SessionRegistryImpl is now aware of SessionIdChangedEvent

core/src/main/java/org/springframework/security/core/session/SessionIdChangedEvent.java

@@ -0,0 +1,29 @@
+/*
+ * Copyright 2002-2016 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.security.core.session;
+
+import org.springframework.context.ApplicationEvent;
+
+public abstract class SessionIdChangedEvent extends ApplicationEvent {
+
+	public SessionIdChangedEvent(Object source) {
+		super(source);
+	}
+
+	public abstract String getOldSessionId();
+
+	public abstract String getNewSessionId();
+}

core/src/main/java/org/springframework/security/core/session/SessionRegistryImpl.java

@@ -18,6 +18,7 @@ package org.springframework.security.core.session;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
+import org.springframework.context.ApplicationEvent;
 import org.springframework.context.ApplicationListener;
 import org.springframework.util.Assert;
 
@@ -40,7 +41,7 @@ import java.util.concurrent.CopyOnWriteArraySet;
  * @author Luke Taylor
  */
 public class SessionRegistryImpl implements SessionRegistry,
-		ApplicationListener<SessionDestroyedEvent> {
+		ApplicationListener<ApplicationEvent> {
 
 	// ~ Instance fields
 	// ================================================================================================
@@ -101,9 +102,18 @@ public class SessionRegistryImpl implements SessionRegistry,
 		return sessionIds.get(sessionId);
 	}
 
-	public void onApplicationEvent(SessionDestroyedEvent event) {
+	public void onApplicationEvent(ApplicationEvent event) {
-		String sessionId = event.getId();
+		if (event instanceof SessionDestroyedEvent) {
-		removeSessionInformation(sessionId);
+			SessionDestroyedEvent sessionDestroyedEvent = (SessionDestroyedEvent) event;
+			String sessionId = sessionDestroyedEvent.getId();
+			removeSessionInformation(sessionId);
+		} else if (event instanceof SessionIdChangedEvent) {
+			SessionIdChangedEvent sessionIdChangedEvent = (SessionIdChangedEvent) event;
+			String oldSessionId = sessionIdChangedEvent.getOldSessionId();
+			Object principal = sessionIds.get(oldSessionId).getPrincipal();
+			removeSessionInformation(oldSessionId);
+			registerNewSession(sessionIdChangedEvent.getNewSessionId(), principal);
+		}
 	}
 
 	public void refreshLastRequest(String sessionId) {

core/src/test/java/org/springframework/security/core/session/SessionRegistryImplTests.java

@@ -69,6 +69,33 @@ public class SessionRegistryImplTests {
 		assertThat(sessionRegistry.getSessionInformation(sessionId)).isNull();
 	}
 
+	@Test
+	public void sessionIdChangedEventRemovesOldSessionAndAddsANewSession() {
+		Object principal = "Some principal object";
+		final String sessionId = "zzzz";
+		final String newSessionId = "123";
+
+		// Register new Session
+		sessionRegistry.registerNewSession(sessionId, principal);
+
+		// De-register session via an ApplicationEvent
+		sessionRegistry.onApplicationEvent(new SessionIdChangedEvent("") {
+			@Override
+			public String getOldSessionId() {
+				return sessionId;
+			}
+
+			@Override
+			public String getNewSessionId() {
+				return newSessionId;
+			}
+		});
+
+		assertThat(sessionRegistry.getSessionInformation(sessionId)).isNull();
+		assertThat(sessionRegistry.getSessionInformation(newSessionId)).isNotNull();
+		assertThat(sessionRegistry.getSessionInformation(newSessionId).getPrincipal()).isEqualTo(principal);
+	}
+
 	@Test
 	public void testMultiplePrincipals() {
 		Object principal1 = "principal_1";

web/src/main/java/org/springframework/security/web/session/HttpSessionEventPublisher.java

@@ -25,6 +25,7 @@ import org.springframework.security.web.context.support.SecurityWebApplicationCo
 
 import javax.servlet.ServletContext;
 import javax.servlet.http.HttpSessionEvent;
+import javax.servlet.http.HttpSessionIdListener;
 import javax.servlet.http.HttpSessionListener;
 
 /**
@@ -44,7 +45,7 @@ import javax.servlet.http.HttpSessionListener;
  *
  * @author Ray Krueger
  */
-public class HttpSessionEventPublisher implements HttpSessionListener {
+public class HttpSessionEventPublisher implements HttpSessionListener, HttpSessionIdListener {
 	// ~ Static fields/initializers
 	// =====================================================================================
 
@@ -90,4 +91,16 @@ public class HttpSessionEventPublisher implements HttpSessionListener {
 
 		getContext(event.getSession().getServletContext()).publishEvent(e);
 	}
+
+	@Override
+	public void sessionIdChanged(HttpSessionEvent event, String oldSessionId) {
+		HttpSessionIdChangedEvent e = new HttpSessionIdChangedEvent(event.getSession(), oldSessionId);
+		Log log = LogFactory.getLog(LOGGER_NAME);
+
+		if (log.isDebugEnabled()) {
+			log.debug("Publishing event: " + e);
+		}
+
+		getContext(event.getSession().getServletContext()).publishEvent(e);
+	}
 }

web/src/main/java/org/springframework/security/web/session/HttpSessionIdChangedEvent.java

