mirror of
https://github.com/spring-projects/spring-security.git
synced 2025-03-04 20:39:22 +00:00
SEC-572: Added allowSessionCreation (default=true) property to AbstractProcessingFilter and modified it and AuthenticationProcessingFilter to stop them creating a new session for storing data if this property is set to false.
This commit is contained in:
Luke Taylor
parent
41d90e9bdb
commit
2eca8ee7b0
@ -207,6 +207,8 @@ public abstract class AbstractProcessingFilter extends SpringSecurityFilter impl
|
|||||||
*/
|
*/
|
||||||
private boolean migrateInvalidatedSessionAttributes = true;
|
private boolean migrateInvalidatedSessionAttributes = true;
|
||||||
|
|
||||||
|
private boolean allowSessionCreation = true;
|
||||||
|
|
||||||
//~ Methods ========================================================================================================
|
//~ Methods ========================================================================================================
|
||||||
|
|
||||||
public void afterPropertiesSet() throws Exception {
|
public void afterPropertiesSet() throws Exception {
|
||||||
@ -264,9 +266,15 @@ public abstract class AbstractProcessingFilter extends SpringSecurityFilter impl
|
|||||||
}
|
}
|
||||||
|
|
||||||
public static String obtainFullRequestUrl(HttpServletRequest request) {
|
public static String obtainFullRequestUrl(HttpServletRequest request) {
|
||||||
SavedRequest savedRequest = (SavedRequest) request.getSession().getAttribute(SPRING_SECURITY_SAVED_REQUEST_KEY);
|
HttpSession session = request.getSession(false);
|
||||||
|
|
||||||
return (savedRequest == null) ? null : savedRequest.getFullRequestUrl();
|
if (session == null) {
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
|
||||||
|
SavedRequest savedRequest = (SavedRequest) session.getAttribute(SPRING_SECURITY_SAVED_REQUEST_KEY);
|
||||||
|
|
||||||
|
return savedRequest == null ? null : savedRequest.getFullRequestUrl();
|
||||||
}
|
}
|
||||||
|
|
||||||
protected void onPreAuthentication(HttpServletRequest request, HttpServletResponse response)
|
protected void onPreAuthentication(HttpServletRequest request, HttpServletResponse response)
|
||||||
@ -434,8 +442,12 @@ public abstract class AbstractProcessingFilter extends SpringSecurityFilter impl
|
|||||||
}
|
}
|
||||||
|
|
||||||
try {
|
try {
|
||||||
request.getSession().setAttribute(SPRING_SECURITY_LAST_EXCEPTION_KEY, failed);
|
HttpSession session = request.getSession(false);
|
||||||
}
|
|
||||||
|
if (session != null || allowSessionCreation) {
|
||||||
|
request.getSession().setAttribute(SPRING_SECURITY_LAST_EXCEPTION_KEY, failed);
|
||||||
|
}
|
||||||
|
}
|
||||||
catch (Exception ignored) {
|
catch (Exception ignored) {
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -558,4 +570,12 @@ public abstract class AbstractProcessingFilter extends SpringSecurityFilter impl
|
|||||||
public void setUseRelativeContext(boolean useRelativeContext) {
|
public void setUseRelativeContext(boolean useRelativeContext) {
|
||||||
this.useRelativeContext = useRelativeContext;
|
this.useRelativeContext = useRelativeContext;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
protected boolean getAllowSessionCreation() {
|
||||||
|
return allowSessionCreation;
|
||||||
|
}
|
||||||
|
|
||||||
|
public void setAllowSessionCreation(boolean allowSessionCreation) {
|
||||||
|
this.allowSessionCreation = allowSessionCreation;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@ -25,6 +25,7 @@ import org.springframework.security.ui.FilterChainOrderUtils;
|
|||||||
import org.springframework.util.Assert;
|
import org.springframework.util.Assert;
|
||||||
|
|
||||||
import javax.servlet.http.HttpServletRequest;
|
import javax.servlet.http.HttpServletRequest;
|
||||||
|
import javax.servlet.http.HttpSession;
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -72,7 +73,11 @@ public class AuthenticationProcessingFilter extends AbstractProcessingFilter {
|
|||||||
UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password);
|
UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password);
|
||||||
|
|
||||||
// Place the last username attempted into HttpSession for views
|
// Place the last username attempted into HttpSession for views
|
||||||
request.getSession().setAttribute(SPRING_SECURITY_LAST_USERNAME_KEY, username);
|
HttpSession session = request.getSession(false);
|
||||||
|
|
||||||
|
if (session != null || getAllowSessionCreation()) {
|
||||||
|
