SEC-1142: Support for session timeout detection. Added namespace support for invalid-session-url

2009-08-07 23:57:10 +00:00 · 2009-08-07 23:57:10 +00:00 · 229866e293
parent c12e5b4d0b
commit 229866e293
4 changed files with 1729 additions and 1673 deletions
--- a/config/src/main/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParser.java
+++ b/config/src/main/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParser.java
@ -132,6 +132,8 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {

    private static final String ATT_USE_EXPRESSIONS = "use-expressions";

+    private static final String ATT_INVALID_SESSION_URL = "invalid-session-url";
+
    private static final String ATT_SECURITY_CONTEXT_REPOSITORY = "security-context-repository-ref";

    private static final String ATT_DISABLE_URL_REWRITING = "disable-url-rewriting";
@ -216,12 +218,13 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
        requestCacheAwareFilter.getPropertyValues().addPropertyValue("requestCache", requestCache);

        BeanDefinition etf = createExceptionTranslationFilter(element, pc, requestCache);
-        RootBeanDefinition sfpf = createSessionFixationProtectionFilter(pc, element.getAttribute(ATT_SESSION_FIXATION_PROTECTION),
-                sessionRegistryRef, contextRepoRef);
+        RootBeanDefinition sfpf = createSessionManagementFilter(element, pc, sessionRegistryRef, contextRepoRef);
        BeanReference sessionStrategyRef = null;

        if (sfpf != null) {
-            sessionStrategyRef = (BeanReference) sfpf.getPropertyValues().getPropertyValue("authenticatedSessionStrategy").getValue();
+            PropertyValue sessionStrategyPV = sfpf.getPropertyValues().getPropertyValue("authenticatedSessionStrategy");
+
+            sessionStrategyRef = (BeanReference) (sessionStrategyPV == null ? null : sessionStrategyPV.getValue());
        }
        BeanDefinition fsi = createFilterSecurityInterceptor(element, pc, matcher, convertPathsToLowerCase, authenticationManager);

@ -919,31 +922,45 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
        return channelFilter;
    }

-    private RootBeanDefinition createSessionFixationProtectionFilter(ParserContext pc, String sessionFixationAttribute,
+    private RootBeanDefinition createSessionManagementFilter(Element elt, ParserContext pc,
            BeanReference sessionRegistryRef, BeanReference contextRepoRef) {
-        if(!StringUtils.hasText(sessionFixationAttribute)) {
+        String sessionFixationAttribute = elt.getAttribute(ATT_SESSION_FIXATION_PROTECTION);
+        String invalidSessionUrl = elt.getAttribute(ATT_INVALID_SESSION_URL);
+
+        if (!StringUtils.hasText(sessionFixationAttribute)) {
            sessionFixationAttribute = OPT_SESSION_FIXATION_MIGRATE_SESSION;
        }

-        if (!sessionFixationAttribute.equals(OPT_SESSION_FIXATION_NO_PROTECTION)) {
+        boolean sessionFixationProtectionRequired = !sessionFixationAttribute.equals(OPT_SESSION_FIXATION_NO_PROTECTION);
+
+        if (sessionFixationProtectionRequired || StringUtils.hasText(invalidSessionUrl)) {
            BeanDefinitionBuilder sessionFixationFilter =
                BeanDefinitionBuilder.rootBeanDefinition(SessionManagementFilter.class);
            sessionFixationFilter.addConstructorArgValue(contextRepoRef);

-            BeanDefinitionBuilder sessionStrategy = BeanDefinitionBuilder.rootBeanDefinition(DefaultAuthenticatedSessionStrategy.class);
+            if (sessionFixationProtectionRequired) {
+                BeanDefinitionBuilder sessionStrategy = BeanDefinitionBuilder.rootBeanDefinition(DefaultAuthenticatedSessionStrategy.class);
+
+                sessionStrategy.addPropertyValue("migrateSessionAttributes",
+                        Boolean.valueOf(sessionFixationAttribute.equals(OPT_SESSION_FIXATION_MIGRATE_SESSION)));
+                if (sessionRegistryRef != null) {
+                    sessionStrategy.addPropertyValue("sessionRegistry", sessionRegistryRef);
+                }
+
+                BeanDefinition strategyBean = sessionStrategy.getBeanDefinition();
+                String id = pc.getReaderContext().registerWithGeneratedName(strategyBean);
+                pc.registerBeanComponent(new BeanComponentDefinition(strategyBean, id));
+                sessionFixationFilter.addPropertyReference("authenticatedSessionStrategy", id);

