mirror of
https://github.com/spring-projects/spring-security.git
synced 2025-07-15 06:43:32 +00:00
SEC-1318: Correct logic for checking combination of session-management attributes.
parent
075e7a15ad
commit
1dc4bb112e
@ -213,12 +213,10 @@ class HttpConfigurationBuilder {
|
||||
}
|
||||
|
||||
if (!StringUtils.hasText(sessionFixationAttribute)) {
|
||||
if (StringUtils.hasText(sessionAuthStratRef)) {
|
||||
pc.getReaderContext().error(ATT_SESSION_FIXATION_PROTECTION + " attribute cannot be used" +
|
||||
" in combination with " + ATT_SESSION_AUTH_STRATEGY_REF, pc.extractSource(sessionCtrlElt));
|
||||
}
|
||||
|
||||
sessionFixationAttribute = OPT_SESSION_FIXATION_MIGRATE_SESSION;
|
||||
} else if (StringUtils.hasText(sessionAuthStratRef)) {
|
||||
pc.getReaderContext().error(ATT_SESSION_FIXATION_PROTECTION + " attribute cannot be used" +
|
||||
" in combination with " + ATT_SESSION_AUTH_STRATEGY_REF, pc.extractSource(sessionCtrlElt));
|
||||
}
|
||||
|
||||
boolean sessionFixationProtectionRequired = !sessionFixationAttribute.equals(OPT_SESSION_FIXATION_NO_PROTECTION);
|
||||
|
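Review bot: With the `else if` form, a configuration that sets only `session-authentication-strategy-ref` still takes the first branch, so `sessionFixationAttribute` defaults to `OPT_SESSION_FIXATION_MIGRATE_SESSION` and `sessionFixationProtectionRequired` becomes true even though an external strategy was supplied. The code that consumes that flag lies outside this hunk, so it is not visible here whether the built-in fixation-protection strategy is then skipped in favour of the referenced bean. Please confirm that, and record it above the assignment, e.g. `// Default only matters when no session-authentication-strategy-ref is set; the referenced strategy then owns session-fixation protection`. I am reading the `else if` variant as the new side because it is the one the added test requires; the page has lost its +/- markers. The rejection of the conflicting combination also presumably relies on `pc.getReaderContext().error(...)` aborting parsing, which depends on the configured problem reporter.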
@ -729,6 +729,17 @@ public class HttpSecurityBeanDefinitionParserTests {
|
||||
checkSessionRegistry();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void externalSessionStrategyIsSupported() throws Exception {
|
||||
setContext(
|
||||
"<http auto-config='true'>" +
|
||||
" <session-management session-authentication-strategy-ref='ss'/>" +
|
||||
"</http>" +
|
||||
"<b:bean id='ss' class='org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy'/>"
|
||||
+ AUTH_PROVIDER_XML);
|
||||
//session-authentication-strategy-ref
|
||||
}
|
||||
|
||||
@Test
|
||||
public void externalSessionRegistryBeanIsConfiguredCorrectly() throws Exception {
|
||||
setContext(
|
||||
|
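Review bot: `externalSessionStrategyIsSupported` asserts nothing, so it passes as soon as `setContext(...)` stops raising the parsing error and would not notice if the `ss` bean were ignored and a default strategy wired in instead. The trailing `//session-authentication-strategy-ref` looks like a leftover note; either replace it with an assertion that the strategy in use is the `ss` bean, or state the intent, e.g. `// Context must load: the ref alone, without session-fixation-protection, is a valid combination`. The corrected check also needs a negative test, since nothing in this section covers it. That test would set both `session-fixation-protection` and `session-authentication-strategy-ref` on `<session-management>` and expect the context to be rejected.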