SEC-1211: Rename SessionFixationProtectionFilter to SessionManagementFilter, since it no longer performs session-fixation protection directly, but just executes the AuthenticatedSessionStrategy.

Luke Taylor 2009-07-29 00:52:30 +00:00
parent 5e285b3692
commit 3e6054b69f
5 changed files with 15 additions and 15 deletions


@ -19,7 +19,7 @@ import org.springframework.security.web.authentication.UsernamePasswordAuthentic
import org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter;
import org.springframework.security.web.authentication.www.BasicProcessingFilter;
import org.springframework.security.web.context.SecurityContextPersistenceFilter;
import org.springframework.security.web.session.SessionFixationProtectionFilter;
import org.springframework.security.web.session.SessionManagementFilter;
import org.springframework.security.web.wrapper.SecurityContextHolderAwareRequestFilter;
public class DefaultFilterChainValidator implements FilterChainProxy.FilterChainValidator{
@ -52,7 +52,7 @@ public class DefaultFilterChainValidator implements FilterChainProxy.FilterChain
private void checkFilterStack(List<Filter> filters) {
checkForDuplicates(SecurityContextPersistenceFilter.class, filters);
checkForDuplicates(UsernamePasswordAuthenticationProcessingFilter.class, filters);
checkForDuplicates(SessionFixationProtectionFilter.class, filters);
checkForDuplicates(SessionManagementFilter.class, filters);
checkForDuplicates(BasicProcessingFilter.class, filters);
checkForDuplicates(SecurityContextHolderAwareRequestFilter.class, filters);
checkForDuplicates(ExceptionTranslationFilter.class, filters);


@ -67,7 +67,7 @@ import org.springframework.security.web.context.SecurityContextPersistenceFilter
import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
import org.springframework.security.web.savedrequest.RequestCacheAwareFilter;
import org.springframework.security.web.session.DefaultAuthenticatedSessionStrategy;
import org.springframework.security.web.session.SessionFixationProtectionFilter;
import org.springframework.security.web.session.SessionManagementFilter;
import org.springframework.security.web.util.AntUrlPathMatcher;
import org.springframework.security.web.util.RegexUrlPathMatcher;
import org.springframework.security.web.util.UrlMatcher;
@ -917,7 +917,7 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
if (!sessionFixationAttribute.equals(OPT_SESSION_FIXATION_NO_PROTECTION)) {
BeanDefinitionBuilder sessionFixationFilter =
BeanDefinitionBuilder.rootBeanDefinition(SessionFixationProtectionFilter.class);
BeanDefinitionBuilder.rootBeanDefinition(SessionManagementFilter.class);
sessionFixationFilter.addConstructorArgValue(contextRepoRef);
BeanDefinitionBuilder sessionStrategy = BeanDefinitionBuilder.rootBeanDefinition(DefaultAuthenticatedSessionStrategy.class);
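Review bot: The filter now named SessionManagementFilter is still registered only inside `if (!sessionFixationAttribute.equals(OPT_SESSION_FIXATION_NO_PROTECTION))`, and its builder is still called `sessionFixationFilter`, so the parser keeps treating it as the fixation filter that the commit message says it no longer is. With `session-fixation-protection='none'` no SessionManagementFilter is added at all, which the parser test in this commit asserts; if the AuthenticatedSessionStrategy is meant to carry other session checks (the tests read `sessionStrategy.sessionRegistry` from this filter), those would presumably be skipped as well, so that is worth confirming. At minimum I would rename the local to `sessionMgmtFilter` and add a comment such as `// NOTE: filter is omitted entirely when session-fixation-protection='none'`. The enclosing method starts and ends outside this hunk.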


@ -72,7 +72,7 @@ import org.springframework.security.web.authentication.www.BasicProcessingFilter
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextPersistenceFilter;
import org.springframework.security.web.savedrequest.RequestCacheAwareFilter;
import org.springframework.security.web.session.SessionFixationProtectionFilter;
import org.springframework.security.web.session.SessionManagementFilter;
import org.springframework.security.web.wrapper.SecurityContextHolderAwareRequestFilter;
import org.springframework.util.ReflectionUtils;
@ -139,7 +139,7 @@ public class HttpSecurityBeanDefinitionParserTests {
assertTrue(filters.next() instanceof SecurityContextHolderAwareRequestFilter);
assertTrue(filters.next() instanceof AnonymousProcessingFilter);
assertTrue(filters.next() instanceof ExceptionTranslationFilter);
assertTrue(filters.next() instanceof SessionFixationProtectionFilter);
assertTrue(filters.next() instanceof SessionManagementFilter);
Object fsiObj = filters.next();
assertTrue(fsiObj instanceof FilterSecurityInterceptor);
FilterSecurityInterceptor fsi = (FilterSecurityInterceptor) fsiObj;
@ -639,7 +639,7 @@ public class HttpSecurityBeanDefinitionParserTests {
getFilter(UsernamePasswordAuthenticationProcessingFilter.class),"sessionStrategy.sessionRegistry");
Object sessionRegistryFromController = FieldUtils.getFieldValue(getConcurrentSessionController(),"sessionRegistry");
Object sessionRegistryFromFixationFilter = FieldUtils.getFieldValue(
getFilter(SessionFixationProtectionFilter.class),"sessionStrategy.sessionRegistry");
getFilter(SessionManagementFilter.class),"sessionStrategy.sessionRegistry");
assertSame(sessionRegistry, sessionRegistryFromConcurrencyFilter);
assertSame(sessionRegistry, sessionRegistryFromController);
@ -744,7 +744,7 @@ public class HttpSecurityBeanDefinitionParserTests {
"<http auto-config='true' session-fixation-protection='none'/>" + AUTH_PROVIDER_XML);
List<Filter> filters = getFilters("/someurl");
assertTrue(filters.get(8) instanceof ExceptionTranslationFilter);
assertFalse(filters.get(9) instanceof SessionFixationProtectionFilter);
assertFalse(filters.get(9) instanceof SessionManagementFilter);
}
/**


@ -27,7 +27,7 @@ import org.springframework.util.Assert;
* @version $Id$
* @since 2.0
*/
public class SessionFixationProtectionFilter extends SpringSecurityFilter {
public class SessionManagementFilter extends SpringSecurityFilter {
//~ Static fields/initializers =====================================================================================
static final String FILTER_APPLIED = "__spring_security_session_fixation_filter_applied";
@ -40,7 +40,7 @@ public class SessionFixationProtectionFilter extends SpringSecurityFilter {
private AuthenticationTrustResolver authenticationTrustResolver = new AuthenticationTrustResolverImpl();
public SessionFixationProtectionFilter(SecurityContextRepository securityContextRepository) {
public SessionManagementFilter(SecurityContextRepository securityContextRepository) {
this.securityContextRepository = securityContextRepository;
}
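Review bot: `FILTER_APPLIED` in the first hunk of this file still holds `"__spring_security_session_fixation_filter_applied"` after the class is renamed, so the marker key (presumably a request attribute) names a filter that no longer exists. The field is package-private, so changing the value looks safe, e.g. `static final String FILTER_APPLIED = "__spring_security_session_mgmt_filter_applied";`, though anything that reads the attribute by its literal string would need checking. The class Javadoc above the declaration is cut off by the hunk and should be reviewed for leftover session-fixation wording as well.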


@ -22,7 +22,7 @@ import org.springframework.security.web.context.SecurityContextRepository;
* @author Luke Taylor
* @version $Id$
*/
public class SessionFixationProtectionFilterTests {
public class SessionManagementFilterTests {
@After
public void clearContext() {
@ -32,7 +32,7 @@ public class SessionFixationProtectionFilterTests {
@Test
public void newSessionShouldNotBeCreatedIfSessionExistsAndUserIsNotAuthenticated() throws Exception {
SecurityContextRepository repo = mock(SecurityContextRepository.class);
SessionFixationProtectionFilter filter = new SessionFixationProtectionFilter(repo);
SessionManagementFilter filter = new SessionManagementFilter(repo);
HttpServletRequest request = new MockHttpServletRequest();
String sessionId = request.getSession().getId();
@ -47,7 +47,7 @@ public class SessionFixationProtectionFilterTests {
AuthenticatedSessionStrategy strategy = mock(AuthenticatedSessionStrategy.class);
// mock that repo contains a security context
when(repo.containsContext(any(HttpServletRequest.class))).thenReturn(true);
SessionFixationProtectionFilter filter = new SessionFixationProtectionFilter(repo);
SessionManagementFilter filter = new SessionManagementFilter(repo);
filter.setAuthenticatedSessionStrategy(strategy);
HttpServletRequest request = new MockHttpServletRequest();
authenticateUser();
@ -61,7 +61,7 @@ public class SessionFixationProtectionFilterTests {
public void strategyIsNotInvokedIfAuthenticationIsNull() throws Exception {
SecurityContextRepository repo = mock(SecurityContextRepository.class);
AuthenticatedSessionStrategy strategy = mock(AuthenticatedSessionStrategy.class);
SessionFixationProtectionFilter filter = new SessionFixationProtectionFilter(repo);
SessionManagementFilter filter = new SessionManagementFilter(repo);
filter.setAuthenticatedSessionStrategy(strategy);
HttpServletRequest request = new MockHttpServletRequest();
@ -75,7 +75,7 @@ public class SessionFixationProtectionFilterTests {
SecurityContextRepository repo = mock(SecurityContextRepository.class);
// repo will return false to containsContext()
AuthenticatedSessionStrategy strategy = mock(AuthenticatedSessionStrategy.class);
SessionFixationProtectionFilter filter = new SessionFixationProtectionFilter(repo);
SessionManagementFilter filter = new SessionManagementFilter(repo);
filter.setAuthenticatedSessionStrategy(strategy);
HttpServletRequest request = new MockHttpServletRequest();
authenticateUser();