concurrent session control is handled by a separate filter, added only when enabled
    if (isConcurrentSessionControlEnabled()) {
        ConcurrentSessionFilter concurrentSessionFilter = createConccurencyFilter(http);
        concurrentSessionFilter = postProcess(concurrentSessionFilter);
        http.addFilter(concurrentSessionFilter);
    }
}
Also used: SessionManagementFilter (org.springframework.security.web.session.SessionManagementFilter), ConcurrentSessionFilter (org.springframework.security.web.session.ConcurrentSessionFilter), SimpleRedirectInvalidSessionStrategy (org.springframework.security.web.session.SimpleRedirectInvalidSessionStrategy), InvalidSessionStrategy (org.springframework.security.web.session.InvalidSessionStrategy), AuthenticationTrustResolver (org.springframework.security.authentication.AuthenticationTrustResolver), NullSecurityContextRepository (org.springframework.security.web.context.NullSecurityContextRepository), HttpSessionSecurityContextRepository (org.springframework.security.web.context.HttpSessionSecurityContextRepository), SecurityContextRepository (org.springframework.security.web.context.SecurityContextRepository), SimpleUrlAuthenticationFailureHandler (org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler), AuthenticationFailureHandler (org.springframework.security.web.authentication.AuthenticationFailureHandler)

Example 10 with SecurityContextRepository

Use of org.springframework.security.web.context.SecurityContextRepository in project spring-security by spring-projects.

From the class SessionManagementFilterTests, method responseIsRedirectedToTimeoutUrlIfSetAndSessionIsInvalid.

@Test
public void responseIsRedirectedToTimeoutUrlIfSetAndSessionIsInvalid() throws Exception {
    SecurityContextRepository repo = mock(SecurityContextRepository.class);
    // repo will return false to containsContext()
    SessionAuthenticationStrategy strategy = mock(SessionAuthenticationStrategy.class);
    SessionManagementFilter filter = new SessionManagementFilter(repo, strategy);
    // The request presents a session id that the container reports as invalid
    MockHttpServletRequest request = new MockHttpServletRequest();
    request.setRequestedSessionId("xxx");
    request.setRequestedSessionIdValid(false);
    MockHttpServletResponse response = new MockHttpServletResponse();
    filter.doFilter(request, response, new MockFilterChain());
    // No invalid-session strategy is set yet, so no redirect is issued
    assertThat(response.getRedirectedUrl()).isNull();
    // Now set a redirect URL
    request = new MockHttpServletRequest();
    request.setRequestedSessionId("xxx");
    request.setRequestedSessionIdValid(false);
    SimpleRedirectInvalidSessionStrategy iss = new SimpleRedirectInvalidSessionStrategy("/timedOut");
    iss.setCreateNewSession(true);
    filter.setInvalidSessionStrategy(iss);
    FilterChain fc = mock(FilterChain.class);
    filter.doFilter(request, response, fc);
    // The filter redirects and must not pass the request on to the rest of the chain
    verifyZeroInteractions(fc);
    assertThat(response.getRedirectedUrl()).isEqualTo("/timedOut");
}
Also used: SessionAuthenticationStrategy (org.springframework.security.web.authentication.session.SessionAuthenticationStrategy), MockHttpServletRequest (org.springframework.mock.web.MockHttpServletRequest), FilterChain (javax.servlet.FilterChain), MockFilterChain (org.springframework.mock.web.MockFilterChain), SecurityContextRepository (org.springframework.security.web.context.SecurityContextRepository), MockHttpServletResponse (org.springframework.mock.web.MockHttpServletResponse), Test (org.junit.Test)
