Cwikius-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Remove includeExpiredSessions parameter 

The reactive implementation of max sessions does not keep track of expired sessions, therefore we do not need such parameter

Issue gh-6192
This commit is contained in:
Marcus Hert Da Coregio 2024-02-06 10:34:37 -03:00
parent 6068e6be5e
commit 915d68e216
8 changed files with 27 additions and 33 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
config/src/test/java/org/springframework/security/config/web/server/SessionManagementSpecTests.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2023 the original author or authors. * Copyright 2002-2024 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -334,7 +334,7 @@ public class SessionManagementSpecTests {
.expectStatus() .expectStatus()
.isOk(); .isOk();
ReactiveSessionRegistry sessionRegistry = this.spring.getContext().getBean(ReactiveSessionRegistry.class); ReactiveSessionRegistry sessionRegistry = this.spring.getContext().getBean(ReactiveSessionRegistry.class);
sessionRegistry.getAllSessions(PasswordEncodedUser.user(), false) sessionRegistry.getAllSessions(PasswordEncodedUser.user())
.flatMap(ReactiveSessionInformation::invalidate) .flatMap(ReactiveSessionInformation::invalidate)
.blockLast(); .blockLast();
this.client.get() this.client.get()

7
core/src/main/java/org/springframework/security/core/session/InMemoryReactiveSessionRegistry.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2023 the original author or authors. * Copyright 2002-2024 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -50,10 +50,9 @@ public class InMemoryReactiveSessionRegistry implements ReactiveSessionRegistry
} }
@Override @Override
public Flux<ReactiveSessionInformation> getAllSessions(Object principal, boolean includeExpiredSessions) { public Flux<ReactiveSessionInformation> getAllSessions(Object principal) {
return Flux.fromIterable(this.sessionIdsByPrincipal.getOrDefault(principal, Collections.emptySet())) return Flux.fromIterable(this.sessionIdsByPrincipal.getOrDefault(principal, Collections.emptySet()))
.map(this.sessionById::get) .map(this.sessionById::get);
.filter((sessionInformation) -> includeExpiredSessions || !sessionInformation.isExpired());
} }
@Override @Override

4
core/src/main/java/org/springframework/security/core/session/ReactiveSessionRegistry.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2023 the original author or authors. * Copyright 2002-2024 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -34,7 +34,7 @@ public interface ReactiveSessionRegistry {
* @return the {@link ReactiveSessionInformation} instances associated with the * @return the {@link ReactiveSessionInformation} instances associated with the
* principal * principal
*/ */
Flux<ReactiveSessionInformation> getAllSessions(Object principal, boolean includeExpiredSessions); Flux<ReactiveSessionInformation> getAllSessions(Object principal);
/** /**
* Saves the {@link ReactiveSessionInformation} * Saves the {@link ReactiveSessionInformation}

4
web/src/main/java/org/springframework/security/web/server/authentication/ConcurrentSessionControlServerAuthenticationSuccessHandler.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2023 the original author or authors. * Copyright 2002-2024 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -62,7 +62,7 @@ public final class ConcurrentSessionControlServerAuthenticationSuccessHandler
private Mono<Void> handleConcurrency(WebFilterExchange exchange, Authentication authentication, private Mono<Void> handleConcurrency(WebFilterExchange exchange, Authentication authentication,
Integer maximumSessions) { Integer maximumSessions) {
return this.sessionRegistry.getAllSessions(authentication.getPrincipal(), false) return this.sessionRegistry.getAllSessions(authentication.getPrincipal())
.collectList() .collectList()
.flatMap((registeredSessions) -> exchange.getExchange() .flatMap((registeredSessions) -> exchange.getExchange()
.getSession() .getSession()

6
web/src/main/java/org/springframework/security/web/session/WebSessionStoreReactiveSessionRegistry.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2023 the original author or authors. * Copyright 2002-2024 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -46,8 +46,8 @@ public final class WebSessionStoreReactiveSessionRegistry implements ReactiveSes
} }
@Override @Override
public Flux<ReactiveSessionInformation> getAllSessions(Object principal, boolean includeExpiredSessions) { public Flux<ReactiveSessionInformation> getAllSessions(Object principal) {
return this.sessionRegistry.getAllSessions(principal, includeExpiredSessions).map(WebSessionInformation::new); return this.sessionRegistry.getAllSessions(principal).map(WebSessionInformation::new);
} }
@Override @Override

