SEC-1142: Support for session timeout detection. Added namespace support for invalid-session-url

Luke Taylor 2009-08-07 23:57:10 +00:00
parent c12e5b4d0b
commit 229866e293
4 changed files with 1729 additions and 1673 deletions


@ -132,6 +132,8 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
private static final String ATT_USE_EXPRESSIONS = "use-expressions"; private static final String ATT_USE_EXPRESSIONS = "use-expressions";
private static final String ATT_INVALID_SESSION_URL = "invalid-session-url";
private static final String ATT_SECURITY_CONTEXT_REPOSITORY = "security-context-repository-ref"; private static final String ATT_SECURITY_CONTEXT_REPOSITORY = "security-context-repository-ref";
private static final String ATT_DISABLE_URL_REWRITING = "disable-url-rewriting"; private static final String ATT_DISABLE_URL_REWRITING = "disable-url-rewriting";
@ -216,12 +218,13 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
requestCacheAwareFilter.getPropertyValues().addPropertyValue("requestCache", requestCache); requestCacheAwareFilter.getPropertyValues().addPropertyValue("requestCache", requestCache);
BeanDefinition etf = createExceptionTranslationFilter(element, pc, requestCache); BeanDefinition etf = createExceptionTranslationFilter(element, pc, requestCache);
RootBeanDefinition sfpf = createSessionFixationProtectionFilter(pc, element.getAttribute(ATT_SESSION_FIXATION_PROTECTION), RootBeanDefinition sfpf = createSessionManagementFilter(element, pc, sessionRegistryRef, contextRepoRef);
sessionRegistryRef, contextRepoRef);
BeanReference sessionStrategyRef = null; BeanReference sessionStrategyRef = null;
if (sfpf != null) { if (sfpf != null) {
sessionStrategyRef = (BeanReference) sfpf.getPropertyValues().getPropertyValue("authenticatedSessionStrategy").getValue(); PropertyValue sessionStrategyPV = sfpf.getPropertyValues().getPropertyValue("authenticatedSessionStrategy");
sessionStrategyRef = (BeanReference) (sessionStrategyPV == null ? null : sessionStrategyPV.getValue());
} }
BeanDefinition fsi = createFilterSecurityInterceptor(element, pc, matcher, convertPathsToLowerCase, authenticationManager); BeanDefinition fsi = createFilterSecurityInterceptor(element, pc, matcher, convertPathsToLowerCase, authenticationManager);
@ -919,31 +922,45 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
return channelFilter; return channelFilter;
} }
private RootBeanDefinition createSessionFixationProtectionFilter(ParserContext pc, String sessionFixationAttribute, private RootBeanDefinition createSessionManagementFilter(Element elt, ParserContext pc,
BeanReference sessionRegistryRef, BeanReference contextRepoRef) { BeanReference sessionRegistryRef, BeanReference contextRepoRef) {
if(!StringUtils.hasText(sessionFixationAttribute)) { String sessionFixationAttribute = elt.getAttribute(ATT_SESSION_FIXATION_PROTECTION);
String invalidSessionUrl = elt.getAttribute(ATT_INVALID_SESSION_URL);
if (!StringUtils.hasText(sessionFixationAttribute)) {
sessionFixationAttribute = OPT_SESSION_FIXATION_MIGRATE_SESSION; sessionFixationAttribute = OPT_SESSION_FIXATION_MIGRATE_SESSION;
} }
if (!sessionFixationAttribute.equals(OPT_SESSION_FIXATION_NO_PROTECTION)) { boolean sessionFixationProtectionRequired = !sessionFixationAttribute.equals(OPT_SESSION_FIXATION_NO_PROTECTION);
if (sessionFixationProtectionRequired || StringUtils.hasText(invalidSessionUrl)) {
BeanDefinitionBuilder sessionFixationFilter = BeanDefinitionBuilder sessionFixationFilter =
BeanDefinitionBuilder.rootBeanDefinition(SessionManagementFilter.class); BeanDefinitionBuilder.rootBeanDefinition(SessionManagementFilter.class);
sessionFixationFilter.addConstructorArgValue(contextRepoRef); sessionFixationFilter.addConstructorArgValue(contextRepoRef);
BeanDefinitionBuilder sessionStrategy = BeanDefinitionBuilder.rootBeanDefinition(DefaultAuthenticatedSessionStrategy.class); if (sessionFixationProtectionRequired) {
BeanDefinitionBuilder sessionStrategy = BeanDefinitionBuilder.rootBeanDefinition(DefaultAuthenticatedSessionStrategy.class);
sessionStrategy.addPropertyValue("migrateSessionAttributes",
Boolean.valueOf(sessionFixationAttribute.equals(OPT_SESSION_FIXATION_MIGRATE_SESSION)));
if (sessionRegistryRef != null) {
sessionStrategy.addPropertyValue("sessionRegistry", sessionRegistryRef);
}
BeanDefinition strategyBean = sessionStrategy.getBeanDefinition();
String id = pc.getReaderContext().registerWithGeneratedName(strategyBean);
pc.registerBeanComponent(new BeanComponentDefinition(strategyBean, id));
sessionFixationFilter.addPropertyReference("authenticatedSessionStrategy", id);
sessionStrategy.addPropertyValue("migrateSessionAttributes",
Boolean.valueOf(sessionFixationAttribute.equals(OPT_SESSION_FIXATION_MIGRATE_SESSION)));
if (sessionRegistryRef != null) {
sessionStrategy.addPropertyValue("sessionRegistry", sessionRegistryRef);
} }
BeanDefinition strategyBean = sessionStrategy.getBeanDefinition(); if (StringUtils.hasText(invalidSessionUrl)) {
String id = pc.getReaderContext().registerWithGeneratedName(strategyBean); sessionFixationFilter.addPropertyValue("invalidSessionUrl", invalidSessionUrl);
pc.registerBeanComponent(new BeanComponentDefinition(strategyBean, id)); }
sessionFixationFilter.addPropertyReference("authenticatedSessionStrategy", id);
return (RootBeanDefinition) sessionFixationFilter.getBeanDefinition(); return (RootBeanDefinition) sessionFixationFilter.getBeanDefinition();
} }
return null; return null;
} }
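Review bot: In createSessionManagementFilter the value read from `elt.getAttribute(ATT_INVALID_SESSION_URL)` is handed to the filter's `invalidSessionUrl` property with only a `hasText` check, so a value without a leading slash or a full external URL is accepted at parse time and only misbehaves (fails to resolve, or redirects off-site) when a stale session id arrives; since the rest of the parser already has the reader context at hand, a parse-time rejection such as `if (StringUtils.hasText(invalidSessionUrl) && !invalidSessionUrl.startsWith("/")) { pc.getReaderContext().error("invalid-session-url must be a context-relative path", elt); }` would surface the misconfiguration at startup. When `session-fixation-protection='none'` the filter is now registered with `invalidSessionUrl` but no `authenticatedSessionStrategy`; the caller was adjusted for the missing property, but whether SessionManagementFilter itself tolerates a null strategy depends on changes outside this section, so a one-line comment at the `if (sessionFixationProtectionRequired)` branch stating that the strategy is optional would help the next reader. Because the filter will presumably redirect every request carrying an invalid session id, the configured target must itself be reachable without a valid session or a client holding an old cookie will loop; worth noting in the schema documentation or here. Finally, the builder is still named `sessionFixationFilter` although it may now be created purely for timeout detection; `sessionMgmtFilter` would match the new method name.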


@ -286,6 +286,9 @@ http.attlist &=
http.attlist &= http.attlist &=
## ##
attribute disable-url-rewriting {boolean}? attribute disable-url-rewriting {boolean}?
http.attlist &=
## The URL to which a user will be redirected if they submit an invalid session indentifier. Typically used to detect session timeouts.
attribute invalid-session-url {xsd:token}?
access-denied-handler = access-denied-handler =
## Defines the access-denied strategy that should be used. An access denied page can be defined or a reference to an AccessDeniedHandler instance. ## Defines the access-denied strategy that should be used. An access denied page can be defined or a reference to an AccessDeniedHandler instance.
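Review bot: The new attribute documentation misspells "indentifier"; it should read `## The URL to which a user will be redirected if they submit an invalid session identifier. Typically used to detect session timeouts.`. It would also be worth stating that the attribute takes effect even when session-fixation-protection is 'none', since that is the combination the parser change specifically enables and it is not obvious from the schema alone.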


@ -737,7 +737,7 @@ public class HttpSecurityBeanDefinitionParserTests {
} }
@Test @Test
public void disablingSessionProtectionRemovesFilter() throws Exception { public void disablingSessionProtectionRemovesSessionManagementFilterIfNoInvalidSessionUrlSet() throws Exception {
setContext( setContext(
"<http auto-config='true' session-fixation-protection='none'/>" + AUTH_PROVIDER_XML); "<http auto-config='true' session-fixation-protection='none'/>" + AUTH_PROVIDER_XML);
List<Filter> filters = getFilters("/someurl"); List<Filter> filters = getFilters("/someurl");
@ -745,6 +745,17 @@ public class HttpSecurityBeanDefinitionParserTests {
assertFalse(filters.get(9) instanceof SessionManagementFilter); assertFalse(filters.get(9) instanceof SessionManagementFilter);
} }
@Test
public void disablingSessionProtectionRetainsSessionManagementFilterInvalidSessionUrlSet() throws Exception {
setContext(
"<http auto-config='true' session-fixation-protection='none'" +
" invalid-session-url='/timeoutUrl' />" + AUTH_PROVIDER_XML);
List<Filter> filters = getFilters("/someurl");
Object filter = filters.get(9);
assertTrue(filter instanceof SessionManagementFilter);
assertEquals("/timeoutUrl", FieldUtils.getProtectedFieldValue("invalidSessionUrl", filter));
}
/** /**
* See SEC-750. If the http security post processor causes beans to be instantiated too eagerly, they way miss * See SEC-750. If the http security post processor causes beans to be instantiated too eagerly, they way miss
* additional processing. In this method we have a UserDetailsService which is referenced from the namespace * additional processing. In this method we have a UserDetailsService which is referenced from the namespace
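Review bot: The added test only covers the `session-fixation-protection='none'` plus `invalid-session-url` combination; the default case, where session fixation protection is on and invalid-session-url is also set, is the common production configuration and is not exercised, so a regression that drops either the `authenticatedSessionStrategy` reference or the `invalidSessionUrl` value in that branch would go unnoticed. A second test along the lines below, asserting both fields on the filter at the same index the existing tests use, would close that gap. The new test also relies on the hard-coded filter position `filters.get(9)`, as the neighbouring tests do; an `instanceof` scan of the list would be less brittle if the filter order changes.
```java
@Test
public void sessionFixationProtectionAndInvalidSessionUrlAreBothSet() throws Exception {
    setContext(
            "<http auto-config='true' invalid-session-url='/timeoutUrl' />" + AUTH_PROVIDER_XML);
    List<Filter> filters = getFilters("/someurl");
    Object filter = filters.get(9);
    assertTrue(filter instanceof SessionManagementFilter);
    assertEquals("/timeoutUrl", FieldUtils.getProtectedFieldValue("invalidSessionUrl", filter));
    assertNotNull(FieldUtils.getProtectedFieldValue("authenticatedSessionStrategy", filter));
}
```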