SEC-1211: Rename SessionFixationProtectionFilter to SessionManagementFilter, since it no longer performs session-fixation protection directly, but just executes the AuthenticatedSessionStrategy.
This commit is contained in:
parent
5e285b3692
commit
3e6054b69f
|
@ -19,7 +19,7 @@ import org.springframework.security.web.authentication.UsernamePasswordAuthentic
|
||||||
import org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter;
|
import org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter;
|
||||||
import org.springframework.security.web.authentication.www.BasicProcessingFilter;
|
import org.springframework.security.web.authentication.www.BasicProcessingFilter;
|
||||||
import org.springframework.security.web.context.SecurityContextPersistenceFilter;
|
import org.springframework.security.web.context.SecurityContextPersistenceFilter;
|
||||||
import org.springframework.security.web.session.SessionFixationProtectionFilter;
|
import org.springframework.security.web.session.SessionManagementFilter;
|
||||||
import org.springframework.security.web.wrapper.SecurityContextHolderAwareRequestFilter;
|
import org.springframework.security.web.wrapper.SecurityContextHolderAwareRequestFilter;
|
||||||
|
|
||||||
public class DefaultFilterChainValidator implements FilterChainProxy.FilterChainValidator{
|
public class DefaultFilterChainValidator implements FilterChainProxy.FilterChainValidator{
|
||||||
|
@ -52,7 +52,7 @@ public class DefaultFilterChainValidator implements FilterChainProxy.FilterChain
|
||||||
private void checkFilterStack(List<Filter> filters) {
|
private void checkFilterStack(List<Filter> filters) {
|
||||||
checkForDuplicates(SecurityContextPersistenceFilter.class, filters);
|
checkForDuplicates(SecurityContextPersistenceFilter.class, filters);
|
||||||
checkForDuplicates(UsernamePasswordAuthenticationProcessingFilter.class, filters);
|
checkForDuplicates(UsernamePasswordAuthenticationProcessingFilter.class, filters);
|
||||||
checkForDuplicates(SessionFixationProtectionFilter.class, filters);
|
checkForDuplicates(SessionManagementFilter.class, filters);
|
||||||
checkForDuplicates(BasicProcessingFilter.class, filters);
|
checkForDuplicates(BasicProcessingFilter.class, filters);
|
||||||
checkForDuplicates(SecurityContextHolderAwareRequestFilter.class, filters);
|
checkForDuplicates(SecurityContextHolderAwareRequestFilter.class, filters);
|
||||||
checkForDuplicates(ExceptionTranslationFilter.class, filters);
|
checkForDuplicates(ExceptionTranslationFilter.class, filters);
|
||||||
|
|
|
@ -67,7 +67,7 @@ import org.springframework.security.web.context.SecurityContextPersistenceFilter
|
||||||
import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
|
import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
|
||||||
import org.springframework.security.web.savedrequest.RequestCacheAwareFilter;
|
import org.springframework.security.web.savedrequest.RequestCacheAwareFilter;
|
||||||
import org.springframework.security.web.session.DefaultAuthenticatedSessionStrategy;
|
import org.springframework.security.web.session.DefaultAuthenticatedSessionStrategy;
|
||||||
import org.springframework.security.web.session.SessionFixationProtectionFilter;
|
import org.springframework.security.web.session.SessionManagementFilter;
|
||||||
import org.springframework.security.web.util.AntUrlPathMatcher;
|
import org.springframework.security.web.util.AntUrlPathMatcher;
|
||||||
import org.springframework.security.web.util.RegexUrlPathMatcher;
|
import org.springframework.security.web.util.RegexUrlPathMatcher;
|
||||||
import org.springframework.security.web.util.UrlMatcher;
|
import org.springframework.security.web.util.UrlMatcher;
|
||||||
|
@ -917,7 +917,7 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
|
||||||
|
|
||||||
if (!sessionFixationAttribute.equals(OPT_SESSION_FIXATION_NO_PROTECTION)) {
|
if (!sessionFixationAttribute.equals(OPT_SESSION_FIXATION_NO_PROTECTION)) {
|
||||||
BeanDefinitionBuilder sessionFixationFilter =
|
BeanDefinitionBuilder sessionFixationFilter =
|
||||||
BeanDefinitionBuilder.rootBeanDefinition(SessionFixationProtectionFilter.class);
|
BeanDefinitionBuilder.rootBeanDefinition(SessionManagementFilter.class);
|
||||||
sessionFixationFilter.addConstructorArgValue(contextRepoRef);
|
sessionFixationFilter.addConstructorArgValue(contextRepoRef);
|
||||||
|
|
||||||
BeanDefinitionBuilder sessionStrategy = BeanDefinitionBuilder.rootBeanDefinition(DefaultAuthenticatedSessionStrategy.class);
|
BeanDefinitionBuilder sessionStrategy = BeanDefinitionBuilder.rootBeanDefinition(DefaultAuthenticatedSessionStrategy.class);
|
||||||
|
|
|
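Review bot: The rename is incomplete in this hunk — the builder local is still named `sessionFixationFilter` on the `BeanDefinitionBuilder.rootBeanDefinition(SessionManagementFilter.class)` line, and the same leftover naming survives as `sessionRegistryFromFixationFilter` in HttpSecurityBeanDefinitionParserTests and as the request-attribute key `FILTER_APPLIED = "__spring_security_session_fixation_filter_applied"` in SessionManagementFilter. Renaming the local to `sessionManagementFilter` is a safe cosmetic change, whereas the attribute key is runtime state that other code may read, so if it is deliberately kept a comment such as `// key retained from SessionFixationProtectionFilter for compatibility` would stop the next reader from "fixing" it. Registration of the filter is still gated on `sessionFixationAttribute` not equalling `OPT_SESSION_FIXATION_NO_PROTECTION` (and the test at the `session-fixation-protection='none'` hunk asserts its absence), which presumably means a configuration that turns fixation protection off also loses anything else the configured AuthenticatedSessionStrategy does — worth confirming that is intended now the filter is general-purpose. The enclosing parse method begins and ends outside the hunk.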
@ -72,7 +72,7 @@ import org.springframework.security.web.authentication.www.BasicProcessingFilter
|
||||||
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
|
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
|
||||||
import org.springframework.security.web.context.SecurityContextPersistenceFilter;
|
import org.springframework.security.web.context.SecurityContextPersistenceFilter;
|
||||||
import org.springframework.security.web.savedrequest.RequestCacheAwareFilter;
|
import org.springframework.security.web.savedrequest.RequestCacheAwareFilter;
|
||||||
import org.springframework.security.web.session.SessionFixationProtectionFilter;
|
import org.springframework.security.web.session.SessionManagementFilter;
|
||||||
import org.springframework.security.web.wrapper.SecurityContextHolderAwareRequestFilter;
|
import org.springframework.security.web.wrapper.SecurityContextHolderAwareRequestFilter;
|
||||||
import org.springframework.util.ReflectionUtils;
|
import org.springframework.util.ReflectionUtils;
|
||||||
|
|
||||||
|
@ -139,7 +139,7 @@ public class HttpSecurityBeanDefinitionParserTests {
|
||||||
assertTrue(filters.next() instanceof SecurityContextHolderAwareRequestFilter);
|
assertTrue(filters.next() instanceof SecurityContextHolderAwareRequestFilter);
|
||||||
assertTrue(filters.next() instanceof AnonymousProcessingFilter);
|
assertTrue(filters.next() instanceof AnonymousProcessingFilter);
|
||||||
assertTrue(filters.next() instanceof ExceptionTranslationFilter);
|
assertTrue(filters.next() instanceof ExceptionTranslationFilter);
|
||||||
assertTrue(filters.next() instanceof SessionFixationProtectionFilter);
|
assertTrue(filters.next() instanceof SessionManagementFilter);
|
||||||
Object fsiObj = filters.next();
|
Object fsiObj = filters.next();
|
||||||
assertTrue(fsiObj instanceof FilterSecurityInterceptor);
|
assertTrue(fsiObj instanceof FilterSecurityInterceptor);
|
||||||
FilterSecurityInterceptor fsi = (FilterSecurityInterceptor) fsiObj;
|
FilterSecurityInterceptor fsi = (FilterSecurityInterceptor) fsiObj;
|
||||||
|
@ -639,7 +639,7 @@ public class HttpSecurityBeanDefinitionParserTests {
|
||||||
getFilter(UsernamePasswordAuthenticationProcessingFilter.class),"sessionStrategy.sessionRegistry");
|
getFilter(UsernamePasswordAuthenticationProcessingFilter.class),"sessionStrategy.sessionRegistry");
|
||||||
Object sessionRegistryFromController = FieldUtils.getFieldValue(getConcurrentSessionController(),"sessionRegistry");
|
Object sessionRegistryFromController = FieldUtils.getFieldValue(getConcurrentSessionController(),"sessionRegistry");
|
||||||
Object sessionRegistryFromFixationFilter = FieldUtils.getFieldValue(
|
Object sessionRegistryFromFixationFilter = FieldUtils.getFieldValue(
|
||||||
getFilter(SessionFixationProtectionFilter.class),"sessionStrategy.sessionRegistry");
|
getFilter(SessionManagementFilter.class),"sessionStrategy.sessionRegistry");
|
||||||
|
|
||||||
assertSame(sessionRegistry, sessionRegistryFromConcurrencyFilter);
|
assertSame(sessionRegistry, sessionRegistryFromConcurrencyFilter);
|
||||||
assertSame(sessionRegistry, sessionRegistryFromController);
|
assertSame(sessionRegistry, sessionRegistryFromController);
|
||||||
|
@ -744,7 +744,7 @@ public class HttpSecurityBeanDefinitionParserTests {
|
||||||
"<http auto-config='true' session-fixation-protection='none'/>" + AUTH_PROVIDER_XML);
|
"<http auto-config='true' session-fixation-protection='none'/>" + AUTH_PROVIDER_XML);
|
||||||
List<Filter> filters = getFilters("/someurl");
|
List<Filter> filters = getFilters("/someurl");
|
||||||
assertTrue(filters.get(8) instanceof ExceptionTranslationFilter);
|
assertTrue(filters.get(8) instanceof ExceptionTranslationFilter);
|
||||||
assertFalse(filters.get(9) instanceof SessionFixationProtectionFilter);
|
assertFalse(filters.get(9) instanceof SessionManagementFilter);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
|
|
@ -27,7 +27,7 @@ import org.springframework.util.Assert;
|
||||||
* @version $Id$
|
* @version $Id$
|
||||||
* @since 2.0
|
* @since 2.0
|
||||||
*/
|
*/
|
||||||
public class SessionFixationProtectionFilter extends SpringSecurityFilter {
|
public class SessionManagementFilter extends SpringSecurityFilter {
|
||||||
//~ Static fields/initializers =====================================================================================
|
//~ Static fields/initializers =====================================================================================
|
||||||
|
|
||||||
static final String FILTER_APPLIED = "__spring_security_session_fixation_filter_applied";
|
static final String FILTER_APPLIED = "__spring_security_session_fixation_filter_applied";
|
||||||
|
@ -40,7 +40,7 @@ public class SessionFixationProtectionFilter extends SpringSecurityFilter {
|
||||||
|
|
||||||
private AuthenticationTrustResolver authenticationTrustResolver = new AuthenticationTrustResolverImpl();
|
private AuthenticationTrustResolver authenticationTrustResolver = new AuthenticationTrustResolverImpl();
|
||||||
|
|
||||||
public SessionFixationProtectionFilter(SecurityContextRepository securityContextRepository) {
|
public SessionManagementFilter(SecurityContextRepository securityContextRepository) {
|
||||||
this.securityContextRepository = securityContextRepository;
|
this.securityContextRepository = securityContextRepository;
|
||||||
}
|
}
|
||||||
|
|
|
@ -22,7 +22,7 @@ import org.springframework.security.web.context.SecurityContextRepository;
|
||||||
* @author Luke Taylor
|
* @author Luke Taylor
|
||||||
* @version $Id$
|
* @version $Id$
|
||||||
*/
|
*/
|
||||||
public class SessionFixationProtectionFilterTests {
|
public class SessionManagementFilterTests {
|
||||||
|
|
||||||
@After
|
@After
|
||||||
public void clearContext() {
|
public void clearContext() {
|
||||||
|
@ -32,7 +32,7 @@ public class SessionFixationProtectionFilterTests {
|
||||||
@Test
|
@Test
|
||||||
public void newSessionShouldNotBeCreatedIfSessionExistsAndUserIsNotAuthenticated() throws Exception {
|
public void newSessionShouldNotBeCreatedIfSessionExistsAndUserIsNotAuthenticated() throws Exception {
|
||||||
SecurityContextRepository repo = mock(SecurityContextRepository.class);
|
SecurityContextRepository repo = mock(SecurityContextRepository.class);
|
||||||
SessionFixationProtectionFilter filter = new SessionFixationProtectionFilter(repo);
|
SessionManagementFilter filter = new SessionManagementFilter(repo);
|
||||||
HttpServletRequest request = new MockHttpServletRequest();
|
HttpServletRequest request = new MockHttpServletRequest();
|
||||||
String sessionId = request.getSession().getId();
|
String sessionId = request.getSession().getId();
|
||||||
|
|
||||||
|
@ -47,7 +47,7 @@ public class SessionFixationProtectionFilterTests {
|
||||||
AuthenticatedSessionStrategy strategy = mock(AuthenticatedSessionStrategy.class);
|
AuthenticatedSessionStrategy strategy = mock(AuthenticatedSessionStrategy.class);
|
||||||
// mock that repo contains a security context
|
// mock that repo contains a security context
|
||||||
when(repo.containsContext(any(HttpServletRequest.class))).thenReturn(true);
|
when(repo.containsContext(any(HttpServletRequest.class))).thenReturn(true);
|
||||||
SessionFixationProtectionFilter filter = new SessionFixationProtectionFilter(repo);
|
SessionManagementFilter filter = new SessionManagementFilter(repo);
|
||||||
filter.setAuthenticatedSessionStrategy(strategy);
|
filter.setAuthenticatedSessionStrategy(strategy);
|
||||||
HttpServletRequest request = new MockHttpServletRequest();
|
HttpServletRequest request = new MockHttpServletRequest();
|
||||||
authenticateUser();
|
authenticateUser();
|
||||||
|
@ -61,7 +61,7 @@ public class SessionFixationProtectionFilterTests {
|
||||||
public void strategyIsNotInvokedIfAuthenticationIsNull() throws Exception {
|
public void strategyIsNotInvokedIfAuthenticationIsNull() throws Exception {
|
||||||
SecurityContextRepository repo = mock(SecurityContextRepository.class);
|
SecurityContextRepository repo = mock(SecurityContextRepository.class);
|
||||||
AuthenticatedSessionStrategy strategy = mock(AuthenticatedSessionStrategy.class);
|
AuthenticatedSessionStrategy strategy = mock(AuthenticatedSessionStrategy.class);
|
||||||
SessionFixationProtectionFilter filter = new SessionFixationProtectionFilter(repo);
|
SessionManagementFilter filter = new SessionManagementFilter(repo);
|
||||||
filter.setAuthenticatedSessionStrategy(strategy);
|
filter.setAuthenticatedSessionStrategy(strategy);
|
||||||
HttpServletRequest request = new MockHttpServletRequest();
|
HttpServletRequest request = new MockHttpServletRequest();
|
||||||
|
|
||||||
|
@ -75,7 +75,7 @@ public class SessionFixationProtectionFilterTests {
|
||||||
SecurityContextRepository repo = mock(SecurityContextRepository.class);
|
SecurityContextRepository repo = mock(SecurityContextRepository.class);
|
||||||
// repo will return false to containsContext()
|
// repo will return false to containsContext()
|
||||||
AuthenticatedSessionStrategy strategy = mock(AuthenticatedSessionStrategy.class);
|
AuthenticatedSessionStrategy strategy = mock(AuthenticatedSessionStrategy.class);
|
||||||
SessionFixationProtectionFilter filter = new SessionFixationProtectionFilter(repo);
|
SessionManagementFilter filter = new SessionManagementFilter(repo);
|
||||||
filter.setAuthenticatedSessionStrategy(strategy);
|
filter.setAuthenticatedSessionStrategy(strategy);
|
||||||
HttpServletRequest request = new MockHttpServletRequest();
|
HttpServletRequest request = new MockHttpServletRequest();
|
||||||
authenticateUser();
|
authenticateUser();
|