12
web/src/test/java/org/springframework/security/web/server/authentication/session/ConcurrentSessionControlServerAuthenticationSuccessHandlerTests.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2023 the original author or authors. * Copyright 2002-2024 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -111,7 +111,7 @@ class ConcurrentSessionControlServerAuthenticationSuccessHandlerTests {
Authentication authentication = TestAuthentication.authenticatedUser(); Authentication authentication = TestAuthentication.authenticatedUser();
List<ReactiveSessionInformation> sessions = Arrays.asList(createSessionInformation("100"), List<ReactiveSessionInformation> sessions = Arrays.asList(createSessionInformation("100"),
createSessionInformation("101")); createSessionInformation("101"));
given(this.sessionRegistry.getAllSessions(authentication.getPrincipal(), false)) given(this.sessionRegistry.getAllSessions(authentication.getPrincipal()))
.willReturn(Flux.fromIterable(sessions)); .willReturn(Flux.fromIterable(sessions));
this.strategy.onAuthenticationSuccess(new WebFilterExchange(this.exchange, this.chain), authentication).block(); this.strategy.onAuthenticationSuccess(new WebFilterExchange(this.exchange, this.chain), authentication).block();
verify(this.handler).handle(this.contextCaptor.capture()); verify(this.handler).handle(this.contextCaptor.capture());
@ -127,7 +127,7 @@ class ConcurrentSessionControlServerAuthenticationSuccessHandlerTests {
List<ReactiveSessionInformation> sessions = Arrays.asList(createSessionInformation("100"), List<ReactiveSessionInformation> sessions = Arrays.asList(createSessionInformation("100"),
createSessionInformation("101"), createSessionInformation("102"), createSessionInformation("103"), createSessionInformation("101"), createSessionInformation("102"), createSessionInformation("103"),
createSessionInformation("104")); createSessionInformation("104"));
given(this.sessionRegistry.getAllSessions(authentication.getPrincipal(), false)) given(this.sessionRegistry.getAllSessions(authentication.getPrincipal()))
.willReturn(Flux.fromIterable(sessions)); .willReturn(Flux.fromIterable(sessions));
this.strategy.onAuthenticationSuccess(new WebFilterExchange(this.exchange, this.chain), authentication).block(); this.strategy.onAuthenticationSuccess(new WebFilterExchange(this.exchange, this.chain), authentication).block();
verify(this.handler).handle(this.contextCaptor.capture()); verify(this.handler).handle(this.contextCaptor.capture());
@ -151,10 +151,8 @@ class ConcurrentSessionControlServerAuthenticationSuccessHandlerTests {
List<ReactiveSessionInformation> adminSessions = Arrays.asList(createSessionInformation("200"), List<ReactiveSessionInformation> adminSessions = Arrays.asList(createSessionInformation("200"),
createSessionInformation("201")); createSessionInformation("201"));
given(this.sessionRegistry.getAllSessions(user.getPrincipal(), false)) given(this.sessionRegistry.getAllSessions(user.getPrincipal())).willReturn(Flux.fromIterable(userSessions));
.willReturn(Flux.fromIterable(userSessions)); given(this.sessionRegistry.getAllSessions(admin.getPrincipal())).willReturn(Flux.fromIterable(adminSessions));
given(this.sessionRegistry.getAllSessions(admin.getPrincipal(), false))
.willReturn(Flux.fromIterable(adminSessions));
this.strategy.onAuthenticationSuccess(new WebFilterExchange(this.exchange, this.chain), user).block(); this.strategy.onAuthenticationSuccess(new WebFilterExchange(this.exchange, this.chain), user).block();
this.strategy.onAuthenticationSuccess(new WebFilterExchange(this.exchange, this.chain), admin).block(); this.strategy.onAuthenticationSuccess(new WebFilterExchange(this.exchange, this.chain), admin).block();

9
web/src/test/java/org/springframework/security/web/server/authentication/session/InMemoryReactiveSessionRegistryTests.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2023 the original author or authors. * Copyright 2002-2024 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -46,7 +46,7 @@ class InMemoryReactiveSessionRegistryTests {
"1234", this.now); "1234", this.now);
this.sessionRegistry.saveSessionInformation(sessionInformation).block(); this.sessionRegistry.saveSessionInformation(sessionInformation).block();
List<ReactiveSessionInformation> principalSessions = this.sessionRegistry List<ReactiveSessionInformation> principalSessions = this.sessionRegistry
.getAllSessions(authentication.getPrincipal(), false) .getAllSessions(authentication.getPrincipal())
.collectList() .collectList()
.block(); .block();
assertThat(principalSessions).hasSize(1); assertThat(principalSessions).hasSize(1);
@ -65,8 +65,7 @@ class InMemoryReactiveSessionRegistryTests {
this.sessionRegistry.saveSessionInformation(sessionInformation1).block(); this.sessionRegistry.saveSessionInformation(sessionInformation1).block();
this.sessionRegistry.saveSessionInformation(sessionInformation2).block(); this.sessionRegistry.saveSessionInformation(sessionInformation2).block();
this.sessionRegistry.saveSessionInformation(sessionInformation3).block(); this.sessionRegistry.saveSessionInformation(sessionInformation3).block();
List<ReactiveSessionInformation> sessions = this.sessionRegistry List<ReactiveSessionInformation> sessions = this.sessionRegistry.getAllSessions(authentication.getPrincipal())
.getAllSessions(authentication.getPrincipal(), false)
.collectList() .collectList()
.block(); .block();
assertThat(sessions).hasSize(3); assertThat(sessions).hasSize(3);
@ -82,7 +81,7 @@ class InMemoryReactiveSessionRegistryTests {
"1234", this.now); "1234", this.now);
this.sessionRegistry.saveSessionInformation(sessionInformation).block(); this.sessionRegistry.saveSessionInformation(sessionInformation).block();
this.sessionRegistry.removeSessionInformation("1234").block(); this.sessionRegistry.removeSessionInformation("1234").block();
List<ReactiveSessionInformation> sessions = this.sessionRegistry.getAllSessions(authentication.getName(), false) List<ReactiveSessionInformation> sessions = this.sessionRegistry.getAllSessions(authentication.getName())
.collectList() .collectList()
.block(); .block();
assertThat(this.sessionRegistry.getSessionInformation("1234").block()).isNull(); assertThat(this.sessionRegistry.getSessionInformation("1234").block()).isNull();

