Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-06-27 14:22:47 +00:00
Code Issues Packages Projects Releases Wiki Activity

SEC-689: Updated session fixation protection namespace support to set session registry on SessionFixationProtectionFilter.

Browse Source
This commit is contained in:
Luke Taylor 2008-03-26 14:51:16 +00:00
parent eeb14b3965
commit 1b8a3c5673
2 changed files with 24 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
core/src/main/java/org/springframework/security/config/HttpSecurityBeanDefinitionParser.java
View File

@ -116,21 +116,6 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
httpScif.getPropertyValues().addPropertyValue("forceEagerSessionCreation", Boolean.FALSE); httpScif.getPropertyValues().addPropertyValue("forceEagerSessionCreation", Boolean.FALSE);
} }
String sessionFixationAttribute = element.getAttribute(ATT_SESSION_FIXATION_PROTECTION);
if(!StringUtils.hasText(sessionFixationAttribute)) {
sessionFixationAttribute = OPT_SESSION_FIXATION_MIGRATE_SESSION;
}
if (!sessionFixationAttribute.equals(OPT_SESSION_FIXATION_NO_PROTECTION)) {
BeanDefinitionBuilder sessionFixationFilter =
BeanDefinitionBuilder.rootBeanDefinition(SessionFixationProtectionFilter.class);
sessionFixationFilter.addPropertyValue("migrateSessionAttributes",
Boolean.valueOf(sessionFixationAttribute.equals(OPT_SESSION_FIXATION_MIGRATE_SESSION)));
parserContext.getRegistry().registerBeanDefinition(BeanIds.SESSION_FIXATION_PROTECTION_FILTER,
sessionFixationFilter.getBeanDefinition());
}
BeanDefinitionBuilder filterSecurityInterceptorBuilder BeanDefinitionBuilder filterSecurityInterceptorBuilder
= BeanDefinitionBuilder.rootBeanDefinition(FilterSecurityInterceptor.class); = BeanDefinitionBuilder.rootBeanDefinition(FilterSecurityInterceptor.class);
@ -222,6 +207,24 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
new ConcurrentSessionsBeanDefinitionParser().parse(sessionControlElt, parserContext); new ConcurrentSessionsBeanDefinitionParser().parse(sessionControlElt, parserContext);
} }
String sessionFixationAttribute = element.getAttribute(ATT_SESSION_FIXATION_PROTECTION);
if(!StringUtils.hasText(sessionFixationAttribute)) {
sessionFixationAttribute = OPT_SESSION_FIXATION_MIGRATE_SESSION;
}
if (!sessionFixationAttribute.equals(OPT_SESSION_FIXATION_NO_PROTECTION)) {
BeanDefinitionBuilder sessionFixationFilter =
BeanDefinitionBuilder.rootBeanDefinition(SessionFixationProtectionFilter.class);
sessionFixationFilter.addPropertyValue("migrateSessionAttributes",
Boolean.valueOf(sessionFixationAttribute.equals(OPT_SESSION_FIXATION_MIGRATE_SESSION)));
if (sessionControlElt != null) {
sessionFixationFilter.addPropertyReference("sessionRegistry", BeanIds.SESSION_REGISTRY);
}
parserContext.getRegistry().registerBeanDefinition(BeanIds.SESSION_FIXATION_PROTECTION_FILTER,
sessionFixationFilter.getBeanDefinition());
}
boolean autoConfig = false; boolean autoConfig = false;
if ("true".equals(element.getAttribute(ATT_AUTO_CONFIG))) { if ("true".equals(element.getAttribute(ATT_AUTO_CONFIG))) {
autoConfig = true; autoConfig = true;

6
core/src/main/java/org/springframework/security/ui/SessionFixationProtectionFilter.java
View File

@ -80,7 +80,11 @@ public class SessionFixationProtectionFilter extends SpringSecurityFilter {
this.migrateSessionAttributes = migrateSessionAttributes; this.migrateSessionAttributes = migrateSessionAttributes;
} }
public int getOrder() { public void setSessionRegistry(SessionRegistry sessionRegistry) {
this.sessionRegistry = sessionRegistry;
}
public int getOrder() {
return FilterChainOrder.SESSION_FIXATION_FILTER; return FilterChainOrder.SESSION_FIXATION_FILTER;
} }