From a4c088a3b3965b94fd2aefb6a49fdcb87ecb7e78 Mon Sep 17 00:00:00 2001 From: Bogdan Ilchyshyn Date: Tue, 6 Jul 2021 07:14:29 +1000 Subject: [PATCH] Introducing WebSessionServerLogoutHandler Closes gh-4838 --- .../logout/WebSessionServerLogoutHandler.java | 38 ++++++++++++ .../WebSessionServerLogoutHandlerTests.java | 58 +++++++++++++++++++ 2 files changed, 96 insertions(+) create mode 100644 web/src/main/java/org/springframework/security/web/server/authentication/logout/WebSessionServerLogoutHandler.java create mode 100644 web/src/test/java/org/springframework/security/web/server/authentication/logout/WebSessionServerLogoutHandlerTests.java diff --git a/web/src/main/java/org/springframework/security/web/server/authentication/logout/WebSessionServerLogoutHandler.java b/web/src/main/java/org/springframework/security/web/server/authentication/logout/WebSessionServerLogoutHandler.java new file mode 100644 index 0000000000..34919d13da --- /dev/null +++ b/web/src/main/java/org/springframework/security/web/server/authentication/logout/WebSessionServerLogoutHandler.java @@ -0,0 +1,38 @@ +/* + * Copyright 2002-2021 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.web.server.authentication.logout; + +import reactor.core.publisher.Mono; + +import org.springframework.security.core.Authentication; +import org.springframework.security.web.server.WebFilterExchange; +import org.springframework.web.server.WebSession; + +/** + * A {@link ServerLogoutHandler} which invalidates the active {@link WebSession}. + * + * @author Bogdan Ilchyshyn + * @since 5.6 + */ +public class WebSessionServerLogoutHandler implements ServerLogoutHandler { + + @Override + public Mono logout(WebFilterExchange exchange, Authentication authentication) { + return exchange.getExchange().getSession().flatMap(WebSession::invalidate); + } + +} diff --git a/web/src/test/java/org/springframework/security/web/server/authentication/logout/WebSessionServerLogoutHandlerTests.java b/web/src/test/java/org/springframework/security/web/server/authentication/logout/WebSessionServerLogoutHandlerTests.java new file mode 100644 index 0000000000..780658593b --- /dev/null +++ b/web/src/test/java/org/springframework/security/web/server/authentication/logout/WebSessionServerLogoutHandlerTests.java @@ -0,0 +1,58 @@ +/* + * Copyright 2002-2021 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.web.server.authentication.logout; + +import org.junit.jupiter.api.Test; +import org.junit.jupiter.api.extension.ExtendWith; +import org.mockito.Mock; +import org.mockito.junit.jupiter.MockitoExtension; +import reactor.core.publisher.Mono; + +import org.springframework.security.core.Authentication; +import org.springframework.security.web.server.WebFilterExchange; +import org.springframework.web.server.ServerWebExchange; +import org.springframework.web.server.WebSession; + +import static org.mockito.Mockito.doReturn; +import static org.mockito.Mockito.mock; +import static org.mockito.Mockito.verify; + +@ExtendWith(MockitoExtension.class) +public class WebSessionServerLogoutHandlerTests { + + @Mock + ServerWebExchange webExchange; + + @Mock + WebFilterExchange filterExchange; + + @Mock + WebSession webSession; + + @Test + public void shouldInvalidateWebSession() { + doReturn(this.webExchange).when(this.filterExchange).getExchange(); + doReturn(Mono.just(this.webSession)).when(this.webExchange).getSession(); + doReturn(Mono.empty()).when(this.webSession).invalidate(); + + WebSessionServerLogoutHandler handler = new WebSessionServerLogoutHandler(); + handler.logout(this.filterExchange, mock(Authentication.class)).block(); + + verify(this.webSession).invalidate(); + } + +}