SEC-2239: Remove duplicate SessionCreationPolicy

Rob Winch 2013-07-31 10:29:19 -05:00
parent 606bddf598
commit a1bf28a697
9 changed files with 57 additions and 72 deletions


@ -17,6 +17,7 @@ package org.springframework.security.config.annotation.web.configurers;
import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.context.SecurityContextPersistenceFilter;
@ -86,7 +87,7 @@ public final class SecurityContextConfigurer<H extends HttpSecurityBuilder<H>> e
SessionManagementConfigurer<?> sessionManagement = http.getConfigurer(SessionManagementConfigurer.class);
SessionCreationPolicy sessionCreationPolicy = sessionManagement == null ? null
: sessionManagement.getSessionCreationPolicy();
if (SessionCreationPolicy.always == sessionCreationPolicy) {
if (SessionCreationPolicy.ALWAYS == sessionCreationPolicy) {
securityContextFilter.setForceEagerSessionCreation(true);
}
securityContextFilter = postProcess(securityContextFilter);


@ -1,39 +0,0 @@
/*
* Copyright 2002-2013 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.config.annotation.web.configurers;
import javax.servlet.http.HttpSession;
import org.springframework.security.core.context.SecurityContext;
/**
* Specifies the various session creation policies for Spring Security.
*
* FIXME this should be removed once {@link org.springframework.security.config.http.SessionCreationPolicy} is made public.
*
* @author Rob Winch
* @since 3.2
*/
public enum SessionCreationPolicy {
/** Always create an {@link HttpSession} */
always,
/** Spring Security will never create an {@link HttpSession}, but will use the {@link HttpSession} if it already exists */
never,
/** Spring Security will only create an {@link HttpSession} if required */
ifRequired,
/** Spring Security will never create an {@link HttpSession} and it will never use it to obtain the {@link SecurityContext} */
stateless
}


@ -19,6 +19,7 @@ import javax.servlet.http.HttpServletResponse;
import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
@ -74,7 +75,7 @@ public final class SessionManagementConfigurer<H extends HttpSecurityBuilder<H>>
private Integer maximumSessions;
private String expiredUrl;
private boolean maxSessionsPreventsLogin;
private SessionCreationPolicy sessionPolicy = SessionCreationPolicy.ifRequired;
private SessionCreationPolicy sessionPolicy = SessionCreationPolicy.IF_REQUIRED;
private boolean enableSessionUrlRewriting;
private String invalidSessionUrl;
private String sessionAuthenticationErrorUrl;
@ -289,7 +290,7 @@ public final class SessionManagementConfigurer<H extends HttpSecurityBuilder<H>>
* @return true if the {@link SessionCreationPolicy} allows session creation
*/
private boolean isAllowSessionCreation() {
return SessionCreationPolicy.always == sessionPolicy || SessionCreationPolicy.ifRequired == sessionPolicy;
return SessionCreationPolicy.ALWAYS == sessionPolicy || SessionCreationPolicy.IF_REQUIRED == sessionPolicy;
}
/**
@ -297,7 +298,7 @@ public final class SessionManagementConfigurer<H extends HttpSecurityBuilder<H>>
* @return
*/
private boolean isStateless() {
return SessionCreationPolicy.stateless == sessionPolicy;
return SessionCreationPolicy.STATELESS == sessionPolicy;
}
/**


@ -132,8 +132,8 @@ final class AuthenticationConfigBuilder {
this.pc = pc;
this.requestCache = requestCache;
autoConfig = "true".equals(element.getAttribute(ATT_AUTO_CONFIG));
this.allowSessionCreation = sessionPolicy != SessionCreationPolicy.never
&& sessionPolicy != SessionCreationPolicy.stateless;
this.allowSessionCreation = sessionPolicy != SessionCreationPolicy.NEVER
&& sessionPolicy != SessionCreationPolicy.STATELESS;
this.portMapper = portMapper;
this.portResolver = portResolver;


@ -139,9 +139,9 @@ class HttpConfigurationBuilder {
String createSession = element.getAttribute(ATT_CREATE_SESSION);
if (StringUtils.hasText(createSession)) {
sessionPolicy = SessionCreationPolicy.valueOf(createSession);
sessionPolicy = createPolicy(createSession);
} else {
sessionPolicy = SessionCreationPolicy.ifRequired;
sessionPolicy = SessionCreationPolicy.IF_REQUIRED;
}
createSecurityContextPersistenceFilter();
@ -155,6 +155,20 @@ class HttpConfigurationBuilder {
createAddHeadersFilter();
}
private SessionCreationPolicy createPolicy(String createSession) {
if("ifRequired".equals(createSession)) {
return SessionCreationPolicy.IF_REQUIRED;
} else if("always".equals(createSession)) {
return SessionCreationPolicy.ALWAYS;
} else if("never".equals(createSession)) {
return SessionCreationPolicy.NEVER;
} else if("stateless".equals(createSession)) {
return SessionCreationPolicy.STATELESS;
}
throw new IllegalStateException("Cannot convert " + createSession + " to " + SessionCreationPolicy.class.getName());
}
@SuppressWarnings("rawtypes")
void setLogoutHandlers(ManagedList logoutHandlers) {
if(logoutHandlers != null) {
@ -185,21 +199,21 @@ class HttpConfigurationBuilder {
String disableUrlRewriting = httpElt.getAttribute(ATT_DISABLE_URL_REWRITING);
if (StringUtils.hasText(repoRef)) {
if (sessionPolicy == SessionCreationPolicy.always) {
if (sessionPolicy == SessionCreationPolicy.ALWAYS) {
scpf.addPropertyValue("forceEagerSessionCreation", Boolean.TRUE);
}
} else {
BeanDefinitionBuilder contextRepo;
if (sessionPolicy == SessionCreationPolicy.stateless) {
if (sessionPolicy == SessionCreationPolicy.STATELESS) {
contextRepo = BeanDefinitionBuilder.rootBeanDefinition(NullSecurityContextRepository.class);
} else {
contextRepo = BeanDefinitionBuilder.rootBeanDefinition(HttpSessionSecurityContextRepository.class);
switch (sessionPolicy) {
case always:
case ALWAYS:
contextRepo.addPropertyValue("allowSessionCreation", Boolean.TRUE);
scpf.addPropertyValue("forceEagerSessionCreation", Boolean.TRUE);
break;
case never:
case NEVER:
contextRepo.addPropertyValue("allowSessionCreation", Boolean.FALSE);
scpf.addPropertyValue("forceEagerSessionCreation", Boolean.FALSE);
break;
@ -234,9 +248,9 @@ class HttpConfigurationBuilder {
String errorUrl = null;
if (sessionMgmtElt != null) {
if (sessionPolicy == SessionCreationPolicy.stateless) {
if (sessionPolicy == SessionCreationPolicy.STATELESS) {
pc.getReaderContext().error(Elements.SESSION_MANAGEMENT + " cannot be used" +
" in combination with " + ATT_CREATE_SESSION + "='"+ SessionCreationPolicy.stateless +"'",
" in combination with " + ATT_CREATE_SESSION + "='"+ SessionCreationPolicy.STATELESS +"'",
pc.extractSource(sessionMgmtElt));
}
sessionFixationAttribute = sessionMgmtElt.getAttribute(ATT_SESSION_FIXATION_PROTECTION);
@ -261,7 +275,7 @@ class HttpConfigurationBuilder {
" in combination with " + ATT_SESSION_AUTH_STRATEGY_REF, pc.extractSource(sessionMgmtElt));
}
if (sessionPolicy == SessionCreationPolicy.stateless) {
if (sessionPolicy == SessionCreationPolicy.STATELESS) {
// SEC-1424: do nothing
return;
}
@ -482,11 +496,11 @@ class HttpConfigurationBuilder {
} else {
BeanDefinitionBuilder requestCacheBldr;
if (sessionPolicy == SessionCreationPolicy.stateless) {
if (sessionPolicy == SessionCreationPolicy.STATELESS) {
requestCacheBldr = BeanDefinitionBuilder.rootBeanDefinition(NullRequestCache.class);
} else {
requestCacheBldr = BeanDefinitionBuilder.rootBeanDefinition(HttpSessionRequestCache.class);
requestCacheBldr.addPropertyValue("createSessionAllowed", sessionPolicy == SessionCreationPolicy.ifRequired);
requestCacheBldr.addPropertyValue("createSessionAllowed", sessionPolicy == SessionCreationPolicy.IF_REQUIRED);
requestCacheBldr.addPropertyValue("portResolver", portResolver);
}
@ -607,7 +621,7 @@ class HttpConfigurationBuilder {
filters.add(new OrderDecorator(fsi, FILTER_SECURITY_INTERCEPTOR));
if (sessionPolicy != SessionCreationPolicy.stateless) {
if (sessionPolicy != SessionCreationPolicy.STATELESS) {
filters.add(new OrderDecorator(requestCacheAwareFilter, REQUEST_CACHE_FILTER));
}
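Review bot: The parser error raised when the session-management element is combined with a stateless policy still concatenates the enum constant, so after the rename the message ends in `='STATELESS'`, while the only spelling the new `createPolicy` accepts for the attribute is the lowercase `stateless`. The enum as changed in this commit defines no `toString()` override, so the constant name is what gets printed. Anyone copying the value from the message into their configuration would, as far as the visible code shows, land in the `IllegalStateException` branch of `createPolicy` (unless schema validation rejects it first). I would spell the attribute value literally, e.g. `" in combination with " + ATT_CREATE_SESSION + "='stateless'",`. The enclosing method starts and ends outside this hunk.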


@ -1,13 +1,22 @@
package org.springframework.security.config.http;
import javax.servlet.http.HttpSession;
import org.springframework.security.core.context.SecurityContext;
/**
* Specifies the various session creation policies for Spring Security.
*
* @author Luke Taylor
* @since 3.1
*/
enum SessionCreationPolicy {
always,
never,
ifRequired,
stateless
public enum SessionCreationPolicy {
/** Always create an {@link HttpSession} */
ALWAYS,
/** Spring Security will never create an {@link HttpSession}, but will use the {@link HttpSession} if it already exists */
NEVER,
/** Spring Security will only create an {@link HttpSession} if required */
IF_REQUIRED,
/** Spring Security will never create an {@link HttpSession} and it will never use it to obtain the {@link SecurityContext} */
STATELESS
}
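Review bot: The type Javadoc keeps `@since 3.1` and says nothing about the enum only becoming public with this change, or about the constants no longer matching the XML attribute spellings. The duplicate being deleted was tagged `@since 3.2`, which suggests that is the release where Java-config users first see this type. I would add a sentence to the class comment along the lines of `Public as of 3.2; the namespace values ifRequired, always, never and stateless are mapped to these constants by the XML parser.` so readers do not try `valueOf` on the attribute text.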


@ -29,8 +29,8 @@ import org.springframework.security.config.annotation.web.builders.NamespaceHttp
import org.springframework.security.config.annotation.web.builders.NamespaceHttpTests.RequestMatcherRefConfig.MyRequestMatcher
import org.springframework.security.config.annotation.web.configuration.BaseWebConfig
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
import org.springframework.security.config.annotation.web.configurers.SessionCreationPolicy
import org.springframework.security.config.annotation.web.configurers.UrlAuthorizationConfigurer
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.Authentication
import org.springframework.security.core.AuthenticationException
import org.springframework.security.web.FilterInvocation
@ -147,7 +147,7 @@ public class NamespaceHttpTests extends BaseSpringSpec {
protected void configure(HttpSecurity http) throws Exception {
http
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.always);
.sessionCreationPolicy(SessionCreationPolicy.ALWAYS);
}
}
@ -167,7 +167,7 @@ public class NamespaceHttpTests extends BaseSpringSpec {
protected void configure(HttpSecurity http) throws Exception {
http
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.stateless);
.sessionCreationPolicy(SessionCreationPolicy.STATELESS);
}
}
@ -185,7 +185,7 @@ public class NamespaceHttpTests extends BaseSpringSpec {
protected void configure(HttpSecurity http) throws Exception {
http
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.ifRequired);
.sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED);
}
}
@ -212,7 +212,7 @@ public class NamespaceHttpTests extends BaseSpringSpec {
protected void configure(HttpSecurity http) throws Exception {
http
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.never);
.sessionCreationPolicy(SessionCreationPolicy.NEVER);
}
}


@ -22,7 +22,6 @@ import org.springframework.security.config.annotation.authentication.builders.Au
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.SessionCreationPolicy;
import org.springframework.security.web.access.ExceptionTranslationFilter
import org.springframework.security.web.context.NullSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextPersistenceFilter


@ -22,7 +22,7 @@ import org.springframework.security.config.annotation.authentication.builders.Au
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.configurers.SessionCreationPolicy;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.access.ExceptionTranslationFilter
import org.springframework.security.web.context.NullSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextPersistenceFilter
@ -58,7 +58,7 @@ class SessionManagementConfigurerTests extends BaseSpringSpec {
.requestCache(REQUEST_CACHE)
.and()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.stateless)
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
}
}
@ -84,7 +84,7 @@ class SessionManagementConfigurerTests extends BaseSpringSpec {
.securityContextRepository(SECURITY_CONTEXT_REPO)
.and()
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.stateless)
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
}
}
@ -103,7 +103,7 @@ class SessionManagementConfigurerTests extends BaseSpringSpec {
protected void configure(HttpSecurity http) throws Exception {
http
.sessionManagement()
.sessionCreationPolicy(SessionCreationPolicy.stateless)
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.sessionManagement()
}