Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-07-08 03:32:39 +00:00
Code Issues Packages Projects Releases Wiki Activity

Do Not Invalidate Current Session When It Is Registered

Browse Source 
Closes gh-15066
This commit is contained in:
Joaquin Santana 2024-05-13 17:09:34 +02:00 committed by Marcus Hert Da Coregio
parent e321e5de7c
commit 927840fe88
2 changed files with 44 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
web/src/main/java/org/springframework/security/web/server/authentication/InvalidateLeastUsedServerMaximumSessionsExceededHandler.java
View File

@ -24,6 +24,7 @@ import reactor.core.publisher.Flux;
import reactor.core.publisher.Mono; import reactor.core.publisher.Mono;
import org.springframework.security.core.session.ReactiveSessionInformation; import org.springframework.security.core.session.ReactiveSessionInformation;
import org.springframework.util.Assert;
import org.springframework.web.server.session.WebSessionStore; import org.springframework.web.server.session.WebSessionStore;
/** /**
@ -42,12 +43,14 @@ public final class InvalidateLeastUsedServerMaximumSessionsExceededHandler
private final WebSessionStore webSessionStore; private final WebSessionStore webSessionStore;
public InvalidateLeastUsedServerMaximumSessionsExceededHandler(WebSessionStore webSessionStore) { public InvalidateLeastUsedServerMaximumSessionsExceededHandler(WebSessionStore webSessionStore) {
Assert.notNull(webSessionStore, "webSessionStore cannot be null");
this.webSessionStore = webSessionStore; this.webSessionStore = webSessionStore;
} }
@Override @Override
public Mono<Void> handle(MaximumSessionsContext context) { public Mono<Void> handle(MaximumSessionsContext context) {
List<ReactiveSessionInformation> sessions = new ArrayList<>(context.getSessions()); List<ReactiveSessionInformation> sessions = new ArrayList<>(context.getSessions());
sessions.removeIf((session) -> session.getSessionId().equals(context.getCurrentSession().getId()));
sessions.sort(Comparator.comparing(ReactiveSessionInformation::getLastAccessTime)); sessions.sort(Comparator.comparing(ReactiveSessionInformation::getLastAccessTime));
int maximumSessionsExceededBy = sessions.size() - context.getMaximumSessionsAllowed() + 1; int maximumSessionsExceededBy = sessions.size() - context.getMaximumSessionsAllowed() + 1;
List<ReactiveSessionInformation> leastRecentlyUsedSessionsToInvalidate = sessions.subList(0, List<ReactiveSessionInformation> leastRecentlyUsedSessionsToInvalidate = sessions.subList(0,

46
web/src/test/java/org/springframework/security/web/server/authentication/session/InvalidateLeastUsedServerMaximumSessionsExceededHandlerTests.java
View File

