Updated integration tests to detect case reported as SPR-7563.

itest/web/src/main/webapp/WEB-INF/http-security-concurrency.xml

@@ -0,0 +1,32 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<beans:beans xmlns="http://www.springframework.org/schema/security"
+    xmlns:beans="http://www.springframework.org/schema/beans"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
+                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
+
+    <debug />
+
+    <!--
+       Http App Context to test form login, remember-me and concurrent session control.
+       Needs to be supplemented with authentication provider(s)
+    -->
+    <http pattern="/login.jsp" security="none" />
+
+    <http use-expressions="true">
+        <intercept-url pattern="/secure/**" access="hasAnyRole('ROLE_DEVELOPER','ROLE_USER')" />
+        <intercept-url pattern="/**" access="hasAnyRole('ROLE_DEVELOPER','ROLE_USER')" />
+
+        <form-login login-page="/login.jsp" authentication-failure-url="/login.jsp?login_error=true"/>
+        <http-basic/>
+
+        <!-- Default logout configuration -->
+        <logout logout-url="/logout"/>
+
+        <session-management>
+            <concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
+        </session-management>
+    </http>
+
+</beans:beans>

itest/web/src/main/webapp/WEB-INF/http-security-custom-concurrency.xml

@@ -12,6 +12,7 @@
         <intercept-url pattern="/**" access="ROLE_DEVELOPER,ROLE_USER" />
 
         <session-management session-authentication-strategy-ref="sas"/>
+        <logout />
 
         <custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter" />
         <custom-filter position="FORM_LOGIN_FILTER" ref="myAuthFilter" />

itest/web/src/main/webapp/login.jsp

@@ -1,5 +1,3 @@
-<!-- %@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" % -->
-
 <!-- Not used unless you declare a <form-login login-page="/login.jsp"/> element -->
 
 <html>
@@ -13,9 +11,7 @@
 <%
   if (request.getParameter("login_error") != null) {
 %>
-      <font color="red">
+Your login attempt was not successful, try again. ${SPRING_SECURITY_LAST_EXCEPTION.message}<br/><br/>
-        Your login attempt was not successful, try again.<br/><br/>
-      </font>
 <%
   }
 %>

itest/web/src/test/java/org/springframework/security/integration/AbstractWebServerIntegrationTests.java

@@ -108,7 +108,7 @@ public abstract class AbstractWebServerIntegrationTests {
         return getAppContext().getBean(beanName);
     }
 
-    private WebApplicationContext getAppContext() {
+    protected final WebApplicationContext getAppContext() {
         ServletContext servletCtx = ((WebAppContext)server.getHandler()).getServletContext();
         WebApplicationContext appCtx =
                 WebApplicationContextUtils.getRequiredWebApplicationContext(servletCtx);

itest/web/src/test/java/org/springframework/security/integration/ConcurrentSessionManagementTests.java

@@ -0,0 +1,44 @@
+package org.springframework.security.integration;
+
+import net.sourceforge.jwebunit.junit.WebTester;
+import org.testng.annotations.Test;
+
+/**
+ * @author Luke Taylor
+ */
+public class ConcurrentSessionManagementTests extends AbstractWebServerIntegrationTests {
+
+    protected String getContextConfigLocations() {
+        return "/WEB-INF/http-security-concurrency.xml /WEB-INF/in-memory-provider.xml";
+    }
+
+    @Test
+    public void maxConcurrentLoginsValueIsRespected() throws Exception {
+        System.out.println("Client: ******* First login ******* ");
+        beginAt("secure/index.html");
+        login("jimi", "jimispassword");
+        // Login again
+        System.out.println("Client: ******* Second login ******* ");
+        WebTester tester2 = new WebTester();
+        tester2.getTestContext().setBaseUrl(getBaseUrl());
+        tester2.beginAt("secure/index.html");
+        // seems to be a bug in checking for form here (it fails)
+        //tester2.assertFormPresent();
+        tester2.setTextField("j_username", "jimi");
+        tester2.setTextField("j_password", "jimispassword");
+        // tester2.submit() also fails to detect the form
+        tester2.getTestingEngine().submit();
+        tester2.assertTextPresent("Maximum sessions of 1 for this principal exceeded");
+
+        // Now logout to kill first session
+        tester.gotoPage("/logout");
+
+
+        // Try second session again
+        tester2.setTextField("j_username", "jimi");
+        tester2.setTextField("j_password", "jimispassword");
+        // tester2.submit() also fails to detect the form
+        tester2.getTestingEngine().submit();
+        tester2.assertTextPresent("A Secure Page");
+    }
+}

itest/web/src/test/java/org/springframework/security/integration/CustomConcurrentSessionManagementTests.java