-            sessionStrategy.addPropertyValue("migrateSessionAttributes",
-                    Boolean.valueOf(sessionFixationAttribute.equals(OPT_SESSION_FIXATION_MIGRATE_SESSION)));
-            if (sessionRegistryRef != null) {
-                sessionStrategy.addPropertyValue("sessionRegistry", sessionRegistryRef);
            }

-            BeanDefinition strategyBean = sessionStrategy.getBeanDefinition();
-            String id = pc.getReaderContext().registerWithGeneratedName(strategyBean);
-            pc.registerBeanComponent(new BeanComponentDefinition(strategyBean, id));
-            sessionFixationFilter.addPropertyReference("authenticatedSessionStrategy", id);
+            if (StringUtils.hasText(invalidSessionUrl)) {
+                sessionFixationFilter.addPropertyValue("invalidSessionUrl", invalidSessionUrl);
+            }
+
            return (RootBeanDefinition) sessionFixationFilter.getBeanDefinition();
        }
+
        return null;
    }

--- a/config/src/main/resources/org/springframework/security/config/spring-security-3.0.rnc
+++ b/config/src/main/resources/org/springframework/security/config/spring-security-3.0.rnc
@ -286,7 +286,10 @@ http.attlist &=
 http.attlist &=
    ##  
    attribute disable-url-rewriting {boolean}? 
-
+http.attlist &=
+    ## The URL to which a user will be redirected if they submit an invalid session indentifier. Typically used to detect session timeouts.
+    attribute invalid-session-url {xsd:token}? 
+    
 access-denied-handler = 
    ## Defines the access-denied strategy that should be used. An access denied page can be defined or a reference to an AccessDeniedHandler instance. 
    element access-denied-handler {access-denied-handler.attlist, empty}
--- a/config/src/main/resources/org/springframework/security/config/spring-security-3.0.xsd
+++ b/config/src/main/resources/org/springframework/security/config/spring-security-3.0.xsd
--- a/config/src/test/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParserTests.java
+++ b/config/src/test/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParserTests.java
@ -737,7 +737,7 @@ public class HttpSecurityBeanDefinitionParserTests {
    }

    @Test
-    public void disablingSessionProtectionRemovesFilter() throws Exception {
+    public void disablingSessionProtectionRemovesSessionManagementFilterIfNoInvalidSessionUrlSet() throws Exception {
        setContext(
                "<http auto-config='true' session-fixation-protection='none'/>" + AUTH_PROVIDER_XML);
        List<Filter> filters = getFilters("/someurl");
@ -745,6 +745,17 @@ public class HttpSecurityBeanDefinitionParserTests {
        assertFalse(filters.get(9) instanceof SessionManagementFilter);
    }

+    @Test
+    public void disablingSessionProtectionRetainsSessionManagementFilterInvalidSessionUrlSet() throws Exception {
+        setContext(
+                "<http auto-config='true' session-fixation-protection='none'" +
+                " invalid-session-url='/timeoutUrl' />" + AUTH_PROVIDER_XML);
+        List<Filter> filters = getFilters("/someurl");
+        Object filter = filters.get(9);
+        assertTrue(filter instanceof SessionManagementFilter);
+        assertEquals("/timeoutUrl", FieldUtils.getProtectedFieldValue("invalidSessionUrl", filter));
+    }
+
    /**
     * See SEC-750. If the http security post processor causes beans to be instantiated too eagerly, they way miss
     * additional processing. In this method we have a UserDetailsService which is referenced from the namespace