From 3e6054b69f221107bcc354afcd90232456b6198d Mon Sep 17 00:00:00 2001
From: Luke Taylor
Date: Wed, 29 Jul 2009 00:52:30 +0000
Subject: [PATCH] SEC-1211: Rename SessionFixationProtectionFilter to SessionManagementFilter, since it no longer performs session-fixation protection directly, but just executes the AuthenticatedSessionStrategy.
---
 .../config/http/DefaultFilterChainValidator.java | 4 ++--
 .../config/http/HttpSecurityBeanDefinitionParser.java | 4 ++--
 .../http/HttpSecurityBeanDefinitionParserTests.java | 8 ++++----
 ...tectionFilter.java => SessionManagementFilter.java} | 4 ++--
 ...terTests.java => SessionManagementFilterTests.java} | 10 +++++-----
 5 files changed, 15 insertions(+), 15 deletions(-)
 rename web/src/main/java/org/springframework/security/web/session/{SessionFixationProtectionFilter.java => SessionManagementFilter.java} (95%)
 rename web/src/test/java/org/springframework/security/web/session/{SessionFixationProtectionFilterTests.java => SessionManagementFilterTests.java} (89%)
diff --git a/config/src/main/java/org/springframework/security/config/http/DefaultFilterChainValidator.java b/config/src/main/java/org/springframework/security/config/http/DefaultFilterChainValidator.java
index 776cc32b2c..c0a1ba5450 100644
--- a/config/src/main/java/org/springframework/security/config/http/DefaultFilterChainValidator.java
+++ b/config/src/main/java/org/springframework/security/config/http/DefaultFilterChainValidator.java
@@ -19,7 +19,7 @@ import org.springframework.security.web.authentication.UsernamePasswordAuthentic
 import org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter;
 import org.springframework.security.web.authentication.www.BasicProcessingFilter;
 import org.springframework.security.web.context.SecurityContextPersistenceFilter;
-import org.springframework.security.web.session.SessionFixationProtectionFilter;
+import org.springframework.security.web.session.SessionManagementFilter;
 import org.springframework.security.web.wrapper.SecurityContextHolderAwareRequestFilter;
 public class DefaultFilterChainValidator implements FilterChainProxy.FilterChainValidator{
@@ -52,7 +52,7 @@ public class DefaultFilterChainValidator implements FilterChainProxy.FilterChain
 private void checkFilterStack(List filters) {
 checkForDuplicates(SecurityContextPersistenceFilter.class, filters);
 checkForDuplicates(UsernamePasswordAuthenticationProcessingFilter.class, filters);
- checkForDuplicates(SessionFixationProtectionFilter.class, filters);
+ checkForDuplicates(SessionManagementFilter.class, filters);
 checkForDuplicates(BasicProcessingFilter.class, filters);
 checkForDuplicates(SecurityContextHolderAwareRequestFilter.class, filters);
 checkForDuplicates(ExceptionTranslationFilter.class, filters);
diff --git a/config/src/main/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParser.java b/config/src/main/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParser.java
index d0b4667fbd..13b95f6c47 100644
--- a/config/src/main/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParser.java
+++ b/config/src/main/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParser.java
@@ -67,7 +67,7 @@ import org.springframework.security.web.context.SecurityContextPersistenceFilter
 import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
 import org.springframework.security.web.savedrequest.RequestCacheAwareFilter;
 import org.springframework.security.web.session.DefaultAuthenticatedSessionStrategy;
-import org.springframework.security.web.session.SessionFixationProtectionFilter;
+import org.springframework.security.web.session.SessionManagementFilter;
 import org.springframework.security.web.util.AntUrlPathMatcher;
 import org.springframework.security.web.util.RegexUrlPathMatcher;
 import org.springframework.security.web.util.UrlMatcher;
@@ -917,7 +917,7 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
 if (!sessionFixationAttribute.equals(OPT_SESSION_FIXATION_NO_PROTECTION)) {
 BeanDefinitionBuilder sessionFixationFilter =
- BeanDefinitionBuilder.rootBeanDefinition(SessionFixationProtectionFilter.class);
+ BeanDefinitionBuilder.rootBeanDefinition(SessionManagementFilter.class);
 sessionFixationFilter.addConstructorArgValue(contextRepoRef);
 BeanDefinitionBuilder sessionStrategy = BeanDefinitionBuilder.rootBeanDefinition(DefaultAuthenticatedSessionStrategy.class);
diff --git a/config/src/test/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParserTests.java b/config/src/test/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParserTests.java
index 77f6b6f621..18a6812e23 100644
--- a/config/src/test/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParserTests.java
+++ b/config/src/test/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParserTests.java
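Review bot: In the `@@ -917` hunk of HttpSecurityBeanDefinitionParser, the renamed filter is still created only inside `if (!sessionFixationAttribute.equals(OPT_SESSION_FIXATION_NO_PROTECTION))`, so choosing no session-fixation protection removes the whole SessionManagementFilter from the chain rather than only the fixation step. The test hunk at `@@ -639` reads `sessionStrategy.sessionRegistry` from this filter, which suggests the strategy also carries session-registry work that would presumably be skipped in that configuration. Either register the filter unconditionally and let the strategy decide what to do, or state the coupling next to the condition with a comment such as `// "none" drops SessionManagementFilter altogether, including any non-fixation work its strategy does`. The local is also still named `sessionFixationFilter`; `sessionMgmtFilter` would match the new class. The enclosing method starts and ends outside the hunk, so the registration of the bean further down is not visible here.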
@@ -72,7 +72,7 @@ import org.springframework.security.web.authentication.www.BasicProcessingFilter
 import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
 import org.springframework.security.web.context.SecurityContextPersistenceFilter;
 import org.springframework.security.web.savedrequest.RequestCacheAwareFilter;
-import org.springframework.security.web.session.SessionFixationProtectionFilter;
+import org.springframework.security.web.session.SessionManagementFilter;
 import org.springframework.security.web.wrapper.SecurityContextHolderAwareRequestFilter;
 import org.springframework.util.ReflectionUtils;
@@ -139,7 +139,7 @@ public class HttpSecurityBeanDefinitionParserTests {
 assertTrue(filters.next() instanceof SecurityContextHolderAwareRequestFilter);
 assertTrue(filters.next() instanceof AnonymousProcessingFilter);
 assertTrue(filters.next() instanceof ExceptionTranslationFilter);
- assertTrue(filters.next() instanceof SessionFixationProtectionFilter);
+ assertTrue(filters.next() instanceof SessionManagementFilter);
 Object fsiObj = filters.next();
 assertTrue(fsiObj instanceof FilterSecurityInterceptor);
 FilterSecurityInterceptor fsi = (FilterSecurityInterceptor) fsiObj;
@@ -639,7 +639,7 @@ public class HttpSecurityBeanDefinitionParserTests {
 getFilter(UsernamePasswordAuthenticationProcessingFilter.class),"sessionStrategy.sessionRegistry");
 Object sessionRegistryFromController = FieldUtils.getFieldValue(getConcurrentSessionController(),"sessionRegistry");
 Object sessionRegistryFromFixationFilter = FieldUtils.getFieldValue(
- getFilter(SessionFixationProtectionFilter.class),"sessionStrategy.sessionRegistry");
+ getFilter(SessionManagementFilter.class),"sessionStrategy.sessionRegistry");
 assertSame(sessionRegistry, sessionRegistryFromConcurrencyFilter);
 assertSame(sessionRegistry, sessionRegistryFromController);
@@ -744,7 +744,7 @@ public class HttpSecurityBeanDefinitionParserTests {
 "" + AUTH_PROVIDER_XML);
 List filters = getFilters("/someurl");
 assertTrue(filters.get(8) instanceof ExceptionTranslationFilter);
- assertFalse(filters.get(9) instanceof SessionFixationProtectionFilter);
+ assertFalse(filters.get(9) instanceof SessionManagementFilter);
 }
 /**
diff --git a/web/src/main/java/org/springframework/security/web/session/SessionFixationProtectionFilter.java b/web/src/main/java/org/springframework/security/web/session/SessionManagementFilter.java
similarity index 95%
rename from web/src/main/java/org/springframework/security/web/session/SessionFixationProtectionFilter.java
rename to web/src/main/java/org/springframework/security/web/session/SessionManagementFilter.java
index f35b5badc3..8025336a23 100644
--- a/web/src/main/java/org/springframework/security/web/session/SessionFixationProtectionFilter.java
+++ b/web/src/main/java/org/springframework/security/web/session/SessionManagementFilter.java
@@ -27,7 +27,7 @@ import org.springframework.util.Assert;
 * @version $Id$
 * @since 2.0
 */
-public class SessionFixationProtectionFilter extends SpringSecurityFilter {
+public class SessionManagementFilter extends SpringSecurityFilter {
 //~ Static fields/initializers =====================================================================================
 static final String FILTER_APPLIED = "__spring_security_session_fixation_filter_applied";
@@ -40,7 +40,7 @@ public class SessionFixationProtectionFilter extends SpringSecurityFilter {
 private AuthenticationTrustResolver authenticationTrustResolver = new AuthenticationTrustResolverImpl();
- public SessionFixationProtectionFilter(SecurityContextRepository securityContextRepository) {
+ public SessionManagementFilter(SecurityContextRepository securityContextRepository) {
 this.securityContextRepository = securityContextRepository;
 }
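Review bot: The rename in SessionManagementFilter.java (`@@ -27` hunk) leaves `FILTER_APPLIED = "__spring_security_session_fixation_filter_applied"` unchanged, so what is presumably the filter's already-applied request marker still carries the old filter's name. If nothing reads that attribute by its literal value, change it to match, for example `static final String FILTER_APPLIED = "__spring_security_session_mgmt_filter_applied";`. The class Javadoc sits above the hunk and is not visible; it should be checked for wording that still promises session-fixation protection from the filter itself, since per the commit message that now depends on the configured AuthenticatedSessionStrategy. The same leftover naming appears in the test local `sessionRegistryFromFixationFilter` in the `@@ -639` hunk of HttpSecurityBeanDefinitionParserTests.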
diff --git a/web/src/test/java/org/springframework/security/web/session/SessionFixationProtectionFilterTests.java b/web/src/test/java/org/springframework/security/web/session/SessionManagementFilterTests.java
similarity index 89%
rename from web/src/test/java/org/springframework/security/web/session/SessionFixationProtectionFilterTests.java
rename to web/src/test/java/org/springframework/security/web/session/SessionManagementFilterTests.java
index 6402043e49..c0e4bc8be6 100644
--- a/web/src/test/java/org/springframework/security/web/session/SessionFixationProtectionFilterTests.java
+++ b/web/src/test/java/org/springframework/security/web/session/SessionManagementFilterTests.java
@@ -22,7 +22,7 @@ import org.springframework.security.web.context.SecurityContextRepository;
 * @author Luke Taylor
 * @version $Id$
 */
-public class SessionFixationProtectionFilterTests {
+public class SessionManagementFilterTests {
 @After
 public void clearContext() {
@@ -32,7 +32,7 @@ public class SessionFixationProtectionFilterTests {
 @Test
 public void newSessionShouldNotBeCreatedIfSessionExistsAndUserIsNotAuthenticated() throws Exception {
 SecurityContextRepository repo = mock(SecurityContextRepository.class);
- SessionFixationProtectionFilter filter = new SessionFixationProtectionFilter(repo);
+ SessionManagementFilter filter = new SessionManagementFilter(repo);
 HttpServletRequest request = new MockHttpServletRequest();
 String sessionId = request.getSession().getId();
@@ -47,7 +47,7 @@ public class SessionFixationProtectionFilterTests {
 AuthenticatedSessionStrategy strategy = mock(AuthenticatedSessionStrategy.class);
 // mock that repo contains a security context
 when(repo.containsContext(any(HttpServletRequest.class))).thenReturn(true);
- SessionFixationProtectionFilter filter = new SessionFixationProtectionFilter(repo);
+ SessionManagementFilter filter = new SessionManagementFilter(repo);
 filter.setAuthenticatedSessionStrategy(strategy);
 HttpServletRequest request = new MockHttpServletRequest();
 authenticateUser();
@@ -61,7 +61,7 @@ public class SessionFixationProtectionFilterTests {
 public void strategyIsNotInvokedIfAuthenticationIsNull() throws Exception {
 SecurityContextRepository repo = mock(SecurityContextRepository.class);
 AuthenticatedSessionStrategy strategy = mock(AuthenticatedSessionStrategy.class);
- SessionFixationProtectionFilter filter = new SessionFixationProtectionFilter(repo);
+ SessionManagementFilter filter = new SessionManagementFilter(repo);
 filter.setAuthenticatedSessionStrategy(strategy);
 HttpServletRequest request = new MockHttpServletRequest();
@@ -75,7 +75,7 @@ public class SessionFixationProtectionFilterTests {
 SecurityContextRepository repo = mock(SecurityContextRepository.class);
 // repo will return false to containsContext()
 AuthenticatedSessionStrategy strategy = mock(AuthenticatedSessionStrategy.class);
- SessionFixationProtectionFilter filter = new SessionFixationProtectionFilter(repo);
+ SessionManagementFilter filter = new SessionManagementFilter(repo);
 filter.setAuthenticatedSessionStrategy(strategy);
 HttpServletRequest request = new MockHttpServletRequest();
 authenticateUser();