Cwikius-Spring
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Prevent NullPointerException when session ID changes 

The old session ID may not exist in the session registry if the user is not authenticated.

Closes gh-9011
This commit is contained in:
Eleftheria Stein 2020-09-18 10:50:20 +02:00
parent 6e6d382357
commit a5b97bb569
2 changed files with 24 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
core/src/main/java/org/springframework/security/core/session/SessionRegistryImpl.java
View File

@ -108,9 +108,11 @@ public class SessionRegistryImpl implements SessionRegistry, ApplicationListener
else if (event instanceof SessionIdChangedEvent) { else if (event instanceof SessionIdChangedEvent) {
SessionIdChangedEvent sessionIdChangedEvent = (SessionIdChangedEvent) event; SessionIdChangedEvent sessionIdChangedEvent = (SessionIdChangedEvent) event;
String oldSessionId = sessionIdChangedEvent.getOldSessionId(); String oldSessionId = sessionIdChangedEvent.getOldSessionId();
Object principal = this.sessionIds.get(oldSessionId).getPrincipal(); if (this.sessionIds.containsKey(oldSessionId)) {
removeSessionInformation(oldSessionId); Object principal = this.sessionIds.get(oldSessionId).getPrincipal();
registerNewSession(sessionIdChangedEvent.getNewSessionId(), principal); removeSessionInformation(oldSessionId);
registerNewSession(sessionIdChangedEvent.getNewSessionId(), principal);
}
} }
} }

19
core/src/test/java/org/springframework/security/core/session/SessionRegistryImplTests.java
View File

@ -173,6 +173,25 @@ public class SessionRegistryImplTests {
assertThat(this.sessionRegistry.getAllSessions(principal, false)).isEmpty(); assertThat(this.sessionRegistry.getAllSessions(principal, false)).isEmpty();
} }
@Test
public void sessionIdChangedEventWhenSessionIdNotSavedThenDoesNothing() {
final String oldSessionId = "old-session-id";
final String newSessionId = "new-session-id";
this.sessionRegistry.onApplicationEvent(new SessionIdChangedEvent("") {
@Override
public String getOldSessionId() {
return oldSessionId;
}
@Override
public String getNewSessionId() {
return newSessionId;
}
});
assertThat(this.sessionRegistry.getSessionInformation(oldSessionId)).isNull();
assertThat(this.sessionRegistry.getSessionInformation(newSessionId)).isNull();
}
private boolean contains(String sessionId, Object principal) { private boolean contains(String sessionId, Object principal) {
List<SessionInformation> info = this.sessionRegistry.getAllSessions(principal, false); List<SessionInformation> info = this.sessionRegistry.getAllSessions(principal, false);
for (SessionInformation sessionInformation : info) { for (SessionInformation sessionInformation : info) {