SEC-2156: Only configures COOKIE instead of SSL
Configuring SSL is only allowed for SSL-enabled applications and must be configured on its own (not in conjunction with other modes).
parent
cf0fdc2d66
commit
04b7d5ca08
@ -212,19 +212,15 @@ public abstract class AbstractSecurityWebApplicationInitializer implements WebAp
}
}
/**
/**
* Determines how a session should be tracked. By default, the following
* Determines how a session should be tracked. By default,
* modes are used:
* {@link SessionTrackingMode#COOKIE} is used.
*
* <ul>
* <li> {@link SessionTrackingMode#COOKIE}</li>
* <li> {@link SessionTrackingMode#SSL}</li>
* </ul>
*
*
* <p>
* <p>
* Note that {@link SessionTrackingMode#URL} is intentionally omitted to
* Note that {@link SessionTrackingMode#URL} is intentionally omitted to
* help protected against <a
* help protected against <a
* href="http://en.wikipedia.org/wiki/Session_fixation">session fixation
* href="http://en.wikipedia.org/wiki/Session_fixation">session fixation
* attacks</a>.
* attacks</a>. {@link SessionTrackingMode#SSL} is omitted because SSL
* configuration is required for this to work.
* </p>
* </p>
*
*
* <p>
* <p>
@ -236,7 +232,6 @@ public abstract class AbstractSecurityWebApplicationInitializer implements WebAp
protected Set<SessionTrackingMode> getSessionTrackingModes() {
protected Set<SessionTrackingMode> getSessionTrackingModes() {
Set<SessionTrackingMode> modes = new HashSet<SessionTrackingMode>();
Set<SessionTrackingMode> modes = new HashSet<SessionTrackingMode>();
modes.add(SessionTrackingMode.COOKIE);
modes.add(SessionTrackingMode.COOKIE);
modes.add(SessionTrackingMode.SSL);
return modes;
return modes;
}
}
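Review bot: The new Javadoc sentence beginning `attacks</a>. {@link SessionTrackingMode#SSL} is omitted because SSL` gives a weaker reason than the commit message does: the constraint stated there is that SSL tracking is only accepted on its own, so a default of `{COOKIE, SSL}` was presumably never a valid argument to `setSessionTrackingModes`, and an override that mixes SSL with another mode will hit the same problem. I would document that where the mode is explained, e.g. `* {@link SessionTrackingMode#SSL} is omitted because it requires an SSL-enabled connector and cannot be combined with any other tracking mode; to use it, override this method to return SSL only.` The same paragraph still reads `help protected against`, which should be `help protect against`. Since the default is now cookie-only, the session cookie's `httpOnly`/`secure` attributes carry the protection; nothing in these hunks sets them and I cannot see the rest of `onStartup`, so a one-line note that they remain the container's (`SessionCookieConfig`) responsibility is worth confirming and adding. The Javadoc block continues past the end of the first hunk, and `getSessionTrackingModes` is shown in the second.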
@ -248,7 +248,7 @@ class AbstractSecurityWebApplicationInitializerTests extends Specification {
new AbstractSecurityWebApplicationInitializer(){ }.onStartup(context)
new AbstractSecurityWebApplicationInitializer(){ }.onStartup(context)
then:
then:
1 * context.addFilter("springSecurityFilterChain", {DelegatingFilterProxy f -> f.targetBeanName == "springSecurityFilterChain" && f.contextAttribute == null}) >> registration
1 * context.addFilter("springSecurityFilterChain", {DelegatingFilterProxy f -> f.targetBeanName == "springSecurityFilterChain" && f.contextAttribute == null}) >> registration
1 * context.setSessionTrackingModes({Set<SessionTrackingMode> modes -> modes.size() == 2 && modes.containsAll([SessionTrackingMode.COOKIE, SessionTrackingMode.SSL]) })
1 * context.setSessionTrackingModes({Set<SessionTrackingMode> modes -> modes.size() == 1 && modes.containsAll([SessionTrackingMode.COOKIE]) })
}
}
def "sessionTrackingModes override"() {
def "sessionTrackingModes override"() {
@ -259,12 +259,12 @@ class AbstractSecurityWebApplicationInitializerTests extends Specification {
new AbstractSecurityWebApplicationInitializer(){
new AbstractSecurityWebApplicationInitializer(){
@Override
@Override
public Set<SessionTrackingMode> getSessionTrackingModes() {
public Set<SessionTrackingMode> getSessionTrackingModes() {
return [SessionTrackingMode.COOKIE]
return [SessionTrackingMode.SSL]
}
}
}.onStartup(context)
}.onStartup(context)
then:
then:
1 * context.addFilter("springSecurityFilterChain", {DelegatingFilterProxy f -> f.targetBeanName == "springSecurityFilterChain" && f.contextAttribute == null}) >> registration
1 * context.addFilter("springSecurityFilterChain", {DelegatingFilterProxy f -> f.targetBeanName == "springSecurityFilterChain" && f.contextAttribute == null}) >> registration
1 * context.setSessionTrackingModes({Set<SessionTrackingMode> modes -> modes.size() == 1 && modes.containsAll([SessionTrackingMode.COOKIE]) })
1 * context.setSessionTrackingModes({Set<SessionTrackingMode> modes -> modes.size() == 1 && modes.containsAll([SessionTrackingMode.SSL]) })
}
}
def "appendFilters filters with null"() {
def "appendFilters filters with null"() {
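Review bot: The expectation `modes.size() == 1 && modes.containsAll([SessionTrackingMode.COOKIE])` and its SSL twin in the override test spell "exactly this one mode" as a size check plus containsAll; a set comparison states it directly and gives a readable value on failure: `modes == [SessionTrackingMode.COOKIE] as Set` and `modes == [SessionTrackingMode.SSL] as Set`. The override test now returns SSL alone, which the commit message describes as the only way SSL may be configured, so a one-line comment in that test saying it exercises the SSL-only override would keep that intent from being lost on the next edit. Both tests' `given:` sections start before their hunks.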