14
web/src/test/java/org/springframework/security/web/session/WebSessionStoreReactiveSessionRegistryTests.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2023 the original author or authors. * Copyright 2002-2024 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -31,8 +31,6 @@ import org.springframework.web.server.session.WebSessionStore;
import static org.assertj.core.api.Assertions.assertThat; import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException; import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
import static org.mockito.ArgumentMatchers.any; import static org.mockito.ArgumentMatchers.any;
import static org.mockito.ArgumentMatchers.anyBoolean;
import static org.mockito.ArgumentMatchers.eq;
import static org.mockito.BDDMockito.given; import static org.mockito.BDDMockito.given;
import static org.mockito.Mockito.mock; import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.verify; import static org.mockito.Mockito.verify;
@ -101,12 +99,12 @@ class WebSessionStoreReactiveSessionRegistryTests {
given(this.webSessionStore.retrieveSession(session.getSessionId())).willReturn(Mono.just(webSession)); given(this.webSessionStore.retrieveSession(session.getSessionId())).willReturn(Mono.just(webSession));
this.registry.saveSessionInformation(session).block(); this.registry.saveSessionInformation(session).block();
List<ReactiveSessionInformation> saved = this.registry.getAllSessions(session.getPrincipal(), false) List<ReactiveSessionInformation> saved = this.registry.getAllSessions(session.getPrincipal())
.collectList() .collectList()
.block(); .block();
saved.forEach((info) -> info.invalidate().block()); saved.forEach((info) -> info.invalidate().block());
verify(webSession).invalidate(); verify(webSession).invalidate();
assertThat(this.registry.getAllSessions(session.getPrincipal(), false).collectList().block()).isEmpty(); assertThat(this.registry.getAllSessions(session.getPrincipal()).collectList().block()).isEmpty();
} }
@Test @Test
@ -116,7 +114,7 @@ class WebSessionStoreReactiveSessionRegistryTests {
given(sessionRegistry.removeSessionInformation(any())).willReturn(Mono.empty()); given(sessionRegistry.removeSessionInformation(any())).willReturn(Mono.empty());
given(sessionRegistry.updateLastAccessTime(any())).willReturn(Mono.empty()); given(sessionRegistry.updateLastAccessTime(any())).willReturn(Mono.empty());
given(sessionRegistry.getSessionInformation(any())).willReturn(Mono.empty()); given(sessionRegistry.getSessionInformation(any())).willReturn(Mono.empty());
given(sessionRegistry.getAllSessions(any(), anyBoolean())).willReturn(Flux.empty()); given(sessionRegistry.getAllSessions(any())).willReturn(Flux.empty());
this.registry.setSessionRegistry(sessionRegistry); this.registry.setSessionRegistry(sessionRegistry);
ReactiveSessionInformation session = createSession(); ReactiveSessionInformation session = createSession();
this.registry.saveSessionInformation(session).block(); this.registry.saveSessionInformation(session).block();
@ -127,8 +125,8 @@ class WebSessionStoreReactiveSessionRegistryTests {
verify(sessionRegistry).updateLastAccessTime(any()); verify(sessionRegistry).updateLastAccessTime(any());
this.registry.getSessionInformation(session.getSessionId()).block(); this.registry.getSessionInformation(session.getSessionId()).block();
verify(sessionRegistry).getSessionInformation(any()); verify(sessionRegistry).getSessionInformation(any());
this.registry.getAllSessions(session.getPrincipal(), false).blockFirst(); this.registry.getAllSessions(session.getPrincipal()).blockFirst();
verify(sessionRegistry).getAllSessions(any(), eq(false)); verify(sessionRegistry).getAllSessions(any());
} }
private static ReactiveSessionInformation createSession() { private static ReactiveSessionInformation createSession() {