Cwikius-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

SEC-585: Made expiredUrl optional. 

Also implemented Ordered interface for use in namespace configuration.
This commit is contained in:
Luke Taylor 2007-10-26 23:32:40 +00:00
parent 55ef50a4df
commit 3d9ea49d19
2 changed files with 49 additions and 58 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

70
core/src/main/java/org/springframework/security/concurrent/ConcurrentSessionFilter.java
View File

@ -16,36 +16,34 @@
package org.springframework.security.concurrent; package org.springframework.security.concurrent;
import org.springframework.beans.factory.InitializingBean; import org.springframework.beans.factory.InitializingBean;
import org.springframework.security.ui.FilterChainOrderUtils;
import org.springframework.security.ui.SpringSecurityFilter;
import org.springframework.util.Assert; import org.springframework.util.Assert;
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain; import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException; import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession; import javax.servlet.http.HttpSession;
import java.io.IOException;
/** /**
* Filter required by concurrent session handling package.<p>This filter performs two functions. First, it calls * Filter required by concurrent session handling package.
* {@link org.springframework.security.concurrent.SessionRegistry#refreshLastRequest(String)} for each request. That way, * <p>This filter performs two functions. First, it calls
* registered sessions always have a correct "last update" date/time. Second, it retrieves {@link * {@link org.springframework.security.concurrent.SessionRegistry#refreshLastRequest(String)} for each request.
* org.springframework.security.concurrent.SessionInformation} from the <code>SessionRegistry</code> for each request and checks * That way, registered sessions always have a correct "last update" date/time. Second, it retrieves
* if the session has been marked as expired. If it has been marked as expired, the session is invalidated. The * {@link org.springframework.security.concurrent.SessionInformation} from the <code>SessionRegistry</code>
* invalidation of the session will also cause the request to redirect to the URL specified, and a {@link * for each request and checks if the session has been marked as expired.
* org.springframework.security.ui.session.HttpSessionDestroyedEvent} to be published via the {@link * If it has been marked as expired, the session is invalidated. The invalidation of the session will also cause the
* org.springframework.security.ui.session.HttpSessionEventPublisher} registered in <code>web.xml</code>.</p> * request to redirect to the URL specified, and a
* {@link org.springframework.security.ui.session.HttpSessionDestroyedEvent} to be published via the
* {@link org.springframework.security.ui.session.HttpSessionEventPublisher} registered in <code>web.xml</code>.</p>
* *
* @author Ben Alex * @author Ben Alex
* @version $Id$ * @version $Id$
*/ */
public class ConcurrentSessionFilter implements Filter, InitializingBean { public class ConcurrentSessionFilter extends SpringSecurityFilter implements InitializingBean {
//~ Instance fields ================================================================================================ //~ Instance fields ================================================================================================
private SessionRegistry sessionRegistry; private SessionRegistry sessionRegistry;
@ -55,23 +53,12 @@ public class ConcurrentSessionFilter implements Filter, InitializingBean {
public void afterPropertiesSet() throws Exception { public void afterPropertiesSet() throws Exception {
Assert.notNull(sessionRegistry, "SessionRegistry required"); Assert.notNull(sessionRegistry, "SessionRegistry required");
Assert.hasText(expiredUrl, "ExpiredUrl required");
} }
/** public void doFilterHttp(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
* Does nothing. We use IoC container lifecycle services instead. throws IOException, ServletException {
*/
public void destroy() {}
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) HttpSession session = request.getSession(false);
throws IOException, ServletException {
Assert.isInstanceOf(HttpServletRequest.class, request, "Can only process HttpServletRequest");
Assert.isInstanceOf(HttpServletResponse.class, response, "Can only process HttpServletResponse");
HttpServletRequest httpRequest = (HttpServletRequest) request;
HttpServletResponse httpResponse = (HttpServletResponse) response;
HttpSession session = httpRequest.getSession(false);
if (session != null) { if (session != null) {
SessionInformation info = sessionRegistry.getSessionInformation(session.getId()); SessionInformation info = sessionRegistry.getSessionInformation(session.getId());
@ -81,8 +68,14 @@ public class ConcurrentSessionFilter implements Filter, InitializingBean {
// Expired - abort processing // Expired - abort processing
session.invalidate(); session.invalidate();
String targetUrl = httpRequest.getContextPath() + expiredUrl; if (expiredUrl != null) {
httpResponse.sendRedirect(httpResponse.encodeRedirectURL(targetUrl)); String targetUrl = request.getContextPath() + expiredUrl;
response.sendRedirect(response.encodeRedirectURL(targetUrl));
} else {
response.getWriter().print("This session has been expired (possibly due to multiple concurrent " +
"logins being attempted as the same user).");
response.flushBuffer();
}
return; return;
} else { } else {
@ -95,15 +88,6 @@ public class ConcurrentSessionFilter implements Filter, InitializingBean {
chain.doFilter(request, response); chain.doFilter(request, response);
} }
/**
* Does nothing. We use IoC container lifecycle services instead.
*
* @param arg0 ignored
*
* @throws ServletException ignored
*/
public void init(FilterConfig arg0) throws ServletException {}
public void setExpiredUrl(String expiredUrl) { public void setExpiredUrl(String expiredUrl) {
this.expiredUrl = expiredUrl; this.expiredUrl = expiredUrl;
} }
@ -111,4 +95,8 @@ public class ConcurrentSessionFilter implements Filter, InitializingBean {
public void setSessionRegistry(SessionRegistry sessionRegistry) { public void setSessionRegistry(SessionRegistry sessionRegistry) {
this.sessionRegistry = sessionRegistry; this.sessionRegistry = sessionRegistry;
} }
public int getOrder() {
return FilterChainOrderUtils.CONCURRENT_SESSION_FILTER_ORDER;
}
} }

