SEC-1142: Support for session timeout detection. Added namespace support for invalid-session-url
parent
c12e5b4d0b
commit
229866e293
|
@ -132,6 +132,8 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
|
||||||
|
|
||||||
private static final String ATT_USE_EXPRESSIONS = "use-expressions";
|
private static final String ATT_USE_EXPRESSIONS = "use-expressions";
|
||||||
|
|
||||||
|
private static final String ATT_INVALID_SESSION_URL = "invalid-session-url";
|
||||||
|
|
||||||
private static final String ATT_SECURITY_CONTEXT_REPOSITORY = "security-context-repository-ref";
|
private static final String ATT_SECURITY_CONTEXT_REPOSITORY = "security-context-repository-ref";
|
||||||
|
|
||||||
private static final String ATT_DISABLE_URL_REWRITING = "disable-url-rewriting";
|
private static final String ATT_DISABLE_URL_REWRITING = "disable-url-rewriting";
|
||||||
|
@ -216,12 +218,13 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
|
||||||
requestCacheAwareFilter.getPropertyValues().addPropertyValue("requestCache", requestCache);
|
requestCacheAwareFilter.getPropertyValues().addPropertyValue("requestCache", requestCache);
|
||||||
|
|
||||||
BeanDefinition etf = createExceptionTranslationFilter(element, pc, requestCache);
|
BeanDefinition etf = createExceptionTranslationFilter(element, pc, requestCache);
|
||||||
RootBeanDefinition sfpf = createSessionFixationProtectionFilter(pc, element.getAttribute(ATT_SESSION_FIXATION_PROTECTION),
|
RootBeanDefinition sfpf = createSessionManagementFilter(element, pc, sessionRegistryRef, contextRepoRef);
|
||||||
sessionRegistryRef, contextRepoRef);
|
|
||||||
BeanReference sessionStrategyRef = null;
|
BeanReference sessionStrategyRef = null;
|
||||||
|
|
||||||
if (sfpf != null) {
|
if (sfpf != null) {
|
||||||
sessionStrategyRef = (BeanReference) sfpf.getPropertyValues().getPropertyValue("authenticatedSessionStrategy").getValue();
|
PropertyValue sessionStrategyPV = sfpf.getPropertyValues().getPropertyValue("authenticatedSessionStrategy");
|
||||||
|
|
||||||
|
sessionStrategyRef = (BeanReference) (sessionStrategyPV == null ? null : sessionStrategyPV.getValue());
|
||||||
}
|
}
|
||||||
BeanDefinition fsi = createFilterSecurityInterceptor(element, pc, matcher, convertPathsToLowerCase, authenticationManager);
|
BeanDefinition fsi = createFilterSecurityInterceptor(element, pc, matcher, convertPathsToLowerCase, authenticationManager);
|
||||||
|
|
||||||
|
@ -919,31 +922,45 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
|
||||||
return channelFilter;
|
return channelFilter;
|
||||||
}
|
}
|
||||||
|
|
||||||
private RootBeanDefinition createSessionFixationProtectionFilter(ParserContext pc, String sessionFixationAttribute,
|
private RootBeanDefinition createSessionManagementFilter(Element elt, ParserContext pc,
|
||||||
BeanReference sessionRegistryRef, BeanReference contextRepoRef) {
|
BeanReference sessionRegistryRef, BeanReference contextRepoRef) {
|
||||||
if(!StringUtils.hasText(sessionFixationAttribute)) {
|
String sessionFixationAttribute = elt.getAttribute(ATT_SESSION_FIXATION_PROTECTION);
|
||||||
|
String invalidSessionUrl = elt.getAttribute(ATT_INVALID_SESSION_URL);
|
||||||
|
|
||||||
|
if (!StringUtils.hasText(sessionFixationAttribute)) {
|
||||||
sessionFixationAttribute = OPT_SESSION_FIXATION_MIGRATE_SESSION;
|
sessionFixationAttribute = OPT_SESSION_FIXATION_MIGRATE_SESSION;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!sessionFixationAttribute.equals(OPT_SESSION_FIXATION_NO_PROTECTION)) {
|
boolean sessionFixationProtectionRequired = !sessionFixationAttribute.equals(OPT_SESSION_FIXATION_NO_PROTECTION);
|
||||||
|
|
||||||
|
if (sessionFixationProtectionRequired || StringUtils.hasText(invalidSessionUrl)) {
|
||||||
BeanDefinitionBuilder sessionFixationFilter =
|
BeanDefinitionBuilder sessionFixationFilter =
|
||||||
BeanDefinitionBuilder.rootBeanDefinition(SessionManagementFilter.class);
|
BeanDefinitionBuilder.rootBeanDefinition(SessionManagementFilter.class);
|
||||||
sessionFixationFilter.addConstructorArgValue(contextRepoRef);
|
sessionFixationFilter.addConstructorArgValue(contextRepoRef);
|
||||||
|
|
||||||
BeanDefinitionBuilder sessionStrategy = BeanDefinitionBuilder.rootBeanDefinition(DefaultAuthenticatedSessionStrategy.class);
|
if (sessionFixationProtectionRequired) {
|
||||||
|
BeanDefinitionBuilder sessionStrategy = BeanDefinitionBuilder.rootBeanDefinition(DefaultAuthenticatedSessionStrategy.class);
|
||||||
|
|
||||||
|
sessionStrategy.addPropertyValue("migrateSessionAttributes",
|
||||||
|
Boolean.valueOf(sessionFixationAttribute.equals(OPT_SESSION_FIXATION_MIGRATE_SESSION)));
|
||||||
|
if (sessionRegistryRef != null) {
|
||||||
|
sessionStrategy.addPropertyValue("sessionRegistry", sessionRegistryRef);
|
||||||
|
}
|
||||||
|
|
||||||
|
BeanDefinition strategyBean = sessionStrategy.getBeanDefinition();
|
||||||
|
String id = pc.getReaderContext().registerWithGeneratedName(strategyBean);
|
||||||
|
pc.registerBeanComponent(new BeanComponentDefinition(strategyBean, id));
|
||||||
|
sessionFixationFilter.addPropertyReference("authenticatedSessionStrategy", id);
|
||||||
|
|
||||||
sessionStrategy.addPropertyValue("migrateSessionAttributes",
|
|
||||||
Boolean.valueOf(sessionFixationAttribute.equals(OPT_SESSION_FIXATION_MIGRATE_SESSION)));
|
|
||||||
if (sessionRegistryRef != null) {
|
|
||||||
sessionStrategy.addPropertyValue("sessionRegistry", sessionRegistryRef);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
BeanDefinition strategyBean = sessionStrategy.getBeanDefinition();
|
if (StringUtils.hasText(invalidSessionUrl)) {
|
||||||
String id = pc.getReaderContext().registerWithGeneratedName(strategyBean);
|
sessionFixationFilter.addPropertyValue("invalidSessionUrl", invalidSessionUrl);
|
||||||
pc.registerBeanComponent(new BeanComponentDefinition(strategyBean, id));
|
}
|
||||||
sessionFixationFilter.addPropertyReference("authenticatedSessionStrategy", id);
|
|
||||||
return (RootBeanDefinition) sessionFixationFilter.getBeanDefinition();
|
return (RootBeanDefinition) sessionFixationFilter.getBeanDefinition();
|
||||||
}
|
}
|
||||||
|
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
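Review bot: When `session-fixation-protection='none'` is combined with `invalid-session-url`, createSessionManagementFilter now builds the SessionManagementFilter without ever setting `authenticatedSessionStrategy` (the whole `if (sessionFixationProtectionRequired)` block is skipped), and the caller's new guard `sessionStrategyRef = (BeanReference) (sessionStrategyPV == null ? null : sessionStrategyPV.getValue());` only protects the parser from the missing property. Whether the filter itself tolerates a null strategy on an authenticated request is not visible here (SessionManagementFilter is not part of this commit); if it does not, that configuration would fail at request time instead of at parse time, so either a no-op strategy should be set in the else case or the parser should reject the combination. Now that the method has two independent triggers it deserves a Javadoc stating the contract, e.g. `/** Creates the SessionManagementFilter when session-fixation protection is enabled or an invalid-session-url is set; returns null, and registers no filter, when neither applies. */`. The local `sessionFixationFilter` also covers the timeout-detection-only case now; `sessionMgmtFilter` would read more accurately.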
@ -286,6 +286,9 @@ http.attlist &=
|
||||||
http.attlist &=
|
http.attlist &=
|
||||||
##
|
##
|
||||||
attribute disable-url-rewriting {boolean}?
|
attribute disable-url-rewriting {boolean}?
|
||||||
|
http.attlist &=
|
||||||
|
## The URL to which a user will be redirected if they submit an invalid session indentifier. Typically used to detect session timeouts.
|
||||||
|
attribute invalid-session-url {xsd:token}?
|
||||||
|
|
||||||
access-denied-handler =
|
access-denied-handler =
|
||||||
## Defines the access-denied strategy that should be used. An access denied page can be defined or a reference to an AccessDeniedHandler instance.
|
## Defines the access-denied strategy that should be used. An access denied page can be defined or a reference to an AccessDeniedHandler instance.
|
||||||
|
|
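Review bot: The new attribute description `## The URL to which a user will be redirected if they submit an invalid session indentifier.` misspells "identifier", and this text is carried into the generated schema documentation users see in their IDE; it should read `## The URL to which a user will be redirected if they submit an invalid session identifier. Typically used to detect session timeouts.`. It would also help to state here that the attribute takes effect even when session-fixation-protection is set to 'none', since the parser change in this commit registers the filter for that case.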
|
@ -737,7 +737,7 @@ public class HttpSecurityBeanDefinitionParserTests {
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void disablingSessionProtectionRemovesFilter() throws Exception {
|
public void disablingSessionProtectionRemovesSessionManagementFilterIfNoInvalidSessionUrlSet() throws Exception {
|
||||||
setContext(
|
setContext(
|
||||||
"<http auto-config='true' session-fixation-protection='none'/>" + AUTH_PROVIDER_XML);
|
"<http auto-config='true' session-fixation-protection='none'/>" + AUTH_PROVIDER_XML);
|
||||||
List<Filter> filters = getFilters("/someurl");
|
List<Filter> filters = getFilters("/someurl");
|
||||||
|
@ -745,6 +745,17 @@ public class HttpSecurityBeanDefinitionParserTests {
|
||||||
assertFalse(filters.get(9) instanceof SessionManagementFilter);
|
assertFalse(filters.get(9) instanceof SessionManagementFilter);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void disablingSessionProtectionRetainsSessionManagementFilterInvalidSessionUrlSet() throws Exception {
|
||||||
|
setContext(
|
||||||
|
"<http auto-config='true' session-fixation-protection='none'" +
|
||||||
|
" invalid-session-url='/timeoutUrl' />" + AUTH_PROVIDER_XML);
|
||||||
|
List<Filter> filters = getFilters("/someurl");
|
||||||
|
Object filter = filters.get(9);
|
||||||
|
assertTrue(filter instanceof SessionManagementFilter);
|
||||||
|
assertEquals("/timeoutUrl", FieldUtils.getProtectedFieldValue("invalidSessionUrl", filter));
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* See SEC-750. If the http security post processor causes beans to be instantiated too eagerly, they way miss
|
* See SEC-750. If the http security post processor causes beans to be instantiated too eagerly, they way miss
|
||||||
* additional processing. In this method we have a UserDetailsService which is referenced from the namespace
|
* additional processing. In this method we have a UserDetailsService which is referenced from the namespace
|
||||||
|
|
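Review bot: The new test `disablingSessionProtectionRetainsSessionManagementFilterInvalidSessionUrlSet` only checks `invalidSessionUrl`, while the distinguishing effect of this configuration in the parser is that the filter is built with no `authenticatedSessionStrategy`, and nothing pins that. If the filter is meant to run without a strategy in this mode, an assertion such as `assertNull(FieldUtils.getProtectedFieldValue("authenticatedSessionStrategy", filter));` would document the intent (assuming that field name matches the filter's property, which is not visible here). The hard-coded `filters.get(9)` index, shared with the sibling test, is brittle against any change in filter ordering; locating the filter by type would make both tests independent of position. The name also reads oddly next to its sibling; `disablingSessionProtectionRetainsSessionManagementFilterIfInvalidSessionUrlSet` mirrors the existing `...IfNoInvalidSessionUrlSet`.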