SEC-1211: Rename SessionFixationProtectionFilter to SessionManagementFilter, since it no longer performs session-fixation protection directly, but just executes the AuthenticatedSessionStrategy.

config/src/main/java/org/springframework/security/config/http/DefaultFilterChainValidator.java

@@ -19,7 +19,7 @@ import org.springframework.security.web.authentication.UsernamePasswordAuthentic
 import org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter;
 import org.springframework.security.web.authentication.www.BasicProcessingFilter;
 import org.springframework.security.web.context.SecurityContextPersistenceFilter;
-import org.springframework.security.web.session.SessionFixationProtectionFilter;
+import org.springframework.security.web.session.SessionManagementFilter;
 import org.springframework.security.web.wrapper.SecurityContextHolderAwareRequestFilter;
 
 public class DefaultFilterChainValidator implements FilterChainProxy.FilterChainValidator{
@@ -52,7 +52,7 @@ public class DefaultFilterChainValidator implements FilterChainProxy.FilterChain
     private void checkFilterStack(List<Filter> filters) {
         checkForDuplicates(SecurityContextPersistenceFilter.class, filters);
         checkForDuplicates(UsernamePasswordAuthenticationProcessingFilter.class, filters);
-        checkForDuplicates(SessionFixationProtectionFilter.class, filters);
+        checkForDuplicates(SessionManagementFilter.class, filters);
         checkForDuplicates(BasicProcessingFilter.class, filters);
         checkForDuplicates(SecurityContextHolderAwareRequestFilter.class, filters);
         checkForDuplicates(ExceptionTranslationFilter.class, filters);

config/src/main/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParser.java

@@ -67,7 +67,7 @@ import org.springframework.security.web.context.SecurityContextPersistenceFilter
 import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
 import org.springframework.security.web.savedrequest.RequestCacheAwareFilter;
 import org.springframework.security.web.session.DefaultAuthenticatedSessionStrategy;
-import org.springframework.security.web.session.SessionFixationProtectionFilter;
+import org.springframework.security.web.session.SessionManagementFilter;
 import org.springframework.security.web.util.AntUrlPathMatcher;
 import org.springframework.security.web.util.RegexUrlPathMatcher;
 import org.springframework.security.web.util.UrlMatcher;
@@ -917,7 +917,7 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
 
         if (!sessionFixationAttribute.equals(OPT_SESSION_FIXATION_NO_PROTECTION)) {
             BeanDefinitionBuilder sessionFixationFilter =
-                BeanDefinitionBuilder.rootBeanDefinition(SessionFixationProtectionFilter.class);
+                BeanDefinitionBuilder.rootBeanDefinition(SessionManagementFilter.class);
             sessionFixationFilter.addConstructorArgValue(contextRepoRef);
 
             BeanDefinitionBuilder sessionStrategy = BeanDefinitionBuilder.rootBeanDefinition(DefaultAuthenticatedSessionStrategy.class);

config/src/test/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParserTests.java

@@ -72,7 +72,7 @@ import org.springframework.security.web.authentication.www.BasicProcessingFilter
 import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
 import org.springframework.security.web.context.SecurityContextPersistenceFilter;
 import org.springframework.security.web.savedrequest.RequestCacheAwareFilter;
-import org.springframework.security.web.session.SessionFixationProtectionFilter;
+import org.springframework.security.web.session.SessionManagementFilter;
 import org.springframework.security.web.wrapper.SecurityContextHolderAwareRequestFilter;
 import org.springframework.util.ReflectionUtils;
 
@@ -139,7 +139,7 @@ public class HttpSecurityBeanDefinitionParserTests {
         assertTrue(filters.next() instanceof SecurityContextHolderAwareRequestFilter);
         assertTrue(filters.next() instanceof AnonymousProcessingFilter);
         assertTrue(filters.next() instanceof ExceptionTranslationFilter);
-        assertTrue(filters.next() instanceof SessionFixationProtectionFilter);
+        assertTrue(filters.next() instanceof SessionManagementFilter);
         Object fsiObj = filters.next();
         assertTrue(fsiObj instanceof FilterSecurityInterceptor);
         FilterSecurityInterceptor fsi = (FilterSecurityInterceptor) fsiObj;
@@ -639,7 +639,7 @@ public class HttpSecurityBeanDefinitionParserTests {
                 getFilter(UsernamePasswordAuthenticationProcessingFilter.class),"sessionStrategy.sessionRegistry");
         Object sessionRegistryFromController = FieldUtils.getFieldValue(getConcurrentSessionController(),"sessionRegistry");
         Object sessionRegistryFromFixationFilter = FieldUtils.getFieldValue(
-                getFilter(SessionFixationProtectionFilter.class),"sessionStrategy.sessionRegistry");
+                getFilter(SessionManagementFilter.class),"sessionStrategy.sessionRegistry");
 
