Add Java Configuration InvalidSessionStrategy (#3827)

Allow configuring the InvalidSessionStrategy in Java Configuration. Fixes gh-3371
2016-04-20 08:59:27 -05:00 · 2016-04-20 08:59:27 -05:00 · 51995dc187
parent b0028d4155
commit 51995dc187
2 changed files with 45 additions and 7 deletions
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurer.java
@ -126,6 +126,19 @@ public final class SessionManagementConfigurer<H extends HttpSecurityBuilder<H>>
 		return this;
 	}

+	/**
+	 * Setting this attribute will inject the provided invalidSessionStrategy into the
+	 * {@link SessionManagementFilter}. When an invalid session ID is submitted, the
+	 * strategy will be invoked, redirecting to the configured URL.
+	 * @param invalidSessionStrategy the strategy to use when an invalid session ID is submitted.
+	 * @return the {@link SessionManagementConfigurer} for further customization
+	 */
+	public SessionManagementConfigurer<H> invalidSessionStrategy(InvalidSessionStrategy invalidSessionStrategy) {
+		Assert.notNull(invalidSessionStrategy, "invalidSessionStrategy");
+		this.invalidSessionStrategy = invalidSessionStrategy;
+		return this;
+	}
+
 	/**
 	 * Defines the URL of the error page which should be shown when the
 	 * SessionAuthenticationStrategy raises an exception. If not set, an unauthorized
@ -401,9 +414,10 @@ public final class SessionManagementConfigurer<H extends HttpSecurityBuilder<H>>
 					.setAuthenticationFailureHandler(new SimpleUrlAuthenticationFailureHandler(
 							sessionAuthenticationErrorUrl));
 		}
-		if (invalidSessionUrl != null) {
+		InvalidSessionStrategy strategy = getInvalidSessionStrategy();
+		if (strategy != null) {
 			sessionManagementFilter
-					.setInvalidSessionStrategy(getInvalidSessionStrategy());
+					.setInvalidSessionStrategy(strategy);
 		}
 		AuthenticationTrustResolver trustResolver = http
 				.getSharedObject(AuthenticationTrustResolver.class);
@ -422,16 +436,17 @@ public final class SessionManagementConfigurer<H extends HttpSecurityBuilder<H>>
 	}

 	/**
-	 * Gets the {@link InvalidSessionStrategy} to use. If {@link #invalidSessionUrl} is
-	 * null, returns null otherwise {@link SimpleRedirectInvalidSessionStrategy} is used.
+	 * Gets the {@link InvalidSessionStrategy} to use. If null and
+	 * {@link #invalidSessionUrl} is not null defaults to
+	 * {@link SimpleRedirectInvalidSessionStrategy}.
 	 *
 	 * @return the {@link InvalidSessionStrategy} to use
 	 */
 	InvalidSessionStrategy getInvalidSessionStrategy() {
-		if (invalidSessionUrl == null) {
-			return null;
+		if(invalidSessionStrategy != null) {
+			return invalidSessionStrategy;
 		}
-		if (invalidSessionStrategy == null) {
+		if (invalidSessionUrl != null) {
 			invalidSessionStrategy = new SimpleRedirectInvalidSessionStrategy(
 					invalidSessionUrl);
 		}
--- a/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/NamespaceSessionManagementTests.groovy
+++ b/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/NamespaceSessionManagementTests.groovy
@ -32,6 +32,7 @@ import org.springframework.security.web.authentication.session.SessionFixationPr
 import org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy
 import org.springframework.security.web.session.ConcurrentSessionFilter
 import org.springframework.security.web.session.SessionManagementFilter
+import org.springframework.security.web.session.InvalidSessionStrategy

 /**
 *
@ -85,6 +86,28 @@ class NamespaceSessionManagementTests extends BaseSpringSpec {
 		}
 	}

+	// gh-3371
+	def "http/session-management custom invalidationstrategy"() {
+		setup:
+			InvalidSessionStrategyConfig.ISS = Mock(InvalidSessionStrategy)
+		when:
+			loadConfig(InvalidSessionStrategyConfig)
+		then:
+			findFilter(SessionManagementFilter).invalidSessionStrategy == InvalidSessionStrategyConfig.ISS
+	}
+
+	@EnableWebSecurity
+	static class InvalidSessionStrategyConfig extends WebSecurityConfigurerAdapter {
+		static InvalidSessionStrategy ISS
+
+		@Override
+		protected void configure(HttpSecurity http) throws Exception {
+			http
+				.sessionManagement()
+					.invalidSessionStrategy(ISS)
+		}
+	}
+
 	def "http/session-management refs"() {
 		setup:
 			RefsSessionManagementConfig.SAS = Mock(SessionAuthenticationStrategy)