Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-07-07 03:02:23 +00:00
Code Issues Packages Projects Releases Wiki Activity

SEC-689: Further tests, logging improvements.

Browse Source
This commit is contained in:
Luke Taylor 2008-03-26 00:00:56 +00:00
parent a29842a467
commit 2af2f299cb
3 changed files with 53 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
core/src/main/java/org/springframework/security/ui/SessionFixationProtectionFilter.java
View File

@ -99,13 +99,16 @@ public class SessionFixationProtectionFilter extends SpringSecurityFilter {
/** /**
* Response wrapper to handle the situation where we need to migrate the session after a redirect or sendError. * Response wrapper to handle the situation where we need to migrate the session after a redirect or sendError.
* Similar in function to Martin Algesten's OnRedirectUpdateSessionResponseWrapper used in * Similar in function to Martin Algesten's OnRedirectUpdateSessionResponseWrapper used in
* HttpSessionContextIntegrationFilter. * HttpSessionContextIntegrationFilter.
* <p>
* Only used to wrap the response if the conditions are right at the start of the request to potentially
* require starting a new session, i.e. that the user isn't authenticated and a session existed to begin with.
*/ */
private class SessionFixationProtectionResponseWrapper extends HttpServletResponseWrapper { class SessionFixationProtectionResponseWrapper extends HttpServletResponseWrapper {
private HttpServletRequest request; private HttpServletRequest request;
private boolean newSessionStarted; private boolean newSessionStarted;
public SessionFixationProtectionResponseWrapper(HttpServletResponse response, HttpServletRequest request) { SessionFixationProtectionResponseWrapper(HttpServletResponse response, HttpServletRequest request) {
super(response); super(response);
this.request = request; this.request = request;
} }
@ -148,9 +151,8 @@ public class SessionFixationProtectionFilter extends SpringSecurityFilter {
newSessionStarted = true; newSessionStarted = true;
} }
private boolean isNewSessionStarted() { boolean isNewSessionStarted() {
return newSessionStarted; return newSessionStarted;
} }
} }
} }

6
core/src/main/java/org/springframework/security/util/SessionUtils.java
View File

@ -36,7 +36,7 @@ public final class SessionUtils {
String originalSessionId = session.getId(); String originalSessionId = session.getId();
if (logger.isDebugEnabled()) { if (logger.isDebugEnabled()) {
logger.debug("Invalidating session " + (migrateAttributes ? "and" : "without") + " migrating attributes."); logger.debug("Invalidating session with Id '" + originalSessionId +"' " + (migrateAttributes ? "and" : "without") + " migrating attributes.");
} }
HashMap attributesToMigrate = null; HashMap attributesToMigrate = null;
@ -55,6 +55,10 @@ public final class SessionUtils {
session.invalidate(); session.invalidate();
session = request.getSession(true); // we now have a new session session = request.getSession(true); // we now have a new session
if (logger.isDebugEnabled()) {
logger.debug("Started new session: " + session.getId());
}
if (attributesToMigrate != null) { if (attributesToMigrate != null) {
Iterator iter = attributesToMigrate.entrySet().iterator(); Iterator iter = attributesToMigrate.entrySet().iterator();

46
core/src/test/java/org/springframework/security/ui/SessionFixationProtectionFilterTests.java
View File

