mirror of
https://github.com/spring-projects/spring-security.git
synced 2025-06-27 14:22:47 +00:00
Add Java Configuration InvalidSessionStrategy (#3827)
Allow configuring the InvalidSessionStrategy in Java Configuration. Fixes gh-3371
parent
b0028d4155
commit
51995dc187
@ -126,6 +126,19 @@ public final class SessionManagementConfigurer<H extends HttpSecurityBuilder<H>>
|
|||||||
return this;
|
return this;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Setting this attribute will inject the provided invalidSessionStrategy into the
|
||||||
|
* {@link SessionManagementFilter}. When an invalid session ID is submitted, the
|
||||||
|
* strategy will be invoked, redirecting to the configured URL.
|
||||||
|
* @param invalidSessionStrategy the strategy to use when an invalid session ID is submitted.
|
||||||
|
* @return the {@link SessionManagementConfigurer} for further customization
|
||||||
|
*/
|
||||||
|
public SessionManagementConfigurer<H> invalidSessionStrategy(InvalidSessionStrategy invalidSessionStrategy) {
|
||||||
|
Assert.notNull(invalidSessionStrategy, "invalidSessionStrategy");
|
||||||
|
this.invalidSessionStrategy = invalidSessionStrategy;
|
||||||
|
return this;
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Defines the URL of the error page which should be shown when the
|
* Defines the URL of the error page which should be shown when the
|
||||||
* SessionAuthenticationStrategy raises an exception. If not set, an unauthorized
|
* SessionAuthenticationStrategy raises an exception. If not set, an unauthorized
|
||||||
@ -401,9 +414,10 @@ public final class SessionManagementConfigurer<H extends HttpSecurityBuilder<H>>
|
|||||||
.setAuthenticationFailureHandler(new SimpleUrlAuthenticationFailureHandler(
|
.setAuthenticationFailureHandler(new SimpleUrlAuthenticationFailureHandler(
|
||||||
sessionAuthenticationErrorUrl));
|
sessionAuthenticationErrorUrl));
|
||||||
}
|
}
|
||||||
if (invalidSessionUrl != null) {
|
InvalidSessionStrategy strategy = getInvalidSessionStrategy();
|
||||||
|
if (strategy != null) {
|
||||||
sessionManagementFilter
|
sessionManagementFilter
|
||||||
.setInvalidSessionStrategy(getInvalidSessionStrategy());
|
.setInvalidSessionStrategy(strategy);
|
||||||
}
|
}
|
||||||
AuthenticationTrustResolver trustResolver = http
|
AuthenticationTrustResolver trustResolver = http
|
||||||
.getSharedObject(AuthenticationTrustResolver.class);
|
.getSharedObject(AuthenticationTrustResolver.class);
|
||||||
@ -422,16 +436,17 @@ public final class SessionManagementConfigurer<H extends HttpSecurityBuilder<H>>
|
|||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Gets the {@link InvalidSessionStrategy} to use. If {@link #invalidSessionUrl} is
|
* Gets the {@link InvalidSessionStrategy} to use. If null and
|
||||||
* null, returns null otherwise {@link SimpleRedirectInvalidSessionStrategy} is used.
|
* {@link #invalidSessionUrl} is not null defaults to
|
||||||
|
* {@link SimpleRedirectInvalidSessionStrategy}.
|
||||||
*
|
*
|
||||||
* @return the {@link InvalidSessionStrategy} to use
|
* @return the {@link InvalidSessionStrategy} to use
|
||||||
*/
|
*/
|
||||||
InvalidSessionStrategy getInvalidSessionStrategy() {
|
InvalidSessionStrategy getInvalidSessionStrategy() {
|
||||||
if (invalidSessionUrl == null) {
|
if(invalidSessionStrategy != null) {
|
||||||
return null;
|
return invalidSessionStrategy;
|
||||||
}
|
}
|
||||||
if (invalidSessionStrategy == null) {
|
if (invalidSessionUrl != null) {
|
||||||
invalidSessionStrategy = new SimpleRedirectInvalidSessionStrategy(
|
invalidSessionStrategy = new SimpleRedirectInvalidSessionStrategy(
|
||||||
invalidSessionUrl);
|
invalidSessionUrl);
|
||||||
}
|
}
|
||||||
|
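Review bot: The Javadoc added above `invalidSessionStrategy(InvalidSessionStrategy)` says the strategy redirects "to the configured URL", but the reordered `getInvalidSessionStrategy()` returns a caller-supplied strategy before `invalidSessionUrl` is consulted, so when both are configured the URL appears to be ignored without warning. I would state the precedence in the Javadoc, e.g. `* strategy will be invoked. A strategy set here takes precedence over any invalidSessionUrl.`, so nobody relies on a redirect that never happens for invalid session IDs. The null-check message is only the parameter name; `Assert.notNull(invalidSessionStrategy, "invalidSessionStrategy cannot be null");` reads better in a stack trace. `getInvalidSessionStrategy()` continues past the end of the last hunk, so its final return is not visible here.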
@ -32,6 +32,7 @@ import org.springframework.security.web.authentication.session.SessionFixationPr
|
|||||||
import org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy
|
import org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy
|
||||||
import org.springframework.security.web.session.ConcurrentSessionFilter
|
import org.springframework.security.web.session.ConcurrentSessionFilter
|
||||||
import org.springframework.security.web.session.SessionManagementFilter
|
import org.springframework.security.web.session.SessionManagementFilter
|
||||||
|
import org.springframework.security.web.session.InvalidSessionStrategy
|
||||||
|
|
||||||
/**
|
/**
|
||||||
*
|
*
|
||||||
@ -85,6 +86,28 @@ class NamespaceSessionManagementTests extends BaseSpringSpec {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// gh-3371
|
||||||
|
def "http/session-management custom invalidationstrategy"() {
|
||||||
|
setup:
|
||||||
|
InvalidSessionStrategyConfig.ISS = Mock(InvalidSessionStrategy)
|
||||||
|
when:
|
||||||
|
loadConfig(InvalidSessionStrategyConfig)
|
||||||
|
then:
|
||||||
|
findFilter(SessionManagementFilter).invalidSessionStrategy == InvalidSessionStrategyConfig.ISS
|
||||||
|
}
|
||||||
|
|
||||||
|
@EnableWebSecurity
|
||||||
|
static class InvalidSessionStrategyConfig extends WebSecurityConfigurerAdapter {
|
||||||
|
static InvalidSessionStrategy ISS
|
||||||
|
|
||||||
|
@Override
|
||||||
|
protected void configure(HttpSecurity http) throws Exception {
|
||||||
|
http
|
||||||
|
.sessionManagement()
|
||||||
|
.invalidSessionStrategy(ISS)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
def "http/session-management refs"() {
|
def "http/session-management refs"() {
|
||||||
setup:
|
setup:
|
||||||
RefsSessionManagementConfig.SAS = Mock(SessionAuthenticationStrategy)
|
RefsSessionManagementConfig.SAS = Mock(SessionAuthenticationStrategy)
|
||||||
|
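Review bot: The new spec `"http/session-management custom invalidationstrategy"` only covers a strategy configured on its own, so the case where a custom strategy and an invalid-session URL are both set is untested. A second case that configures both `.invalidSessionUrl(...)` and `.invalidSessionStrategy(ISS)` and asserts that the filter holds `ISS` would pin that behaviour. A case passing `null` should expect the `IllegalArgumentException` raised by the `Assert.notNull` guard. `InvalidSessionStrategyConfig.ISS` is a mutable static assigned in `setup:`; this matches the `RefsSessionManagementConfig.SAS` pattern just below, but it leaves the mock in place for later specs unless it is reset.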