SEC-1211: Rename SessionFixationProtectionFilter to SessionManagementFilter, since it no longer performs session-fixation protection directly, but just executes the AuthenticatedSessionStrategy.

Luke Taylor 2009-07-29 00:52:30 +00:00
parent 5e285b3692
commit 3e6054b69f
5 changed files with 15 additions and 15 deletions


@ -19,7 +19,7 @@ import org.springframework.security.web.authentication.UsernamePasswordAuthentic
import org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter; import org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter;
import org.springframework.security.web.authentication.www.BasicProcessingFilter; import org.springframework.security.web.authentication.www.BasicProcessingFilter;
import org.springframework.security.web.context.SecurityContextPersistenceFilter; import org.springframework.security.web.context.SecurityContextPersistenceFilter;
import org.springframework.security.web.session.SessionFixationProtectionFilter; import org.springframework.security.web.session.SessionManagementFilter;
import org.springframework.security.web.wrapper.SecurityContextHolderAwareRequestFilter; import org.springframework.security.web.wrapper.SecurityContextHolderAwareRequestFilter;
public class DefaultFilterChainValidator implements FilterChainProxy.FilterChainValidator{ public class DefaultFilterChainValidator implements FilterChainProxy.FilterChainValidator{
@ -52,7 +52,7 @@ public class DefaultFilterChainValidator implements FilterChainProxy.FilterChain
private void checkFilterStack(List<Filter> filters) { private void checkFilterStack(List<Filter> filters) {
checkForDuplicates(SecurityContextPersistenceFilter.class, filters); checkForDuplicates(SecurityContextPersistenceFilter.class, filters);
checkForDuplicates(UsernamePasswordAuthenticationProcessingFilter.class, filters); checkForDuplicates(UsernamePasswordAuthenticationProcessingFilter.class, filters);
checkForDuplicates(SessionFixationProtectionFilter.class, filters); checkForDuplicates(SessionManagementFilter.class, filters);
checkForDuplicates(BasicProcessingFilter.class, filters); checkForDuplicates(BasicProcessingFilter.class, filters);
checkForDuplicates(SecurityContextHolderAwareRequestFilter.class, filters); checkForDuplicates(SecurityContextHolderAwareRequestFilter.class, filters);
checkForDuplicates(ExceptionTranslationFilter.class, filters); checkForDuplicates(ExceptionTranslationFilter.class, filters);


@ -67,7 +67,7 @@ import org.springframework.security.web.context.SecurityContextPersistenceFilter
import org.springframework.security.web.savedrequest.HttpSessionRequestCache; import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
import org.springframework.security.web.savedrequest.RequestCacheAwareFilter; import org.springframework.security.web.savedrequest.RequestCacheAwareFilter;
import org.springframework.security.web.session.DefaultAuthenticatedSessionStrategy; import org.springframework.security.web.session.DefaultAuthenticatedSessionStrategy;
import org.springframework.security.web.session.SessionFixationProtectionFilter; import org.springframework.security.web.session.SessionManagementFilter;
import org.springframework.security.web.util.AntUrlPathMatcher; import org.springframework.security.web.util.AntUrlPathMatcher;
import org.springframework.security.web.util.RegexUrlPathMatcher; import org.springframework.security.web.util.RegexUrlPathMatcher;
import org.springframework.security.web.util.UrlMatcher; import org.springframework.security.web.util.UrlMatcher;
@ -917,7 +917,7 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
if (!sessionFixationAttribute.equals(OPT_SESSION_FIXATION_NO_PROTECTION)) { if (!sessionFixationAttribute.equals(OPT_SESSION_FIXATION_NO_PROTECTION)) {
BeanDefinitionBuilder sessionFixationFilter = BeanDefinitionBuilder sessionFixationFilter =
BeanDefinitionBuilder.rootBeanDefinition(SessionFixationProtectionFilter.class); BeanDefinitionBuilder.rootBeanDefinition(SessionManagementFilter.class);
sessionFixationFilter.addConstructorArgValue(contextRepoRef); sessionFixationFilter.addConstructorArgValue(contextRepoRef);
BeanDefinitionBuilder sessionStrategy = BeanDefinitionBuilder.rootBeanDefinition(DefaultAuthenticatedSessionStrategy.class); BeanDefinitionBuilder sessionStrategy = BeanDefinitionBuilder.rootBeanDefinition(DefaultAuthenticatedSessionStrategy.class);
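Review bot: The local `sessionFixationFilter` (the declaration on the line before the changed `rootBeanDefinition(SessionManagementFilter.class)` call, and its `addConstructorArgValue` use two lines below) now builds a `SessionManagementFilter`, so the name no longer matches the type; `BeanDefinitionBuilder sessionManagementFilter = BeanDefinitionBuilder.rootBeanDefinition(SessionManagementFilter.class);` would keep the rename consistent, and the same applies to `sessionRegistryFromFixationFilter` in the HttpSecurityBeanDefinitionParserTests hunk further down. Separately, the enclosing `if (!sessionFixationAttribute.equals(OPT_SESSION_FIXATION_NO_PROTECTION))` guard is unchanged, so the filter is still registered only when session-fixation protection is enabled, while the commit message describes it as the filter that executes the AuthenticatedSessionStrategy in general; the test hunk that reads `sessionStrategy.sessionRegistry` from this filter suggests concurrency-control wiring also flows through it, which would then be absent under `session-fixation-protection='none'`. If that is intended, a one-line comment above the guard saying so would prevent the next reader from treating it as a gap; if not, the condition needs widening. The enclosing method starts and ends outside the hunk.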


@ -72,7 +72,7 @@ import org.springframework.security.web.authentication.www.BasicProcessingFilter
import org.springframework.security.web.context.HttpSessionSecurityContextRepository; import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextPersistenceFilter; import org.springframework.security.web.context.SecurityContextPersistenceFilter;
import org.springframework.security.web.savedrequest.RequestCacheAwareFilter; import org.springframework.security.web.savedrequest.RequestCacheAwareFilter;
import org.springframework.security.web.session.SessionFixationProtectionFilter; import org.springframework.security.web.session.SessionManagementFilter;
import org.springframework.security.web.wrapper.SecurityContextHolderAwareRequestFilter; import org.springframework.security.web.wrapper.SecurityContextHolderAwareRequestFilter;
import org.springframework.util.ReflectionUtils; import org.springframework.util.ReflectionUtils;
@ -139,7 +139,7 @@ public class HttpSecurityBeanDefinitionParserTests {
assertTrue(filters.next() instanceof SecurityContextHolderAwareRequestFilter); assertTrue(filters.next() instanceof SecurityContextHolderAwareRequestFilter);
assertTrue(filters.next() instanceof AnonymousProcessingFilter); assertTrue(filters.next() instanceof AnonymousProcessingFilter);
assertTrue(filters.next() instanceof ExceptionTranslationFilter); assertTrue(filters.next() instanceof ExceptionTranslationFilter);
assertTrue(filters.next() instanceof SessionFixationProtectionFilter); assertTrue(filters.next() instanceof SessionManagementFilter);
Object fsiObj = filters.next(); Object fsiObj = filters.next();
assertTrue(fsiObj instanceof FilterSecurityInterceptor); assertTrue(fsiObj instanceof FilterSecurityInterceptor);
FilterSecurityInterceptor fsi = (FilterSecurityInterceptor) fsiObj; FilterSecurityInterceptor fsi = (FilterSecurityInterceptor) fsiObj;
@ -639,7 +639,7 @@ public class HttpSecurityBeanDefinitionParserTests {
getFilter(UsernamePasswordAuthenticationProcessingFilter.class),"sessionStrategy.sessionRegistry"); getFilter(UsernamePasswordAuthenticationProcessingFilter.class),"sessionStrategy.sessionRegistry");
Object sessionRegistryFromController = FieldUtils.getFieldValue(getConcurrentSessionController(),"sessionRegistry"); Object sessionRegistryFromController = FieldUtils.getFieldValue(getConcurrentSessionController(),"sessionRegistry");
Object sessionRegistryFromFixationFilter = FieldUtils.getFieldValue( Object sessionRegistryFromFixationFilter = FieldUtils.getFieldValue(
getFilter(SessionFixationProtectionFilter.class),"sessionStrategy.sessionRegistry"); getFilter(SessionManagementFilter.class),"sessionStrategy.sessionRegistry");
assertSame(sessionRegistry, sessionRegistryFromConcurrencyFilter); assertSame(sessionRegistry, sessionRegistryFromConcurrencyFilter);
assertSame(sessionRegistry, sessionRegistryFromController); assertSame(sessionRegistry, sessionRegistryFromController);
@ -744,7 +744,7 @@ public class HttpSecurityBeanDefinitionParserTests {
"<http auto-config='true' session-fixation-protection='none'/>" + AUTH_PROVIDER_XML); "<http auto-config='true' session-fixation-protection='none'/>" + AUTH_PROVIDER_XML);
List<Filter> filters = getFilters("/someurl"); List<Filter> filters = getFilters("/someurl");
assertTrue(filters.get(8) instanceof ExceptionTranslationFilter); assertTrue(filters.get(8) instanceof ExceptionTranslationFilter);
assertFalse(filters.get(9) instanceof SessionFixationProtectionFilter); assertFalse(filters.get(9) instanceof SessionManagementFilter);
} }
/** /**


@ -27,7 +27,7 @@ import org.springframework.util.Assert;
* @version $Id$ * @version $Id$
* @since 2.0 * @since 2.0
*/ */
public class SessionFixationProtectionFilter extends SpringSecurityFilter { public class SessionManagementFilter extends SpringSecurityFilter {
//~ Static fields/initializers ===================================================================================== //~ Static fields/initializers =====================================================================================
static final String FILTER_APPLIED = "__spring_security_session_fixation_filter_applied"; static final String FILTER_APPLIED = "__spring_security_session_fixation_filter_applied";
@ -40,7 +40,7 @@ public class SessionFixationProtectionFilter extends SpringSecurityFilter {
private AuthenticationTrustResolver authenticationTrustResolver = new AuthenticationTrustResolverImpl(); private AuthenticationTrustResolver authenticationTrustResolver = new AuthenticationTrustResolverImpl();
public SessionFixationProtectionFilter(SecurityContextRepository securityContextRepository) { public SessionManagementFilter(SecurityContextRepository securityContextRepository) {
this.securityContextRepository = securityContextRepository; this.securityContextRepository = securityContextRepository;
} }
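Review bot: The class Javadoc that ends just above the renamed `public class SessionManagementFilter` declaration is not visible in this hunk, and since the commit message says the filter no longer performs session-fixation protection directly, it should be checked that the summary sentence now describes the filter's actual role, e.g. `Detects that a user has been authenticated since the start of the request and, if so, calls the configured AuthenticatedSessionStrategy; the strategy, not this filter, decides what session handling is applied.` The `FILTER_APPLIED` value `"__spring_security_session_fixation_filter_applied"` still carries the old name; it is an internal request attribute so leaving it is harmless, but a short comment such as `// attribute name predates the rename; kept as-is` would stop a later cosmetic change from being mistaken for a behavioural one.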


@ -22,7 +22,7 @@ import org.springframework.security.web.context.SecurityContextRepository;
* @author Luke Taylor * @author Luke Taylor
* @version $Id$ * @version $Id$
*/ */
public class SessionFixationProtectionFilterTests { public class SessionManagementFilterTests {
@After @After
public void clearContext() { public void clearContext() {
@ -32,7 +32,7 @@ public class SessionFixationProtectionFilterTests {
@Test @Test
public void newSessionShouldNotBeCreatedIfSessionExistsAndUserIsNotAuthenticated() throws Exception { public void newSessionShouldNotBeCreatedIfSessionExistsAndUserIsNotAuthenticated() throws Exception {
SecurityContextRepository repo = mock(SecurityContextRepository.class); SecurityContextRepository repo = mock(SecurityContextRepository.class);
SessionFixationProtectionFilter filter = new SessionFixationProtectionFilter(repo); SessionManagementFilter filter = new SessionManagementFilter(repo);
HttpServletRequest request = new MockHttpServletRequest(); HttpServletRequest request = new MockHttpServletRequest();
String sessionId = request.getSession().getId(); String sessionId = request.getSession().getId();
@ -47,7 +47,7 @@ public class SessionFixationProtectionFilterTests {
AuthenticatedSessionStrategy strategy = mock(AuthenticatedSessionStrategy.class); AuthenticatedSessionStrategy strategy = mock(AuthenticatedSessionStrategy.class);
// mock that repo contains a security context // mock that repo contains a security context
when(repo.containsContext(any(HttpServletRequest.class))).thenReturn(true); when(repo.containsContext(any(HttpServletRequest.class))).thenReturn(true);
SessionFixationProtectionFilter filter = new SessionFixationProtectionFilter(repo); SessionManagementFilter filter = new SessionManagementFilter(repo);
filter.setAuthenticatedSessionStrategy(strategy); filter.setAuthenticatedSessionStrategy(strategy);
HttpServletRequest request = new MockHttpServletRequest(); HttpServletRequest request = new MockHttpServletRequest();
authenticateUser(); authenticateUser();
@ -61,7 +61,7 @@ public class SessionFixationProtectionFilterTests {
public void strategyIsNotInvokedIfAuthenticationIsNull() throws Exception { public void strategyIsNotInvokedIfAuthenticationIsNull() throws Exception {
SecurityContextRepository repo = mock(SecurityContextRepository.class); SecurityContextRepository repo = mock(SecurityContextRepository.class);
AuthenticatedSessionStrategy strategy = mock(AuthenticatedSessionStrategy.class); AuthenticatedSessionStrategy strategy = mock(AuthenticatedSessionStrategy.class);
SessionFixationProtectionFilter filter = new SessionFixationProtectionFilter(repo); SessionManagementFilter filter = new SessionManagementFilter(repo);
filter.setAuthenticatedSessionStrategy(strategy); filter.setAuthenticatedSessionStrategy(strategy);
HttpServletRequest request = new MockHttpServletRequest(); HttpServletRequest request = new MockHttpServletRequest();
@ -75,7 +75,7 @@ public class SessionFixationProtectionFilterTests {
SecurityContextRepository repo = mock(SecurityContextRepository.class); SecurityContextRepository repo = mock(SecurityContextRepository.class);
// repo will return false to containsContext() // repo will return false to containsContext()
AuthenticatedSessionStrategy strategy = mock(AuthenticatedSessionStrategy.class); AuthenticatedSessionStrategy strategy = mock(AuthenticatedSessionStrategy.class);
SessionFixationProtectionFilter filter = new SessionFixationProtectionFilter(repo); SessionManagementFilter filter = new SessionManagementFilter(repo);
filter.setAuthenticatedSessionStrategy(strategy); filter.setAuthenticatedSessionStrategy(strategy);
HttpServletRequest request = new MockHttpServletRequest(); HttpServletRequest request = new MockHttpServletRequest();
authenticateUser(); authenticateUser();