@@ -0,0 +1,48 @@
+/*
+ * Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.web.session;
+
+import javax.servlet.http.HttpSession;
+
+import org.springframework.security.core.session.SessionIdChangedEvent;
+
+/**
+ * Published by the {@link HttpSessionEventPublisher} when an {@code HttpSession} id
+ * is changed
+ *
+ */
+public class HttpSessionIdChangedEvent extends SessionIdChangedEvent {
+	private final String oldSessionId;
+	private final String newSessionid;
+	// ~ Constructors
+	// ===================================================================================================
+
+	public HttpSessionIdChangedEvent(HttpSession session, String oldSessionId) {
+		super(session);
+		this.oldSessionId = oldSessionId;
+		this.newSessionid = session.getId();
+	}
+
+	public String getOldSessionId() {
+		return oldSessionId;
+	}
+
+	@Override
+	public String getNewSessionId() {
+		return newSessionid;
+	}
+}

web/src/test/java/org/springframework/security/web/session/HttpSessionEventPublisherTests.java

@@ -72,6 +72,11 @@ public class HttpSessionEventPublisherTests {
 		assertThat(listener.getDestroyedEvent()).isNotNull();
 		assertThat(listener.getCreatedEvent()).isNull();
 		assertThat(listener.getDestroyedEvent().getSession()).isEqualTo(session);
+
+		publisher.sessionIdChanged(event, "oldSessionId");
+		assertThat(listener.getSessionIdChangedEvent()).isNotNull();
+		assertThat(listener.getSessionIdChangedEvent().getOldSessionId()).isEqualTo("oldSessionId");
+		listener.setSessionIdChangedEvent(null);
 	}
 
 	@Test
@@ -108,6 +113,11 @@ public class HttpSessionEventPublisherTests {
 		assertThat(listener.getDestroyedEvent()).isNotNull();
 		assertThat(listener.getCreatedEvent()).isNull();
 		assertThat(listener.getDestroyedEvent().getSession()).isEqualTo(session);
+
+		publisher.sessionIdChanged(event, "oldSessionId");
+		assertThat(listener.getSessionIdChangedEvent()).isNotNull();
+		assertThat(listener.getSessionIdChangedEvent().getOldSessionId()).isEqualTo("oldSessionId");
+		listener.setSessionIdChangedEvent(null);
 	}
 
 	// SEC-2599
@@ -131,4 +141,14 @@ public class HttpSessionEventPublisherTests {
 
 		publisher.sessionDestroyed(event);
 	}
+
+	@Test(expected = IllegalStateException.class)
+	public void sessionIdChangeNullApplicationContext() {
+		HttpSessionEventPublisher publisher = new HttpSessionEventPublisher();
+		MockServletContext servletContext = new MockServletContext();
+		MockHttpSession session = new MockHttpSession(servletContext);
+		HttpSessionEvent event = new HttpSessionEvent(session);
+
+		publisher.sessionIdChanged(event, "oldSessionId");
+	}
 }

web/src/test/java/org/springframework/security/web/session/MockApplicationListener.java

@@ -32,6 +32,7 @@ public class MockApplicationListener implements ApplicationListener<ApplicationE
 
 	private HttpSessionCreatedEvent createdEvent;
 	private HttpSessionDestroyedEvent destroyedEvent;
+	private HttpSessionIdChangedEvent sessionIdChangedEvent;
 
 	// ~ Methods
 	// ========================================================================================================
@@ -51,6 +52,9 @@ public class MockApplicationListener implements ApplicationListener<ApplicationE
 		else if (event instanceof HttpSessionDestroyedEvent) {
 			destroyedEvent = (HttpSessionDestroyedEvent) event;
 		}
+		else if (event instanceof HttpSessionIdChangedEvent) {
+			sessionIdChangedEvent = (HttpSessionIdChangedEvent) event;
+		}
 	}
 
 	public void setCreatedEvent(HttpSessionCreatedEvent createdEvent) {
@@ -60,4 +64,12 @@ public class MockApplicationListener implements ApplicationListener<ApplicationE
 	public void setDestroyedEvent(HttpSessionDestroyedEvent destroyedEvent) {
 		this.destroyedEvent = destroyedEvent;
 	}
+
+	public void setSessionIdChangedEvent(HttpSessionIdChangedEvent sessionIdChangedEvent) {
+		this.sessionIdChangedEvent = sessionIdChangedEvent;
+	}
+
+	public HttpSessionIdChangedEvent getSessionIdChangedEvent() {
+		return sessionIdChangedEvent;
+	}
 }