From 1de810a565d9d10f01755712e5844f4f847cdcbe Mon Sep 17 00:00:00 2001
From: Rob Winch <rwinch@users.noreply.github.com>
Date: Wed, 17 Aug 2022 10:09:37 -0500
Subject: [PATCH] Add DeferHttpSession*Tests

Closes gh-6125
---
 .../DeferHttpSessionJavaConfigTests.java      | 120 ++++++++++++++++++
 .../http/DeferHttpSessionXmlConfigTests.java  |  81 ++++++++++++
 .../http/DeferHttpSessionTests-Explicit.xml   |  46 +++++++
 3 files changed, 247 insertions(+)
 create mode 100644 config/src/test/java/org/springframework/security/config/annotation/web/configuration/DeferHttpSessionJavaConfigTests.java
 create mode 100644 config/src/test/java/org/springframework/security/config/http/DeferHttpSessionXmlConfigTests.java
 create mode 100644 config/src/test/resources/org/springframework/security/config/http/DeferHttpSessionTests-Explicit.xml

diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configuration/DeferHttpSessionJavaConfigTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configuration/DeferHttpSessionJavaConfigTests.java
new file mode 100644
index 0000000000..1f24cf24ed
--- /dev/null
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configuration/DeferHttpSessionJavaConfigTests.java
@@ -0,0 +1,120 @@
+/*
+ * Copyright 2002-2022 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.config.annotation.web.configuration;
+
+import javax.servlet.FilterChain;
+
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.mock.web.MockHttpServletRequest;
+import org.springframework.mock.web.MockHttpServletResponse;
+import org.springframework.security.access.prepost.PreAuthorize;
+import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.test.SpringTestContext;
+import org.springframework.security.config.test.SpringTestContextExtension;
+import org.springframework.security.web.DefaultSecurityFilterChain;
+import org.springframework.security.web.FilterChainProxy;
+import org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository;
+import org.springframework.security.web.csrf.LazyCsrfTokenRepository;
+import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
+
+import static org.mockito.ArgumentMatchers.anyBoolean;
+import static org.mockito.Mockito.never;
+import static org.mockito.Mockito.spy;
+import static org.mockito.Mockito.verify;
+
+@ExtendWith(SpringTestContextExtension.class)
+public class DeferHttpSessionJavaConfigTests {
+
+	@Autowired
+	private FilterChainProxy springSecurityFilterChain;
+
+	@Autowired
+	private Service service;
+
+	public final SpringTestContext spring = new SpringTestContext(this);
+
+	@Test
+	public void explicitDeferHttpSession() throws Exception {
+		this.spring.register(DeferHttpSessionConfig.class).autowire();
+
+		MockHttpServletRequest request = new MockHttpServletRequest("GET", "/");
+		MockHttpServletRequest mockRequest = spy(request);
+		MockHttpServletResponse response = new MockHttpServletResponse();
+		FilterChain chain = (httpRequest, httpResponse) -> httpResponse.getWriter().write(this.service.getMessage());
+
+		this.springSecurityFilterChain.doFilter(mockRequest, response, chain);
+
+		verify(mockRequest, never()).getSession(anyBoolean());
+		verify(mockRequest, never()).getSession();
+	}
+
+	@Configuration
+	@EnableWebSecurity
+	@EnableMethodSecurity(prePostEnabled = true)
+	static class DeferHttpSessionConfig {
+
+		@Bean
+		Service service() {
+			return new Service();
+		}
+
+		@Bean
+		DefaultSecurityFilterChain springSecurity(HttpSecurity http) throws Exception {
+			LazyCsrfTokenRepository csrfRepository = new LazyCsrfTokenRepository(new HttpSessionCsrfTokenRepository());
+			csrfRepository.setDeferLoadToken(true);
+			HttpSessionRequestCache requestCache = new HttpSessionRequestCache();
+			requestCache.setMatchingRequestParameterName("continue");
+			// @formatter:off
+			http
+				.requestCache((cache) -> cache
+					.requestCache(requestCache)
+				)
+				.securityContext((securityContext) -> securityContext
+					.requireExplicitSave(true)
+				)
+				.authorizeHttpRequests((requests) -> requests
+					.anyRequest().permitAll()
+				)
+				.sessionManagement((sessions) -> sessions
+					.requireExplicitAuthenticationStrategy(true)
+				)
+				.csrf((csrf) -> csrf
+					.csrfRequestAttributeName("_csrf")
+					.csrfTokenRepository(csrfRepository)
+				);
+			// @formatter:on
+			return http.build();
+		}
+
+	}
+
+	public static class Service {
+
+		@PreAuthorize("permitAll")
+		public String getMessage() {
+			return "message";
+		}
+
+	}
+
+}
