SEC-2055: SaveContextServletOutputStream flush/close delegates to original ServletOutputStream instead of using super

This commit is contained in:
Rob Winch 2012-09-19 08:59:39 -05:00
parent abe5e4af48
commit dbc88f3226
2 changed files with 36 additions and 4 deletions


@ -203,16 +203,14 @@ public abstract class SaveContextOnUpdateOrErrorResponseWrapper extends HttpServ
this.delegate.write(b); this.delegate.write(b);
} }
@Override
public void flush() throws IOException { public void flush() throws IOException {
doSaveContext(); doSaveContext();
super.flush(); delegate.flush();
} }
@Override
public void close() throws IOException { public void close() throws IOException {
doSaveContext(); doSaveContext();
super.close(); delegate.close();
} }
} }
} }
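Review bot: The new calls in flush() and close() use the bare field (`delegate.flush()`, `delegate.close()`) while the write() line at the top of the hunk uses `this.delegate.write(b)`; for consistency within the same inner class use `this.delegate.flush();` and `this.delegate.close();`. Separately, doSaveContext() runs before the delegate call in both methods, presumably so the session write happens before the response is committed, but that ordering also means an exception thrown by doSaveContext() leaves the wrapped stream unflushed and unclosed; if callers are expected to be able to release the underlying stream regardless, close() could read `try { doSaveContext(); } finally { this.delegate.close(); }`. The enclosing SaveContextServletOutputStream class, its field declaration and its other write() overrides start outside the hunk, so whether the previous super.flush()/super.close() ever reached the delegate cannot be confirmed from here.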


@ -16,6 +16,8 @@ import static org.junit.Assert.*;
import static org.mockito.Mockito.*; import static org.mockito.Mockito.*;
import static org.springframework.security.web.context.HttpSessionSecurityContextRepository.*; import static org.springframework.security.web.context.HttpSessionSecurityContextRepository.*;
import javax.servlet.ServletOutputStream;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession; import javax.servlet.http.HttpSession;
import org.junit.After; import org.junit.After;
@ -257,6 +259,38 @@ public class HttpSessionSecurityContextRepositoryTests {
assertEquals(SecurityContextHolder.getContext(), request.getSession().getAttribute("imTheContext")); assertEquals(SecurityContextHolder.getContext(), request.getSession().getAttribute("imTheContext"));
} }
// SEC-SEC-2055
@Test
public void outputStreamCloseDelegate() throws Exception {
HttpSessionSecurityContextRepository repo = new HttpSessionSecurityContextRepository();
repo.setSpringSecurityContextKey("imTheContext");
MockHttpServletRequest request = new MockHttpServletRequest();
HttpServletResponse response = mock(HttpServletResponse.class);
ServletOutputStream outputstream = mock(ServletOutputStream.class);
when(response.getOutputStream()).thenReturn(outputstream);
HttpRequestResponseHolder holder = new HttpRequestResponseHolder(request, response);
SecurityContextHolder.setContext(repo.loadContext(holder));
SecurityContextHolder.getContext().setAuthentication(testToken);
holder.getResponse().getOutputStream().close();
verify(outputstream).close();
}
// SEC-SEC-2055
@Test
public void outputStreamFlushesDelegate() throws Exception {
HttpSessionSecurityContextRepository repo = new HttpSessionSecurityContextRepository();
repo.setSpringSecurityContextKey("imTheContext");
MockHttpServletRequest request = new MockHttpServletRequest();
HttpServletResponse response = mock(HttpServletResponse.class);
ServletOutputStream outputstream = mock(ServletOutputStream.class);
when(response.getOutputStream()).thenReturn(outputstream);
HttpRequestResponseHolder holder = new HttpRequestResponseHolder(request, response);
SecurityContextHolder.setContext(repo.loadContext(holder));
SecurityContextHolder.getContext().setAuthentication(testToken);
holder.getResponse().getOutputStream().flush();
verify(outputstream).flush();
}
@Test @Test
public void noSessionIsCreatedIfSessionWasInvalidatedDuringTheRequest() throws Exception { public void noSessionIsCreatedIfSessionWasInvalidatedDuringTheRequest() throws Exception {
HttpSessionSecurityContextRepository repo = new HttpSessionSecurityContextRepository(); HttpSessionSecurityContextRepository repo = new HttpSessionSecurityContextRepository();