         assertSame(sessionRegistry, sessionRegistryFromConcurrencyFilter);
         assertSame(sessionRegistry, sessionRegistryFromController);
@@ -744,7 +744,7 @@ public class HttpSecurityBeanDefinitionParserTests {
                 "<http auto-config='true' session-fixation-protection='none'/>" + AUTH_PROVIDER_XML);
         List<Filter> filters = getFilters("/someurl");
         assertTrue(filters.get(8) instanceof ExceptionTranslationFilter);
-        assertFalse(filters.get(9) instanceof SessionFixationProtectionFilter);
+        assertFalse(filters.get(9) instanceof SessionManagementFilter);
     }
 
     /**

web/src/main/java/org/springframework/security/web/session/SessionManagementFilter.java

@@ -27,7 +27,7 @@ import org.springframework.util.Assert;
  * @version $Id$
  * @since 2.0
  */
-public class SessionFixationProtectionFilter extends SpringSecurityFilter {
+public class SessionManagementFilter extends SpringSecurityFilter {
     //~ Static fields/initializers =====================================================================================
 
     static final String FILTER_APPLIED = "__spring_security_session_fixation_filter_applied";
@@ -40,7 +40,7 @@ public class SessionFixationProtectionFilter extends SpringSecurityFilter {
 
     private AuthenticationTrustResolver authenticationTrustResolver = new AuthenticationTrustResolverImpl();
 
-    public SessionFixationProtectionFilter(SecurityContextRepository securityContextRepository) {
+    public SessionManagementFilter(SecurityContextRepository securityContextRepository) {
         this.securityContextRepository = securityContextRepository;
     }
 

web/src/test/java/org/springframework/security/web/session/SessionManagementFilterTests.java

@@ -22,7 +22,7 @@ import org.springframework.security.web.context.SecurityContextRepository;
  * @author Luke Taylor
  * @version $Id$
  */
-public class SessionFixationProtectionFilterTests {
+public class SessionManagementFilterTests {
 
     @After
     public void clearContext() {
@@ -32,7 +32,7 @@ public class SessionFixationProtectionFilterTests {
     @Test
     public void newSessionShouldNotBeCreatedIfSessionExistsAndUserIsNotAuthenticated() throws Exception {
         SecurityContextRepository repo = mock(SecurityContextRepository.class);
-        SessionFixationProtectionFilter filter = new SessionFixationProtectionFilter(repo);
+        SessionManagementFilter filter = new SessionManagementFilter(repo);
         HttpServletRequest request = new MockHttpServletRequest();
         String sessionId = request.getSession().getId();
 
@@ -47,7 +47,7 @@ public class SessionFixationProtectionFilterTests {
         AuthenticatedSessionStrategy strategy = mock(AuthenticatedSessionStrategy.class);
         // mock that repo contains a security context
         when(repo.containsContext(any(HttpServletRequest.class))).thenReturn(true);
-        SessionFixationProtectionFilter filter = new SessionFixationProtectionFilter(repo);
+        SessionManagementFilter filter = new SessionManagementFilter(repo);
         filter.setAuthenticatedSessionStrategy(strategy);
         HttpServletRequest request = new MockHttpServletRequest();
         authenticateUser();
@@ -61,7 +61,7 @@ public class SessionFixationProtectionFilterTests {
     public void strategyIsNotInvokedIfAuthenticationIsNull() throws Exception {
         SecurityContextRepository repo = mock(SecurityContextRepository.class);
         AuthenticatedSessionStrategy strategy = mock(AuthenticatedSessionStrategy.class);
-        SessionFixationProtectionFilter filter = new SessionFixationProtectionFilter(repo);
+        SessionManagementFilter filter = new SessionManagementFilter(repo);
         filter.setAuthenticatedSessionStrategy(strategy);
         HttpServletRequest request = new MockHttpServletRequest();
 
@@ -75,7 +75,7 @@ public class SessionFixationProtectionFilterTests {
         SecurityContextRepository repo = mock(SecurityContextRepository.class);
         // repo will return false to containsContext()
         AuthenticatedSessionStrategy strategy = mock(AuthenticatedSessionStrategy.class);
-        SessionFixationProtectionFilter filter = new SessionFixationProtectionFilter(repo);
+        SessionManagementFilter filter = new SessionManagementFilter(repo);
         filter.setAuthenticatedSessionStrategy(strategy);
         HttpServletRequest request = new MockHttpServletRequest();
         authenticateUser();