37
core/src/test/java/org/springframework/security/concurrent/ConcurrentSessionFilterTests.java
View File

@ -40,10 +40,6 @@ import java.util.Date;
public class ConcurrentSessionFilterTests extends TestCase { public class ConcurrentSessionFilterTests extends TestCase {
//~ Constructors =================================================================================================== //~ Constructors ===================================================================================================
public ConcurrentSessionFilterTests() {
super();
}
public ConcurrentSessionFilterTests(String arg0) { public ConcurrentSessionFilterTests(String arg0) {
super(arg0); super(arg0);
} }
@ -58,10 +54,6 @@ public class ConcurrentSessionFilterTests extends TestCase {
filter.destroy(); filter.destroy();
} }
public static void main(String[] args) {
junit.textui.TestRunner.run(ConcurrentSessionFilterTests.class);
}
public void testDetectsExpiredSessions() throws Exception { public void testDetectsExpiredSessions() throws Exception {
// Setup our HTTP request // Setup our HTTP request
MockHttpServletRequest request = new MockHttpServletRequest(); MockHttpServletRequest request = new MockHttpServletRequest();
@ -88,16 +80,27 @@ public class ConcurrentSessionFilterTests extends TestCase {
assertEquals("/expired.jsp", response.getRedirectedUrl()); assertEquals("/expired.jsp", response.getRedirectedUrl());
} }
public void testDetectsMissingExpiredUrl() throws Exception { // As above, but with no expiredUrl set.
ConcurrentSessionFilter filter = new ConcurrentSessionFilter(); public void testReturnsExpectedMessageWhenNoExpiredUrlSet() throws Exception {
filter.setSessionRegistry(new SessionRegistryImpl()); MockHttpServletRequest request = new MockHttpServletRequest();
MockHttpSession session = new MockHttpSession();
request.setSession(session);
try { MockHttpServletResponse response = new MockHttpServletResponse();
filter.afterPropertiesSet(); MockFilterConfig config = new MockFilterConfig(null, null);
fail("Should have thrown IAE");
} catch (IllegalArgumentException expected) { MockFilterChain chain = new MockFilterChain(false);
assertTrue(true);
} ConcurrentSessionFilter filter = new ConcurrentSessionFilter();
SessionRegistry registry = new SessionRegistryImpl();
registry.registerNewSession(session.getId(), "principal");
registry.getSessionInformation(session.getId()).expireNow();
filter.setSessionRegistry(registry);
executeFilterInContainerSimulator(config, filter, request, response, chain);
assertEquals("This session has been expired (possibly due to multiple concurrent logins being " +
"attempted as the same user).", response.getContentAsString());
} }
public void testDetectsMissingSessionRegistry() throws Exception { public void testDetectsMissingSessionRegistry() throws Exception {