@ -45,7 +45,6 @@ public class SessionFixationProtectionFilterTests {
SessionFixationProtectionFilter filter = new SessionFixationProtectionFilter(); SessionFixationProtectionFilter filter = new SessionFixationProtectionFilter();
HttpServletRequest request = new MockHttpServletRequest(); HttpServletRequest request = new MockHttpServletRequest();
String sessionId = request.getSession().getId(); String sessionId = request.getSession().getId();
// SecurityContextHolder.getContext().setAuthentication(new TestingAuthenticationToken("user", "pass", null));
filter.doFilter(request, new MockHttpServletResponse(), new MockFilterChain()); filter.doFilter(request, new MockHttpServletResponse(), new MockFilterChain());
@ -68,7 +67,7 @@ public class SessionFixationProtectionFilterTests {
SessionFixationProtectionFilter filter = new SessionFixationProtectionFilter(); SessionFixationProtectionFilter filter = new SessionFixationProtectionFilter();
HttpServletRequest request = new MockHttpServletRequest(); HttpServletRequest request = new MockHttpServletRequest();
String sessionId = request.getSession().getId(); String sessionId = request.getSession().getId();
SecurityContextHolder.getContext().setAuthentication(new TestingAuthenticationToken("user", "pass", null)); authenticateUser();
filter.doFilter(request, new MockHttpServletResponse(), new MockFilterChain()); filter.doFilter(request, new MockHttpServletResponse(), new MockFilterChain());
@ -83,7 +82,7 @@ public class SessionFixationProtectionFilterTests {
filter.doFilter(request, new MockHttpServletResponse(), new UserAuthenticatingFilterChain()); filter.doFilter(request, new MockHttpServletResponse(), new UserAuthenticatingFilterChain());
assertFalse("Session Id should have changed", sessionId.equals(request.getSession().getId())); assertFalse(sessionId.equals(request.getSession().getId()));
} }
@Test @Test
@ -99,12 +98,47 @@ public class SessionFixationProtectionFilterTests {
SessionFixationProtectionFilter.SessionFixationProtectionResponseWrapper); SessionFixationProtectionFilter.SessionFixationProtectionResponseWrapper);
assertTrue("New session should have been created by session wrapper", assertTrue("New session should have been created by session wrapper",
((SessionFixationProtectionFilter.SessionFixationProtectionResponseWrapper)chain.getResponse()).isNewSessionStarted()); ((SessionFixationProtectionFilter.SessionFixationProtectionResponseWrapper)chain.getResponse()).isNewSessionStarted());
assertFalse("Session Id should have changed", sessionId.equals(request.getSession().getId())); assertFalse(sessionId.equals(request.getSession().getId()));
}
@Test
public void wrapperSendErrorCreatesNewSession() throws Exception {
authenticateUser();
SessionFixationProtectionFilter filter = new SessionFixationProtectionFilter();
HttpServletRequest request = new MockHttpServletRequest();
String sessionId = request.getSession().getId();
SessionFixationProtectionFilter.SessionFixationProtectionResponseWrapper wrapper =
filter.new SessionFixationProtectionResponseWrapper(new MockHttpServletResponse(), request);
wrapper.sendError(HttpServletResponse.SC_FORBIDDEN);
assertFalse(sessionId.equals(request.getSession().getId()));
// Message version
request = new MockHttpServletRequest();
sessionId = request.getSession().getId();
wrapper = filter.new SessionFixationProtectionResponseWrapper(new MockHttpServletResponse(), request);
wrapper.sendError(HttpServletResponse.SC_FORBIDDEN, "Hi. I'm your friendly forbidden message.");
assertFalse(sessionId.equals(request.getSession().getId()));
}
@Test
public void wrapperRedirectCreatesNewSession() throws Exception {
authenticateUser();
SessionFixationProtectionFilter filter = new SessionFixationProtectionFilter();
HttpServletRequest request = new MockHttpServletRequest();
String sessionId = request.getSession().getId();
SessionFixationProtectionFilter.SessionFixationProtectionResponseWrapper wrapper =
filter.new SessionFixationProtectionResponseWrapper(new MockHttpServletResponse(), request);
wrapper.sendRedirect("/somelocation");
assertFalse(sessionId.equals(request.getSession().getId()));
}
private void authenticateUser() {
SecurityContextHolder.getContext().setAuthentication(new TestingAuthenticationToken("user", "pass", null));
} }
private class UserAuthenticatingFilterChain implements FilterChain { private class UserAuthenticatingFilterChain implements FilterChain {
public void doFilter(ServletRequest request, ServletResponse response) throws IOException { public void doFilter(ServletRequest request, ServletResponse response) throws IOException {
SecurityContextHolder.getContext().setAuthentication(new TestingAuthenticationToken("user", "pass", null)); authenticateUser();
} }
} }