request.getSession().setAttribute(SPRING_SECURITY_LAST_USERNAME_KEY, username);
|
||||||
|
}
|
||||||
|
|
||||||
// Allow subclasses to set the "details" property
|
// Allow subclasses to set the "details" property
|
||||||
setDetails(request, authRequest);
|
setDetails(request, authRequest);
|
||||||
|
|||||||
@ -471,11 +471,9 @@ public class AbstractProcessingFilterTests extends TestCase {
|
|||||||
MockHttpServletRequest request = createMockRequest();
|
MockHttpServletRequest request = createMockRequest();
|
||||||
HttpSession oldSession = request.getSession();
|
HttpSession oldSession = request.getSession();
|
||||||
MockFilterConfig config = new MockFilterConfig(null, null);
|
MockFilterConfig config = new MockFilterConfig(null, null);
|
||||||
|
|
||||||
MockFilterChain chain = new MockFilterChain(true);
|
MockFilterChain chain = new MockFilterChain(true);
|
||||||
MockHttpServletResponse response = new MockHttpServletResponse();
|
MockHttpServletResponse response = new MockHttpServletResponse();
|
||||||
|
|
||||||
// Setup our test object, to grant access
|
|
||||||
MockAbstractProcessingFilter filter = new MockAbstractProcessingFilter(true);
|
MockAbstractProcessingFilter filter = new MockAbstractProcessingFilter(true);
|
||||||
filter.setInvalidateSessionOnSuccessfulAuthentication(true);
|
filter.setInvalidateSessionOnSuccessfulAuthentication(true);
|
||||||
filter.setMigrateInvalidatedSessionAttributes(false);
|
filter.setMigrateInvalidatedSessionAttributes(false);
|
||||||
@ -488,6 +486,27 @@ public class AbstractProcessingFilterTests extends TestCase {
|
|||||||
assertNull(newSession.getAttribute("test"));
|
assertNull(newSession.getAttribute("test"));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* SEC-571
|
||||||
|
*/
|
||||||
|
public void testNoSessionIsCreatedIfAllowSessionCreationIsFalse() throws Exception {
|
||||||
|
MockHttpServletRequest request = createMockRequest();
|
||||||
|
|
||||||
|
MockFilterConfig config = new MockFilterConfig(null, null);
|
||||||
|
MockFilterChain chain = new MockFilterChain(true);
|
||||||
|
MockHttpServletResponse response = new MockHttpServletResponse();
|
||||||
|
|
||||||
|
// Reject authentication, so exception would normally be stored in session
|
||||||
|
MockAbstractProcessingFilter filter = new MockAbstractProcessingFilter(false);
|
||||||
|
filter.setAllowSessionCreation(false);
|
||||||
|
filter.setAuthenticationFailureUrl("/");
|
||||||
|
filter.setDefaultTargetUrl("http://monkeymachine.co.uk/");
|
||||||
|
|
||||||
|
executeFilterInContainerSimulator(config, filter, request, response, chain);
|
||||||
|
|
||||||
|
assertNull(request.getSession(false));
|
||||||
|
}
|
||||||
|
|
||||||
//~ Inner Classes ==================================================================================================
|
//~ Inner Classes ==================================================================================================
|
||||||
|
|
||||||
private class MockAbstractProcessingFilter extends AbstractProcessingFilter {
|
private class MockAbstractProcessingFilter extends AbstractProcessingFilter {
|
||||||
|
|||||||
@ -19,10 +19,13 @@ import junit.framework.TestCase;
|
|||||||
|
|
||||||
import org.springframework.security.Authentication;
|
import org.springframework.security.Authentication;
|
||||||
import org.springframework.security.MockAuthenticationManager;
|
import org.springframework.security.MockAuthenticationManager;
|
||||||
|
import org.springframework.security.AuthenticationException;
|
||||||
|
|
||||||
import org.springframework.security.ui.WebAuthenticationDetails;
|
import org.springframework.security.ui.WebAuthenticationDetails;
|
||||||
|
|
||||||
import org.springframework.mock.web.MockHttpServletRequest;
|
import org.springframework.mock.web.MockHttpServletRequest;
|
||||||
|
import org.springframework.mock.web.MockFilterConfig;
|
||||||
|
import org.springframework.mock.web.MockHttpServletResponse;
|
||||||
|
|
||||||
import javax.servlet.ServletException;
|
import javax.servlet.ServletException;
|
||||||
|
|
||||||
@ -61,6 +64,8 @@ public class AuthenticationProcessingFilterTests extends TestCase {
|
|||||||
|
|
||||||
Authentication result = filter.attemptAuthentication(request);
|
Authentication result = filter.attemptAuthentication(request);
|
||||||
assertTrue(result != null);
|
assertTrue(result != null);
|
||||||
|
assertEquals("rod", request.getSession().getAttribute(
|
||||||
|
AuthenticationProcessingFilter.SPRING_SECURITY_LAST_USERNAME_KEY));