@ -23,6 +23,7 @@ import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test; import org.junit.jupiter.api.Test;
import reactor.core.publisher.Mono; import reactor.core.publisher.Mono;
import org.springframework.mock.web.server.MockWebSession;
import org.springframework.security.core.Authentication; import org.springframework.security.core.Authentication;
import org.springframework.security.core.session.ReactiveSessionInformation; import org.springframework.security.core.session.ReactiveSessionInformation;
import org.springframework.security.web.server.authentication.InvalidateLeastUsedServerMaximumSessionsExceededHandler; import org.springframework.security.web.server.authentication.InvalidateLeastUsedServerMaximumSessionsExceededHandler;
@ -34,6 +35,7 @@ import static org.mockito.BDDMockito.given;
import static org.mockito.Mockito.atLeastOnce; import static org.mockito.Mockito.atLeastOnce;
import static org.mockito.Mockito.mock; import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.spy; import static org.mockito.Mockito.spy;
import static org.mockito.Mockito.times;
import static org.mockito.Mockito.verify; import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.verifyNoMoreInteractions; import static org.mockito.Mockito.verifyNoMoreInteractions;
@ -59,18 +61,21 @@ class InvalidateLeastUsedServerMaximumSessionsExceededHandlerTests {
ReactiveSessionInformation session2 = mock(ReactiveSessionInformation.class); ReactiveSessionInformation session2 = mock(ReactiveSessionInformation.class);
given(session1.getLastAccessTime()).willReturn(Instant.ofEpochMilli(1700827760010L)); given(session1.getLastAccessTime()).willReturn(Instant.ofEpochMilli(1700827760010L));
given(session2.getLastAccessTime()).willReturn(Instant.ofEpochMilli(1700827760000L)); given(session2.getLastAccessTime()).willReturn(Instant.ofEpochMilli(1700827760000L));
given(session1.getSessionId()).willReturn("session1");
given(session2.getSessionId()).willReturn("session2"); given(session2.getSessionId()).willReturn("session2");
given(session2.invalidate()).willReturn(Mono.empty()); given(session2.invalidate()).willReturn(Mono.empty());
MaximumSessionsContext context = new MaximumSessionsContext(mock(Authentication.class), MaximumSessionsContext context = new MaximumSessionsContext(mock(Authentication.class),
List.of(session1, session2), 2, null); List.of(session1, session2), 2, createWebSession());
this.handler.handle(context).block(); this.handler.handle(context).block();
verify(session2).invalidate(); verify(session2).invalidate();
verify(session1).getLastAccessTime(); // used by comparator to sort the sessions verify(session1).getLastAccessTime(); // used by comparator to sort the sessions
verify(session2).getLastAccessTime(); // used by comparator to sort the sessions verify(session2).getLastAccessTime(); // used by comparator to sort the sessions
verify(session2).getSessionId(); // used to invalidate session against the verify(session1).getSessionId();
verify(session2, times(2)).getSessionId(); // used to invalidate session against
// the
// WebSessionStore // WebSessionStore
verify(this.webSessionStore).removeSession("session2"); verify(this.webSessionStore).removeSession("session2");
verifyNoMoreInteractions(this.webSessionStore); verifyNoMoreInteractions(this.webSessionStore);
@ -90,16 +95,18 @@ class InvalidateLeastUsedServerMaximumSessionsExceededHandlerTests {
given(session2.invalidate()).willReturn(Mono.empty()); given(session2.invalidate()).willReturn(Mono.empty());
given(session1.getSessionId()).willReturn("session1"); given(session1.getSessionId()).willReturn("session1");
given(session2.getSessionId()).willReturn("session2"); given(session2.getSessionId()).willReturn("session2");
given(session3.getSessionId()).willReturn("session3");
MaximumSessionsContext context = new MaximumSessionsContext(mock(Authentication.class), MaximumSessionsContext context = new MaximumSessionsContext(mock(Authentication.class),
List.of(session1, session2, session3), 2, null); List.of(session1, session2, session3), 2, createWebSession());
this.handler.handle(context).block(); this.handler.handle(context).block();
// @formatter:off // @formatter:off
verify(session1).invalidate(); verify(session1).invalidate();
verify(session2).invalidate(); verify(session2).invalidate();
verify(session1).getSessionId(); verify(session1, times(2)).getSessionId();
verify(session2).getSessionId(); verify(session2, times(2)).getSessionId();
verify(session3).getSessionId();
verify(session1, atLeastOnce()).getLastAccessTime(); // used by comparator to sort the sessions verify(session1, atLeastOnce()).getLastAccessTime(); // used by comparator to sort the sessions
verify(session2, atLeastOnce()).getLastAccessTime(); // used by comparator to sort the sessions verify(session2, atLeastOnce()).getLastAccessTime(); // used by comparator to sort the sessions
verify(session3, atLeastOnce()).getLastAccessTime(); // used by comparator to sort the sessions verify(session3, atLeastOnce()).getLastAccessTime(); // used by comparator to sort the sessions
@ -112,4 +119,33 @@ class InvalidateLeastUsedServerMaximumSessionsExceededHandlerTests {
// @formatter:on // @formatter:on
} }
@Test
void handleWhenCurrentSessionIsRegisteredThenDoNotInvalidateCurrentSession() {
ReactiveSessionInformation session1 = mock(ReactiveSessionInformation.class);
ReactiveSessionInformation session2 = mock(ReactiveSessionInformation.class);
MockWebSession currentSession = createWebSession();
given(session1.getLastAccessTime()).willReturn(Instant.ofEpochMilli(1700827760010L));
given(session2.getLastAccessTime()).willReturn(Instant.ofEpochMilli(1700827760000L));
given(session1.getSessionId()).willReturn("session1");
given(session2.getSessionId()).willReturn(currentSession.getId());
given(session1.invalidate()).willReturn(Mono.empty());
MaximumSessionsContext context = new MaximumSessionsContext(mock(Authentication.class),
List.of(session1, session2), 1, currentSession);
this.handler.handle(context).block();
verify(session1).invalidate();
verify(session2).getSessionId();
verify(session1, times(2)).getSessionId();
verify(this.webSessionStore).removeSession("session1");
verifyNoMoreInteractions(this.webSessionStore);
verifyNoMoreInteractions(session2);
verifyNoMoreInteractions(session1);
}
private MockWebSession createWebSession() {
return new MockWebSession();
}
} }