diff --git a/config/src/test/java/org/springframework/security/config/http/DeferHttpSessionXmlConfigTests.java b/config/src/test/java/org/springframework/security/config/http/DeferHttpSessionXmlConfigTests.java
new file mode 100644
index 0000000000..df284f29fc
--- /dev/null
+++ b/config/src/test/java/org/springframework/security/config/http/DeferHttpSessionXmlConfigTests.java
@@ -0,0 +1,81 @@
+/*
+ * Copyright 2002-2022 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.config.http;
+
+import javax.servlet.FilterChain;
+
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.mock.web.MockHttpServletRequest;
+import org.springframework.mock.web.MockHttpServletResponse;
+import org.springframework.security.access.prepost.PreAuthorize;
+import org.springframework.security.config.test.SpringTestContext;
+import org.springframework.security.config.test.SpringTestContextExtension;
+import org.springframework.security.web.FilterChainProxy;
+
+import static org.mockito.ArgumentMatchers.anyBoolean;
+import static org.mockito.Mockito.never;
+import static org.mockito.Mockito.spy;
+import static org.mockito.Mockito.verify;
+
+/**
+ * @author Rob Winch
+ */
+@ExtendWith(SpringTestContextExtension.class)
+public class DeferHttpSessionXmlConfigTests {
+
+	private static final String CONFIG_LOCATION_PREFIX = "classpath:org/springframework/security/config/http/DeferHttpSessionTests";
+
+	@Autowired
+	FilterChainProxy springSecurityFilterChain;
+
+	@Autowired
+	private Service service;
+
+	public final SpringTestContext spring = new SpringTestContext(this);
+
+	@Test
+	public void explicitDeferHttpSession() throws Exception {
+		this.spring.configLocations(xml("Explicit")).autowire();
+
+		MockHttpServletRequest request = new MockHttpServletRequest("GET", "/");
+		MockHttpServletRequest mockRequest = spy(request);
+		MockHttpServletResponse response = new MockHttpServletResponse();
+		FilterChain chain = (httpRequest, httpResponse) -> httpResponse.getWriter().write(this.service.getMessage());
+
+		this.springSecurityFilterChain.doFilter(mockRequest, response, chain);
+
+		verify(mockRequest, never()).getSession(anyBoolean());
+		verify(mockRequest, never()).getSession();
+	}
+
+	private static String xml(String configName) {
+		return CONFIG_LOCATION_PREFIX + "-" + configName + ".xml";
+	}
+
+	public static class Service {
+
+		@PreAuthorize("permitAll")
+		public String getMessage() {
+			return "message";
+		}
+
+	}
+
+}
diff --git a/config/src/test/resources/org/springframework/security/config/http/DeferHttpSessionTests-Explicit.xml b/config/src/test/resources/org/springframework/security/config/http/DeferHttpSessionTests-Explicit.xml
new file mode 100644
index 0000000000..9be33976ba
--- /dev/null
+++ b/config/src/test/resources/org/springframework/security/config/http/DeferHttpSessionTests-Explicit.xml
@@ -0,0 +1,46 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright 2002-2018 the original author or authors.
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~       https://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<b:beans xmlns:b="http://www.springframework.org/schema/beans"
+		 xmlns:p="http://www.springframework.org/schema/p"
+		 xmlns:c="http://www.springframework.org/schema/c"
+		 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+		 xmlns="http://www.springframework.org/schema/security"
+		 xsi:schemaLocation="http://www.springframework.org/schema/security https://www.springframework.org/schema/security/spring-security.xsd
+		http://www.springframework.org/schema/beans https://www.springframework.org/schema/beans/spring-beans.xsd">
+
+	<method-security pre-post-enabled="true" />
+	<b:bean class="org.springframework.security.config.http.DeferHttpSessionXmlConfigTests$Service" />
+
+	<http auto-config="true"
+			security-context-explicit-save="true"
+			use-authorization-manager="true">
+		<intercept-url  pattern="/**" access="permitAll"/>
+		<csrf request-attribute-name="_csrf"
+			token-repository-ref="csrfRepository"/>
+		<request-cache ref="requestCache"/>
+		<session-management authentication-strategy-explicit-invocation="true"/>
+	</http>
+
+	<b:bean id="requestCache" class="org.springframework.security.web.savedrequest.HttpSessionRequestCache"
+		p:matchingRequestParameterName="continue"/>
+	<b:bean id="httpSessionCsrfRepository" class="org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository"/>
+	<b:bean id="csrfRepository" class="org.springframework.security.web.csrf.LazyCsrfTokenRepository"
+		c:delegate-ref="httpSessionCsrfRepository"
+	 	p:deferLoadToken="true"/>
+	<b:import resource="CsrfConfigTests-shared-userservice.xml"/>
+</b:beans>