@@ -3,6 +3,7 @@ package org.springframework.security.integration;
 import net.sourceforge.jwebunit.junit.WebTester;
 
 import org.junit.Assert;
+import org.springframework.security.core.session.SessionRegistry;
 import org.testng.annotations.Test;
 
 /**
@@ -30,4 +31,23 @@ public class CustomConcurrentSessionManagementTests extends AbstractWebServerInt
         Assert.assertTrue(tester2.getServerResponse().contains("Maximum sessions of 1 for this principal exceeded"));
     }
 
+    @Test
+    public void logoutClearsSessionRegistryAndAllowsSecondLogin() throws Exception {
+        beginAt("secure/index.html");
+        login("bessie", "bessiespassword");
+        SessionRegistry reg = getAppContext().getBean(SessionRegistry.class);
+
+        tester.gotoPage("/j_spring_security_logout");
+
+        // Login again
+        System.out.println("Client: ******* Second login ******* ");
+        WebTester tester2 = new WebTester();
+        tester2.getTestContext().setBaseUrl(getBaseUrl());
+        tester2.beginAt("secure/index.html");
+        tester2.setTextField("j_username", "bessie");
+        tester2.setTextField("j_password", "bessiespassword");
+        tester2.setIgnoreFailingStatusCodes(true);
+        tester2.submit();
+        Assert.assertTrue(tester2.getServerResponse().contains("A secure page"));
+    }
 }

itest/web/src/test/java/org/springframework/security/integration/InMemoryProviderWebAppTests.java

@@ -72,26 +72,4 @@ public class InMemoryProviderWebAppTests extends AbstractWebServerIntegrationTes
         beginAt("secure/index.html");
         assertTextPresent("A Secure Page");
     }
-
-    @Test
-    public void maxConcurrentLoginsValueIsRespected() throws Exception {
-        System.out.println("Client: ******* First login ******* ");
-        beginAt("secure/index.html");
-        login("jimi", "jimispassword");
-        // Login again
-        System.out.println("Client: ******* Second login ******* ");
-        WebTester tester2 = new WebTester();
-        tester2.getTestContext().setBaseUrl(getBaseUrl());
-        tester2.beginAt("secure/index.html");
-        // seems to be a bug in checking for form here (it fails)
-        //tester2.assertFormPresent();
-        tester2.setTextField("j_username", "jimi");
-        tester2.setTextField("j_password", "jimispassword");
-        // tester2.submit() also fails to detect the form
-        tester2.getTestingEngine().submit();
-        // Try an use the original
-        System.out.println("Client: ******* Retry Original Session ******* ");
-        tester.gotoPage("secure/index.html");
-        tester.assertTextPresent("This session has been expired");
-    }
 }

web/src/main/java/org/springframework/security/web/authentication/logout/SecurityContextLogoutHandler.java

@@ -16,6 +16,8 @@
 package org.springframework.security.web.authentication.logout;
 
 
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.util.Assert;
@@ -27,12 +29,14 @@ import javax.servlet.http.HttpSession;
 /**
  * Performs a logout by modifying the {@link org.springframework.security.core.context.SecurityContextHolder}.
  * <p>
- * Will also invalidate the {@link HttpSession} if {@link #isInvalidateHttpSession()} is <code>true</code> and the
+ * Will also invalidate the {@link HttpSession} if {@link #isInvalidateHttpSession()} is {@code true} and the
- * session is not <code>null</code>.
+ * session is not {@code null}.
  *
  * @author Ben Alex
  */
 public class SecurityContextLogoutHandler implements LogoutHandler {
+    protected final Log logger = LogFactory.getLog(this.getClass());
+
     private boolean invalidateHttpSession = true;
 
     //~ Methods ========================================================================================================
@@ -49,6 +53,7 @@ public class SecurityContextLogoutHandler implements LogoutHandler {
         if (invalidateHttpSession) {
             HttpSession session = request.getSession(false);
             if (session != null) {
+                logger.debug("Invalidating session: " + session.getId());
                 session.invalidate();
             }
         }