
Example 6 with ConcurrentSessionFilter

Use of org.springframework.security.web.session.ConcurrentSessionFilter in project spring-security by spring-projects.

In class SessionManagementConfigurer, method createConccurencyFilter.

private ConcurrentSessionFilter createConccurencyFilter(H http) {
    SessionInformationExpiredStrategy expireStrategy = getExpiredSessionStrategy();
    SessionRegistry sessionRegistry = getSessionRegistry(http);
    // With no expired-session strategy configured, fall back to the filter's default handling.
    if (expireStrategy == null) {
        return new ConcurrentSessionFilter(sessionRegistry);
    }
    return new ConcurrentSessionFilter(sessionRegistry, expireStrategy);
}
Also used : SessionInformationExpiredStrategy(org.springframework.security.web.session.SessionInformationExpiredStrategy) SimpleRedirectSessionInformationExpiredStrategy(org.springframework.security.web.session.SimpleRedirectSessionInformationExpiredStrategy) SessionRegistry(org.springframework.security.core.session.SessionRegistry) ConcurrentSessionFilter(org.springframework.security.web.session.ConcurrentSessionFilter)

Example 7 with ConcurrentSessionFilter

Use of org.springframework.security.web.session.ConcurrentSessionFilter in project spring-security by spring-projects.

In class SessionManagementConfigurer, method configure.

@Override
public void configure(H http) throws Exception {
    SecurityContextRepository securityContextRepository = http.getSharedObject(SecurityContextRepository.class);
    SessionManagementFilter sessionManagementFilter = new SessionManagementFilter(securityContextRepository, getSessionAuthenticationStrategy(http));
    // A configured error URL installs a URL-based failure handler first.
    if (this.sessionAuthenticationErrorUrl != null) {
        sessionManagementFilter.setAuthenticationFailureHandler(new SimpleUrlAuthenticationFailureHandler(this.sessionAuthenticationErrorUrl));
    }
    InvalidSessionStrategy strategy = getInvalidSessionStrategy();
    if (strategy != null) {
        sessionManagementFilter.setInvalidSessionStrategy(strategy);
    }
    // An explicitly configured failure handler, when present, replaces the URL-based one set above.
    AuthenticationFailureHandler failureHandler = getSessionAuthenticationFailureHandler();
    if (failureHandler != null) {
        sessionManagementFilter.setAuthenticationFailureHandler(failureHandler);
    }
    AuthenticationTrustResolver trustResolver = http.getSharedObject(AuthenticationTrustResolver.class);
    if (trustResolver != null) {
        sessionManagementFilter.setTrustResolver(trustResolver);
    }
    sessionManagementFilter = postProcess(sessionManagementFilter);
    http.addFilter(sessionManagementFilter);
    // The ConcurrentSessionFilter is only added when concurrent session control is enabled.
    if (isConcurrentSessionControlEnabled()) {
        ConcurrentSessionFilter concurrentSessionFilter = createConccurencyFilter(http);
        concurrentSessionFilter = postProcess(concurrentSessionFilter);
        http.addFilter(concurrentSessionFilter);
    }
}
Also used : SessionManagementFilter(org.springframework.security.web.session.SessionManagementFilter) ConcurrentSessionFilter(org.springframework.security.web.session.ConcurrentSessionFilter) SimpleRedirectInvalidSessionStrategy(org.springframework.security.web.session.SimpleRedirectInvalidSessionStrategy) InvalidSessionStrategy(org.springframework.security.web.session.InvalidSessionStrategy) AuthenticationTrustResolver(org.springframework.security.authentication.AuthenticationTrustResolver) NullSecurityContextRepository(org.springframework.security.web.context.NullSecurityContextRepository) HttpSessionSecurityContextRepository(org.springframework.security.web.context.HttpSessionSecurityContextRepository) SecurityContextRepository(org.springframework.security.web.context.SecurityContextRepository) SimpleUrlAuthenticationFailureHandler(org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler) AuthenticationFailureHandler(org.springframework.security.web.authentication.AuthenticationFailureHandler) SimpleUrlAuthenticationFailureHandler(org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler)

Example 8 with ConcurrentSessionFilter

Use of org.springframework.security.web.session.ConcurrentSessionFilter in project spring-security by spring-projects.

In class ConcurrentSessionFilterTests, method lastRequestTimeUpdatesCorrectly.

