SessionRegistryImpl is now aware of SessionIdChangedEvent

This commit is contained in:
Venkata Jaswanth 2018-06-14 01:36:07 +10:00 committed by Eleftheria Stein
parent ae532c080c
commit 5fc6414377
7 changed files with 164 additions and 5 deletions

View File

@ -0,0 +1,29 @@
/*
* Copyright 2002-2016 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.core.session;
import org.springframework.context.ApplicationEvent;
public abstract class SessionIdChangedEvent extends ApplicationEvent {
public SessionIdChangedEvent(Object source) {
super(source);
}
public abstract String getOldSessionId();
public abstract String getNewSessionId();
}

View File

@ -18,6 +18,7 @@ package org.springframework.security.core.session;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.context.ApplicationEvent;
import org.springframework.context.ApplicationListener;
import org.springframework.util.Assert;
@ -40,7 +41,7 @@ import java.util.concurrent.CopyOnWriteArraySet;
* @author Luke Taylor
*/
public class SessionRegistryImpl implements SessionRegistry,
ApplicationListener<SessionDestroyedEvent> {
ApplicationListener<ApplicationEvent> {
// ~ Instance fields
// ================================================================================================
@ -101,9 +102,18 @@ public class SessionRegistryImpl implements SessionRegistry,
return sessionIds.get(sessionId);
}
public void onApplicationEvent(SessionDestroyedEvent event) {
String sessionId = event.getId();
public void onApplicationEvent(ApplicationEvent event) {
if (event instanceof SessionDestroyedEvent) {
SessionDestroyedEvent sessionDestroyedEvent = (SessionDestroyedEvent) event;
String sessionId = sessionDestroyedEvent.getId();
removeSessionInformation(sessionId);
} else if (event instanceof SessionIdChangedEvent) {
SessionIdChangedEvent sessionIdChangedEvent = (SessionIdChangedEvent) event;
String oldSessionId = sessionIdChangedEvent.getOldSessionId();
Object principal = sessionIds.get(oldSessionId).getPrincipal();
removeSessionInformation(oldSessionId);
registerNewSession(sessionIdChangedEvent.getNewSessionId(), principal);
}
}
public void refreshLastRequest(String sessionId) {

View File

@ -69,6 +69,33 @@ public class SessionRegistryImplTests {
assertThat(sessionRegistry.getSessionInformation(sessionId)).isNull();
}
@Test
public void sessionIdChangedEventRemovesOldSessionAndAddsANewSession() {
Object principal = "Some principal object";
final String sessionId = "zzzz";
final String newSessionId = "123";
// Register new Session
sessionRegistry.registerNewSession(sessionId, principal);
// De-register session via an ApplicationEvent
sessionRegistry.onApplicationEvent(new SessionIdChangedEvent("") {
@Override
public String getOldSessionId() {
return sessionId;
}
@Override
public String getNewSessionId() {
return newSessionId;
}
});
assertThat(sessionRegistry.getSessionInformation(sessionId)).isNull();
assertThat(sessionRegistry.getSessionInformation(newSessionId)).isNotNull();
assertThat(sessionRegistry.getSessionInformation(newSessionId).getPrincipal()).isEqualTo(principal);
}
@Test
public void testMultiplePrincipals() {
Object principal1 = "principal_1";

View File

@ -25,6 +25,7 @@ import org.springframework.security.web.context.support.SecurityWebApplicationCo
import javax.servlet.ServletContext;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionIdListener;
import javax.servlet.http.HttpSessionListener;
/**
@ -44,7 +45,7 @@ import javax.servlet.http.HttpSessionListener;
*
* @author Ray Krueger
*/
public class HttpSessionEventPublisher implements HttpSessionListener {
public class HttpSessionEventPublisher implements HttpSessionListener, HttpSessionIdListener {
// ~ Static fields/initializers
// =====================================================================================
@ -90,4 +91,16 @@ public class HttpSessionEventPublisher implements HttpSessionListener {
getContext(event.getSession().getServletContext()).publishEvent(e);
}
@Override
public void sessionIdChanged(HttpSessionEvent event, String oldSessionId) {
HttpSessionIdChangedEvent e = new HttpSessionIdChangedEvent(event.getSession(), oldSessionId);
Log log = LogFactory.getLog(LOGGER_NAME);
if (log.isDebugEnabled()) {
log.debug("Publishing event: " + e);
}
getContext(event.getSession().getServletContext()).publishEvent(e);
}
}

