
Example 11 with ConcurrentSessionFilter

Use of org.springframework.security.web.session.ConcurrentSessionFilter in project spring-security by spring-projects.

From the class ConcurrentSessionFilterTests, method detectsExpiredSessions.

@Test
public void detectsExpiredSessions() throws Exception {
    // Set up our HTTP request with a session attached
    MockHttpServletRequest request = new MockHttpServletRequest();
    MockHttpSession session = new MockHttpSession();
    request.setSession(session);
    MockHttpServletResponse response = new MockHttpServletResponse();
    // Register the session in the registry, then mark it as expired
    SessionRegistry registry = new SessionRegistryImpl();
    registry.registerNewSession(session.getId(), "principal");
    registry.getSessionInformation(session.getId()).expireNow();
    // Set up the filter under test with a strategy that redirects expired sessions
    SimpleRedirectSessionInformationExpiredStrategy expiredSessionStrategy = new SimpleRedirectSessionInformationExpiredStrategy("/expired.jsp");
    ConcurrentSessionFilter filter = new ConcurrentSessionFilter(registry, expiredSessionStrategy);
    filter.setLogoutHandlers(new LogoutHandler[] { new SecurityContextLogoutHandler() });
    filter.afterPropertiesSet();
    FilterChain fc = mock(FilterChain.class);
    filter.doFilter(request, response, fc);
    // Expect that the filter chain will not be invoked, as we redirect to expiredUrl
    verifyZeroInteractions(fc);
    assertThat(response.getRedirectedUrl()).isEqualTo("/expired.jsp");
}
Also used: SecurityContextLogoutHandler (org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler), SimpleRedirectSessionInformationExpiredStrategy (org.springframework.security.web.session.SimpleRedirectSessionInformationExpiredStrategy), SessionRegistry (org.springframework.security.core.session.SessionRegistry), MockHttpServletRequest (org.springframework.mock.web.MockHttpServletRequest), SessionRegistryImpl (org.springframework.security.core.session.SessionRegistryImpl), FilterChain (javax.servlet.FilterChain), MockFilterChain (org.springframework.mock.web.MockFilterChain), MockHttpSession (org.springframework.mock.web.MockHttpSession), ConcurrentSessionFilter (org.springframework.security.web.session.ConcurrentSessionFilter), MockHttpServletResponse (org.springframework.mock.web.MockHttpServletResponse), Test (org.junit.Test)

Example 12 with ConcurrentSessionFilter

Use of org.springframework.security.web.session.ConcurrentSessionFilter in project spring-security by spring-projects.

From the class ConcurrentSessionFilterTests, method doFilterWhenNoExpiredUrlThenResponseWritten.

@Test
public void doFilterWhenNoExpiredUrlThenResponseWritten() throws Exception {
    // Set up an HTTP request with a session attached
    MockHttpServletRequest request = new MockHttpServletRequest();
    MockHttpSession session = new MockHttpSession();
    request.setSession(session);
    MockHttpServletResponse response = new MockHttpServletResponse();
    // Mock the registry so that any session id resolves to an already-expired session
    SessionRegistry registry = mock(SessionRegistry.class);
    SessionInformation information = new SessionInformation("user", "sessionId", new Date(System.currentTimeMillis() - 1000));
    information.expireNow();
    when(registry.getSessionInformation(anyString())).thenReturn(information);
    // No expired URL or strategy is configured on the filter
    ConcurrentSessionFilter filter = new ConcurrentSessionFilter(registry);
    filter.doFilter(request, response, new MockFilterChain());
    // Expect the expiry message to be written to the response body
    assertThat(response.getContentAsString()).contains("This session has been expired (possibly due to multiple concurrent logins being attempted as the same user).");
}
Also used: SessionInformation (org.springframework.security.core.session.SessionInformation), SessionRegistry (org.springframework.security.core.session.SessionRegistry), MockHttpServletRequest (org.springframework.mock.web.MockHttpServletRequest), MockHttpSession (org.springframework.mock.web.MockHttpSession), ConcurrentSessionFilter (org.springframework.security.web.session.ConcurrentSessionFilter), MockFilterChain (org.springframework.mock.web.MockFilterChain), MockHttpServletResponse (org.springframework.mock.web.MockHttpServletResponse), Date (java.util.Date), Test (org.junit.Test)

Example 13 with ConcurrentSessionFilter

Use of org.springframework.security.web.session.ConcurrentSessionFilter in project spring-security by spring-projects.

From the class ConcurrentSessionFilterTests, method setLogoutHandlersWhenNullThenThrowsException.

@Test(expected = IllegalArgumentException.class)
public void setLogoutHandlersWhenNullThenThrowsException() {
    ConcurrentSessionFilter filter = new ConcurrentSessionFilter(new SessionRegistryImpl());
    // A null logout handler array is expected to be rejected with IllegalArgumentException
    filter.setLogoutHandlers(null);
}
Also used: SessionRegistryImpl (org.springframework.security.core.session.SessionRegistryImpl), ConcurrentSessionFilter (org.springframework.security.web.session.ConcurrentSessionFilter), Test (org.junit.Test)