|
||||||
assertEquals("127.0.0.1", ((WebAuthenticationDetails) result.getDetails()).getRemoteAddress());
|
assertEquals("127.0.0.1", ((WebAuthenticationDetails) result.getDetails()).getRemoteAddress());
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -70,7 +75,6 @@ public class AuthenticationProcessingFilterTests extends TestCase {
|
|||||||
|
|
||||||
AuthenticationProcessingFilter filter = new AuthenticationProcessingFilter();
|
AuthenticationProcessingFilter filter = new AuthenticationProcessingFilter();
|
||||||
filter.setAuthenticationManager(new MockAuthenticationManager(true));
|
filter.setAuthenticationManager(new MockAuthenticationManager(true));
|
||||||
filter.init(null);
|
|
||||||
|
|
||||||
Authentication result = filter.attemptAuthentication(request);
|
Authentication result = filter.attemptAuthentication(request);
|
||||||
assertTrue(result != null);
|
assertTrue(result != null);
|
||||||
@ -82,7 +86,6 @@ public class AuthenticationProcessingFilterTests extends TestCase {
|
|||||||
|
|
||||||
AuthenticationProcessingFilter filter = new AuthenticationProcessingFilter();
|
AuthenticationProcessingFilter filter = new AuthenticationProcessingFilter();
|
||||||
filter.setAuthenticationManager(new MockAuthenticationManager(true));
|
filter.setAuthenticationManager(new MockAuthenticationManager(true));
|
||||||
filter.init(null);
|
|
||||||
|
|
||||||
Authentication result = filter.attemptAuthentication(request);
|
Authentication result = filter.attemptAuthentication(request);
|
||||||
assertTrue(result != null);
|
assertTrue(result != null);
|
||||||
@ -93,7 +96,6 @@ public class AuthenticationProcessingFilterTests extends TestCase {
|
|||||||
filter.setAuthenticationManager(new MockAuthenticationManager(true));
|
filter.setAuthenticationManager(new MockAuthenticationManager(true));
|
||||||
filter.setUsernameParameter("x");
|
filter.setUsernameParameter("x");
|
||||||
filter.setPasswordParameter("y");
|
filter.setPasswordParameter("y");
|
||||||
filter.init(null);
|
|
||||||
|
|
||||||
MockHttpServletRequest request = new MockHttpServletRequest();
|
MockHttpServletRequest request = new MockHttpServletRequest();
|
||||||
request.addParameter("x", "rod");
|
request.addParameter("x", "rod");
|
||||||
@ -111,9 +113,40 @@ public class AuthenticationProcessingFilterTests extends TestCase {
|
|||||||
|
|
||||||
AuthenticationProcessingFilter filter = new AuthenticationProcessingFilter();
|
AuthenticationProcessingFilter filter = new AuthenticationProcessingFilter();
|
||||||
filter.setAuthenticationManager(new MockAuthenticationManager(true));
|
filter.setAuthenticationManager(new MockAuthenticationManager(true));
|
||||||
filter.init(null);
|
|
||||||
|
|
||||||
Authentication result = filter.attemptAuthentication(request);
|
Authentication result = filter.attemptAuthentication(request);
|
||||||
assertEquals("rod", result.getName());
|
assertEquals("rod", result.getName());
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public void testFailedAuthenticationThrowsException() {
|
||||||
|
MockHttpServletRequest request = new MockHttpServletRequest();
|
||||||
|
request.addParameter(AuthenticationProcessingFilter.SPRING_SECURITY_FORM_USERNAME_KEY, "rod");
|
||||||
|
AuthenticationProcessingFilter filter = new AuthenticationProcessingFilter();
|
||||||
|
filter.setAuthenticationManager(new MockAuthenticationManager(false));
|
||||||
|
|
||||||
|
try {
|
||||||
|
filter.attemptAuthentication(request);
|
||||||
|
fail("Expected AuthenticationException");
|
||||||
|
} catch (AuthenticationException e) {
|
||||||
|
}
|
||||||
|
|
||||||
|
// Check username has still been set
|
||||||
|
assertEquals("rod", request.getSession().getAttribute(
|
||||||
|
AuthenticationProcessingFilter.SPRING_SECURITY_LAST_USERNAME_KEY));
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* SEC-571
|
||||||
|
*/
|
||||||
|
public void testNoSessionIsCreatedIfAllowSessionCreationIsFalse() throws Exception {
|
||||||
|
MockHttpServletRequest request = new MockHttpServletRequest();
|
||||||
|
|
||||||
|
AuthenticationProcessingFilter filter = new AuthenticationProcessingFilter();
|
||||||
|
filter.setAllowSessionCreation(false);
|
||||||
|
filter.setAuthenticationManager(new MockAuthenticationManager(true));
|
||||||
|
|
||||||
|
filter.attemptAuthentication(request);
|
||||||
|
|
||||||
|
assertNull(request.getSession(false));
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user