View File

@ -0,0 +1,48 @@
/*
* Copyright 2004, 2005, 2006 Acegi Technology Pty Limited
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.web.session;
import javax.servlet.http.HttpSession;
import org.springframework.security.core.session.SessionIdChangedEvent;
/**
* Published by the {@link HttpSessionEventPublisher} when an {@code HttpSession} id
* is changed
*
*/
public class HttpSessionIdChangedEvent extends SessionIdChangedEvent {
private final String oldSessionId;
private final String newSessionid;
// ~ Constructors
// ===================================================================================================
public HttpSessionIdChangedEvent(HttpSession session, String oldSessionId) {
super(session);
this.oldSessionId = oldSessionId;
this.newSessionid = session.getId();
}
public String getOldSessionId() {
return oldSessionId;
}
@Override
public String getNewSessionId() {
return newSessionid;
}
}

View File

@ -72,6 +72,11 @@ public class HttpSessionEventPublisherTests {
assertThat(listener.getDestroyedEvent()).isNotNull();
assertThat(listener.getCreatedEvent()).isNull();
assertThat(listener.getDestroyedEvent().getSession()).isEqualTo(session);
publisher.sessionIdChanged(event, "oldSessionId");
assertThat(listener.getSessionIdChangedEvent()).isNotNull();
assertThat(listener.getSessionIdChangedEvent().getOldSessionId()).isEqualTo("oldSessionId");
listener.setSessionIdChangedEvent(null);
}
@Test
@ -108,6 +113,11 @@ public class HttpSessionEventPublisherTests {
assertThat(listener.getDestroyedEvent()).isNotNull();
assertThat(listener.getCreatedEvent()).isNull();
assertThat(listener.getDestroyedEvent().getSession()).isEqualTo(session);
publisher.sessionIdChanged(event, "oldSessionId");
assertThat(listener.getSessionIdChangedEvent()).isNotNull();
assertThat(listener.getSessionIdChangedEvent().getOldSessionId()).isEqualTo("oldSessionId");
listener.setSessionIdChangedEvent(null);
}
// SEC-2599
@ -131,4 +141,14 @@ public class HttpSessionEventPublisherTests {
publisher.sessionDestroyed(event);
}
@Test(expected = IllegalStateException.class)
public void sessionIdChangeNullApplicationContext() {
HttpSessionEventPublisher publisher = new HttpSessionEventPublisher();
MockServletContext servletContext = new MockServletContext();
MockHttpSession session = new MockHttpSession(servletContext);
HttpSessionEvent event = new HttpSessionEvent(session);
publisher.sessionIdChanged(event, "oldSessionId");
}
}

View File

@ -32,6 +32,7 @@ public class MockApplicationListener implements ApplicationListener<ApplicationE
private HttpSessionCreatedEvent createdEvent;
private HttpSessionDestroyedEvent destroyedEvent;
private HttpSessionIdChangedEvent sessionIdChangedEvent;
// ~ Methods
// ========================================================================================================
@ -51,6 +52,9 @@ public class MockApplicationListener implements ApplicationListener<ApplicationE
else if (event instanceof HttpSessionDestroyedEvent) {
destroyedEvent = (HttpSessionDestroyedEvent) event;
}
else if (event instanceof HttpSessionIdChangedEvent) {
sessionIdChangedEvent = (HttpSessionIdChangedEvent) event;
}
}
public void setCreatedEvent(HttpSessionCreatedEvent createdEvent) {
@ -60,4 +64,12 @@ public class MockApplicationListener implements ApplicationListener<ApplicationE
public void setDestroyedEvent(HttpSessionDestroyedEvent destroyedEvent) {
this.destroyedEvent = destroyedEvent;
}
public void setSessionIdChangedEvent(HttpSessionIdChangedEvent sessionIdChangedEvent) {
this.sessionIdChangedEvent = sessionIdChangedEvent;
}
public HttpSessionIdChangedEvent getSessionIdChangedEvent() {
return sessionIdChangedEvent;
}
}