@Test
public void lastRequestTimeUpdatesCorrectly() throws Exception {
    // Setup our HTTP request
    MockHttpServletRequest request = new MockHttpServletRequest();
    MockHttpSession session = new MockHttpSession();
    request.setSession(session);
    MockHttpServletResponse response = new MockHttpServletResponse();
    FilterChain fc = mock(FilterChain.class);
    // Setup our test fixture
    SessionRegistry registry = new SessionRegistryImpl();
    registry.registerNewSession(session.getId(), "principal");
    SimpleRedirectSessionInformationExpiredStrategy expiredSessionStrategy = new SimpleRedirectSessionInformationExpiredStrategy("/expired.jsp");
    ConcurrentSessionFilter filter = new ConcurrentSessionFilter(registry, expiredSessionStrategy);
    Date lastRequest = registry.getSessionInformation(session.getId()).getLastRequest();
    Thread.sleep(1000);
    filter.doFilter(request, response, fc);
    verify(fc).doFilter(request, response);
    assertThat(registry.getSessionInformation(session.getId()).getLastRequest().after(lastRequest)).isTrue();
}
Also used : SimpleRedirectSessionInformationExpiredStrategy(org.springframework.security.web.session.SimpleRedirectSessionInformationExpiredStrategy) SessionRegistry(org.springframework.security.core.session.SessionRegistry) MockHttpServletRequest(org.springframework.mock.web.MockHttpServletRequest) SessionRegistryImpl(org.springframework.security.core.session.SessionRegistryImpl) FilterChain(javax.servlet.FilterChain) MockFilterChain(org.springframework.mock.web.MockFilterChain) MockHttpSession(org.springframework.mock.web.MockHttpSession) ConcurrentSessionFilter(org.springframework.security.web.session.ConcurrentSessionFilter) MockHttpServletResponse(org.springframework.mock.web.MockHttpServletResponse) Date(java.util.Date) Test(org.junit.Test)

Example 9 with ConcurrentSessionFilter

Use of org.springframework.security.web.session.ConcurrentSessionFilter in project spring-security by spring-projects.

In class ConcurrentSessionFilterTests, method doFilterWhenNoSessionInformationThenChainIsContinued.

@Test
public void doFilterWhenNoSessionInformationThenChainIsContinued() throws Exception {
    MockHttpServletRequest request = new MockHttpServletRequest();
    request.setSession(new MockHttpSession());
    MockHttpServletResponse response = new MockHttpServletResponse();
    RedirectStrategy redirect = mock(RedirectStrategy.class);
    SessionRegistry registry = mock(SessionRegistry.class);
    String expiredUrl = "/expired";
    ConcurrentSessionFilter filter = new ConcurrentSessionFilter(registry, expiredUrl);
    filter.setRedirectStrategy(redirect);
    MockFilterChain chain = new MockFilterChain();
    filter.doFilter(request, response, chain);
    assertThat(chain.getRequest()).isNotNull();
}
Also used : SessionRegistry(org.springframework.security.core.session.SessionRegistry) MockHttpServletRequest(org.springframework.mock.web.MockHttpServletRequest) MockHttpSession(org.springframework.mock.web.MockHttpSession) ConcurrentSessionFilter(org.springframework.security.web.session.ConcurrentSessionFilter) Matchers.anyString(org.mockito.Matchers.anyString) RedirectStrategy(org.springframework.security.web.RedirectStrategy) MockFilterChain(org.springframework.mock.web.MockFilterChain) MockHttpServletResponse(org.springframework.mock.web.MockHttpServletResponse) Test(org.junit.Test)

Example 10 with ConcurrentSessionFilter

Use of org.springframework.security.web.session.ConcurrentSessionFilter in project spring-security by spring-projects.

In class ConcurrentSessionFilterTests, method setLogoutHandlersWhenEmptyThenThrowsException.

@Test(expected = IllegalArgumentException.class)
public void setLogoutHandlersWhenEmptyThenThrowsException() {
    ConcurrentSessionFilter filter = new ConcurrentSessionFilter(new SessionRegistryImpl());
    filter.setLogoutHandlers(new LogoutHandler[0]);
}
Also used : SessionRegistryImpl(org.springframework.security.core.session.SessionRegistryImpl) ConcurrentSessionFilter(org.springframework.security.web.session.ConcurrentSessionFilter) Test(org.junit.Test)
