diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/SecurityContextConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/SecurityContextConfigurer.java index ec0b185b38..b06a7e3c3f 100644 --- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/SecurityContextConfigurer.java +++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/SecurityContextConfigurer.java @@ -17,6 +17,7 @@ package org.springframework.security.config.annotation.web.configurers; import org.springframework.security.config.annotation.web.HttpSecurityBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; +import org.springframework.security.config.http.SessionCreationPolicy; import org.springframework.security.core.context.SecurityContext; import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.web.context.SecurityContextPersistenceFilter; @@ -86,7 +87,7 @@ public final class SecurityContextConfigurer> e SessionManagementConfigurer sessionManagement = http.getConfigurer(SessionManagementConfigurer.class); SessionCreationPolicy sessionCreationPolicy = sessionManagement == null ? null : sessionManagement.getSessionCreationPolicy(); - if (SessionCreationPolicy.always == sessionCreationPolicy) { + if (SessionCreationPolicy.ALWAYS == sessionCreationPolicy) { securityContextFilter.setForceEagerSessionCreation(true); } securityContextFilter = postProcess(securityContextFilter); diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/SessionCreationPolicy.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/SessionCreationPolicy.java deleted file mode 100644 index 6fe03e1ce1..0000000000 
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/SessionCreationPolicy.java
+++ /dev/null
@@ -1,39 +0,0 @@
-/*
- * Copyright 2002-2013 the original author or authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.springframework.security.config.annotation.web.configurers;
-
-import javax.servlet.http.HttpSession;
-
-import org.springframework.security.core.context.SecurityContext;
-
-/**
- * Specifies the various session creation policies for Spring Security.
- *
- * FIXME this should be removed once {@link org.springframework.security.config.http.SessionCreationPolicy} is made public.
- *
- * @author Rob Winch
- * @since 3.2
- */
-public enum SessionCreationPolicy {
- /** Always create an {@link HttpSession} */
- always,
- /** Spring Security will never create an {@link HttpSession}, but will use the {@link HttpSession} if it already exists */
- never,
- /** Spring Security will only create an {@link HttpSession} if required */
- ifRequired,
- /** Spring Security will never create an {@link HttpSession} and it will never use it to obtain the {@link SecurityContext} */
- stateless
-}
\ No newline at end of file
diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurer.java
index f95f20c793..f5f6955560 100644
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurer.java +++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurer.java @@ -19,6 +19,7 @@ import javax.servlet.http.HttpServletResponse; import org.springframework.security.config.annotation.web.HttpSecurityBuilder; import org.springframework.security.config.annotation.web.builders.HttpSecurity; +import org.springframework.security.config.http.SessionCreationPolicy; import org.springframework.security.core.session.SessionRegistry; import org.springframework.security.core.session.SessionRegistryImpl; import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler; @@ -74,7 +75,7 @@ public final class SessionManagementConfigurer> private Integer maximumSessions; private String expiredUrl; private boolean maxSessionsPreventsLogin; - private SessionCreationPolicy sessionPolicy = SessionCreationPolicy.ifRequired; + private SessionCreationPolicy sessionPolicy = SessionCreationPolicy.IF_REQUIRED; private boolean enableSessionUrlRewriting; private String invalidSessionUrl; private String sessionAuthenticationErrorUrl; @@ -289,7 +290,7 @@ public final class SessionManagementConfigurer> * @return true if the {@link SessionCreationPolicy} allows session creation */ private boolean isAllowSessionCreation() { - return SessionCreationPolicy.always == sessionPolicy || SessionCreationPolicy.ifRequired == sessionPolicy; + return SessionCreationPolicy.ALWAYS == sessionPolicy || SessionCreationPolicy.IF_REQUIRED == sessionPolicy; } /** @@ -297,7 +298,7 @@ public final class SessionManagementConfigurer> * @return */ private boolean isStateless() { - return SessionCreationPolicy.stateless == sessionPolicy; + return SessionCreationPolicy.STATELESS == sessionPolicy; } /** 
diff --git a/config/src/main/java/org/springframework/security/config/http/AuthenticationConfigBuilder.java b/config/src/main/java/org/springframework/security/config/http/AuthenticationConfigBuilder.java index 439020d63a..4bcf8369ae 100644 --- a/config/src/main/java/org/springframework/security/config/http/AuthenticationConfigBuilder.java +++ b/config/src/main/java/org/springframework/security/config/http/AuthenticationConfigBuilder.java @@ -132,8 +132,8 @@ final class AuthenticationConfigBuilder { this.pc = pc; this.requestCache = requestCache; autoConfig = "true".equals(element.getAttribute(ATT_AUTO_CONFIG)); - this.allowSessionCreation = sessionPolicy != SessionCreationPolicy.never - && sessionPolicy != SessionCreationPolicy.stateless; + this.allowSessionCreation = sessionPolicy != SessionCreationPolicy.NEVER + && sessionPolicy != SessionCreationPolicy.STATELESS; this.portMapper = portMapper; this.portResolver = portResolver; diff --git a/config/src/main/java/org/springframework/security/config/http/HttpConfigurationBuilder.java b/config/src/main/java/org/springframework/security/config/http/HttpConfigurationBuilder.java index 14930b3a75..def9f38b57 100644 --- a/config/src/main/java/org/springframework/security/config/http/HttpConfigurationBuilder.java +++ b/config/src/main/java/org/springframework/security/config/http/HttpConfigurationBuilder.java @@ -139,9 +139,9 @@ class HttpConfigurationBuilder { String createSession = element.getAttribute(ATT_CREATE_SESSION); if (StringUtils.hasText(createSession)) { - sessionPolicy = SessionCreationPolicy.valueOf(createSession); + sessionPolicy = createPolicy(createSession); } else { - sessionPolicy = SessionCreationPolicy.ifRequired; + sessionPolicy = SessionCreationPolicy.IF_REQUIRED; } createSecurityContextPersistenceFilter(); 
@@ -155,6 +155,20 @@ class HttpConfigurationBuilder { createAddHeadersFilter(); } + private SessionCreationPolicy createPolicy(String createSession) { + if("ifRequired".equals(createSession)) { + return SessionCreationPolicy.IF_REQUIRED; + } else if("always".equals(createSession)) { + return SessionCreationPolicy.ALWAYS; + } else if("never".equals(createSession)) { + return SessionCreationPolicy.NEVER; + } else if("stateless".equals(createSession)) { + return SessionCreationPolicy.STATELESS; + } + + throw new IllegalStateException("Cannot convert " + createSession + " to " + SessionCreationPolicy.class.getName()); + } + @SuppressWarnings("rawtypes") void setLogoutHandlers(ManagedList logoutHandlers) { if(logoutHandlers != null) { @@ -185,21 +199,21 @@ class HttpConfigurationBuilder { String disableUrlRewriting = httpElt.getAttribute(ATT_DISABLE_URL_REWRITING); if (StringUtils.hasText(repoRef)) { - if (sessionPolicy == SessionCreationPolicy.always) { + if (sessionPolicy == SessionCreationPolicy.ALWAYS) { scpf.addPropertyValue("forceEagerSessionCreation", Boolean.TRUE); } } else { BeanDefinitionBuilder contextRepo; - if (sessionPolicy == SessionCreationPolicy.stateless) { + if (sessionPolicy == SessionCreationPolicy.STATELESS) { contextRepo = BeanDefinitionBuilder.rootBeanDefinition(NullSecurityContextRepository.class); } else { contextRepo = BeanDefinitionBuilder.rootBeanDefinition(HttpSessionSecurityContextRepository.class); switch (sessionPolicy) { - case always: + case ALWAYS: contextRepo.addPropertyValue("allowSessionCreation", Boolean.TRUE); scpf.addPropertyValue("forceEagerSessionCreation", Boolean.TRUE); break; - case never: + case NEVER: contextRepo.addPropertyValue("allowSessionCreation", Boolean.FALSE); scpf.addPropertyValue("forceEagerSessionCreation", Boolean.FALSE); break; 
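Review bot: The new `createPolicy` (hunk `@@ -155,6 +155,20`) throws a bare `IllegalStateException` for an unrecognised value, so a mistyped session policy surfaces without the XML source location, whereas the other configuration errors visible in this file go through `pc.getReaderContext().error(..., pc.extractSource(...))`. The call it replaces, `SessionCreationPolicy.valueOf(createSession)`, threw `IllegalArgumentException`, so the exception type for bad input changes as well. Refusing to start on an unknown value is the right outcome for a session policy; if `pc` and the element are reachable from this method (its callers lie outside the hunk), report the error through the reader context with the element source instead. The method also has no Javadoc; something like `/** Maps the create-session attribute value to a {@link SessionCreationPolicy}; an unknown value is a configuration error. */` would record that the match is exact and case-sensitive. As a style point, the chain is written `if("ifRequired"` without the space used in `if (StringUtils.hasText(createSession))` in the preceding hunk.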
@@ -234,9 +248,9 @@ class HttpConfigurationBuilder { String errorUrl = null; if (sessionMgmtElt != null) { - if (sessionPolicy == SessionCreationPolicy.stateless) { + if (sessionPolicy == SessionCreationPolicy.STATELESS) { pc.getReaderContext().error(Elements.SESSION_MANAGEMENT + " cannot be used" + - " in combination with " + ATT_CREATE_SESSION + "='"+ SessionCreationPolicy.stateless +"'", + " in combination with " + ATT_CREATE_SESSION + "='"+ SessionCreationPolicy.STATELESS +"'", pc.extractSource(sessionMgmtElt)); } sessionFixationAttribute = sessionMgmtElt.getAttribute(ATT_SESSION_FIXATION_PROTECTION); @@ -261,7 +275,7 @@ class HttpConfigurationBuilder { " in combination with " + ATT_SESSION_AUTH_STRATEGY_REF, pc.extractSource(sessionMgmtElt)); } - if (sessionPolicy == SessionCreationPolicy.stateless) { + if (sessionPolicy == SessionCreationPolicy.STATELESS) { // SEC-1424: do nothing return; } @@ -482,11 +496,11 @@ class HttpConfigurationBuilder { } else { BeanDefinitionBuilder requestCacheBldr; - if (sessionPolicy == SessionCreationPolicy.stateless) { + if (sessionPolicy == SessionCreationPolicy.STATELESS) { requestCacheBldr = BeanDefinitionBuilder.rootBeanDefinition(NullRequestCache.class); } else { requestCacheBldr = BeanDefinitionBuilder.rootBeanDefinition(HttpSessionRequestCache.class); - requestCacheBldr.addPropertyValue("createSessionAllowed", sessionPolicy == SessionCreationPolicy.ifRequired); + requestCacheBldr.addPropertyValue("createSessionAllowed", sessionPolicy == SessionCreationPolicy.IF_REQUIRED); requestCacheBldr.addPropertyValue("portResolver", portResolver); } @@ -607,7 +621,7 @@ class HttpConfigurationBuilder { filters.add(new OrderDecorator(fsi, FILTER_SECURITY_INTERCEPTOR)); - if (sessionPolicy != SessionCreationPolicy.stateless) { + if (sessionPolicy != SessionCreationPolicy.STATELESS) { filters.add(new OrderDecorator(requestCacheAwareFilter, REQUEST_CACHE_FILTER)); } 
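Review bot: The error message in the first hunk here (`@@ -234,9 +248,9`) now concatenates `SessionCreationPolicy.STATELESS`, so the text after `ATT_CREATE_SESSION + "='"` renders as the enum name `STATELESS`, while `createPolicy` in this same file accepts only the lower-case string `"stateless"`. The message therefore no longer quotes the value the user actually wrote in the XML, which makes a session-management misconfiguration harder to trace. Spell the attribute value literally, `" in combination with " + ATT_CREATE_SESSION + "='stateless'",`, or share one constant with `createPolicy`. The enclosing method starts and ends outside the hunk.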
diff --git a/config/src/main/java/org/springframework/security/config/http/SessionCreationPolicy.java b/config/src/main/java/org/springframework/security/config/http/SessionCreationPolicy.java index b14b78a060..2848bc8fef 100644 --- a/config/src/main/java/org/springframework/security/config/http/SessionCreationPolicy.java +++ b/config/src/main/java/org/springframework/security/config/http/SessionCreationPolicy.java @@ -1,13 +1,22 @@ package org.springframework.security.config.http; +import javax.servlet.http.HttpSession; + +import org.springframework.security.core.context.SecurityContext; + /** + * Specifies the various session creation policies for Spring Security. * * @author Luke Taylor * @since 3.1 */ -enum SessionCreationPolicy { - always, - never, - ifRequired, - stateless +public enum SessionCreationPolicy { + /** Always create an {@link HttpSession} */ + ALWAYS, + /** Spring Security will never create an {@link HttpSession}, but will use the {@link HttpSession} if it already exists */ + NEVER, + /** Spring Security will only create an {@link HttpSession} if required */ + IF_REQUIRED, + /** Spring Security will never create an {@link HttpSession} and it will never use it to obtain the {@link SecurityContext} */ + STATELESS } diff --git a/config/src/test/groovy/org/springframework/security/config/annotation/web/builders/NamespaceHttpTests.groovy b/config/src/test/groovy/org/springframework/security/config/annotation/web/builders/NamespaceHttpTests.groovy index e35a936c7a..425996c4b2 100644 --- a/config/src/test/groovy/org/springframework/security/config/annotation/web/builders/NamespaceHttpTests.groovy +++ b/config/src/test/groovy/org/springframework/security/config/annotation/web/builders/NamespaceHttpTests.groovy 
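Review bot: The enum becomes public API in this hunk, but its type-level Javadoc is a single sentence and keeps `@since 3.1`, which describes the package-private type rather than the point at which it became usable by callers. The constant names also no longer match the XML values that `HttpConfigurationBuilder.createPolicy` accepts (`"ifRequired"`, `"always"`, `"never"`, `"stateless"`), so each constant's Javadoc should name its XML spelling, e.g. `/** Always create an {@link HttpSession} (XML value {@code always}) */`. A type-level sentence stating that `NEVER` still reads the `SecurityContext` from an existing session and only `STATELESS` ignores the session entirely would help readers who pick a policy from the class summary.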
@@ -29,8 +29,8 @@ import org.springframework.security.config.annotation.web.builders.NamespaceHttp import org.springframework.security.config.annotation.web.builders.NamespaceHttpTests.RequestMatcherRefConfig.MyRequestMatcher import org.springframework.security.config.annotation.web.configuration.BaseWebConfig import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity -import org.springframework.security.config.annotation.web.configurers.SessionCreationPolicy import org.springframework.security.config.annotation.web.configurers.UrlAuthorizationConfigurer +import org.springframework.security.config.http.SessionCreationPolicy; import org.springframework.security.core.Authentication import org.springframework.security.core.AuthenticationException import org.springframework.security.web.FilterInvocation @@ -147,7 +147,7 @@ public class NamespaceHttpTests extends BaseSpringSpec { protected void configure(HttpSecurity http) throws Exception { http .sessionManagement() - .sessionCreationPolicy(SessionCreationPolicy.always); + .sessionCreationPolicy(SessionCreationPolicy.ALWAYS); } } @@ -167,7 +167,7 @@ public class NamespaceHttpTests extends BaseSpringSpec { protected void configure(HttpSecurity http) throws Exception { http .sessionManagement() - .sessionCreationPolicy(SessionCreationPolicy.stateless); + .sessionCreationPolicy(SessionCreationPolicy.STATELESS); } } @@ -185,7 +185,7 @@ public class NamespaceHttpTests extends BaseSpringSpec { protected void configure(HttpSecurity http) throws Exception { http .sessionManagement() - .sessionCreationPolicy(SessionCreationPolicy.ifRequired); + .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED); } } @@ -212,7 +212,7 @@ public class NamespaceHttpTests extends BaseSpringSpec { protected void configure(HttpSecurity http) throws Exception { http .sessionManagement() - .sessionCreationPolicy(SessionCreationPolicy.never); + .sessionCreationPolicy(SessionCreationPolicy.NEVER); } } 
diff --git a/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/PortMapperConfigurerTests.groovy b/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/PortMapperConfigurerTests.groovy index 259aa555bb..89da73fff9 100644 --- a/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/PortMapperConfigurerTests.groovy +++ b/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/PortMapperConfigurerTests.groovy @@ -22,7 +22,6 @@ import org.springframework.security.config.annotation.authentication.builders.Au import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; -import org.springframework.security.config.annotation.web.configurers.SessionCreationPolicy; import org.springframework.security.web.access.ExceptionTranslationFilter import org.springframework.security.web.context.NullSecurityContextRepository; import org.springframework.security.web.context.SecurityContextPersistenceFilter diff --git a/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurerTests.groovy b/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurerTests.groovy index 5abed94d4b..b3dd35904a 100644 --- a/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurerTests.groovy +++ b/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurerTests.groovy 
@@ -22,7 +22,7 @@ import org.springframework.security.config.annotation.authentication.builders.Au import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; -import org.springframework.security.config.annotation.web.configurers.SessionCreationPolicy; +import org.springframework.security.config.http.SessionCreationPolicy; import org.springframework.security.web.access.ExceptionTranslationFilter import org.springframework.security.web.context.NullSecurityContextRepository; import org.springframework.security.web.context.SecurityContextPersistenceFilter @@ -58,7 +58,7 @@ class SessionManagementConfigurerTests extends BaseSpringSpec { .requestCache(REQUEST_CACHE) .and() .sessionManagement() - .sessionCreationPolicy(SessionCreationPolicy.stateless) + .sessionCreationPolicy(SessionCreationPolicy.STATELESS) } } @@ -84,7 +84,7 @@ class SessionManagementConfigurerTests extends BaseSpringSpec { .securityContextRepository(SECURITY_CONTEXT_REPO) .and() .sessionManagement() - .sessionCreationPolicy(SessionCreationPolicy.stateless) + .sessionCreationPolicy(SessionCreationPolicy.STATELESS) } } @@ -103,7 +103,7 @@ class SessionManagementConfigurerTests extends BaseSpringSpec { protected void configure(HttpSecurity http) throws Exception { http .sessionManagement() - .sessionCreationPolicy(SessionCreationPolicy.stateless) + .sessionCreationPolicy(SessionCreationPolicy.STATELESS) .and() .sessionManagement() }