From dbcb13ad14de442a73f7308a8e149b0bed88f23b Mon Sep 17 00:00:00 2001 From: Luke Taylor Date: Mon, 31 Aug 2009 22:48:49 +0000 Subject: [PATCH] SEC-1229: Redesign Concurrent Session Control implementation. Renamed session strategy interface and introduced SessionAuthenticationException for rejection of session/Authentication combination. --- .../HttpSecurityBeanDefinitionParser.java | 46 +------------------ ...HttpSecurityBeanDefinitionParserTests.java | 17 ++++--- ...bstractAuthenticationProcessingFilter.java | 8 ++-- ...onControlAuthenticatedSessionStrategy.java | 2 +- ...DefaultSessionAuthenticationStrategy.java} | 4 +- .../NullAuthenticatedSessionStrategy.java | 2 +- .../SessionAuthenticationException.java | 20 ++++++++ ...ava => SessionAuthenticationStrategy.java} | 9 ++-- .../web/session/SessionManagementFilter.java | 20 ++++---- .../AbstractProcessingFilterTests.java | 4 +- ...ltSessionAuthenticationStrategyTests.java} | 10 ++-- .../session/SessionManagementFilterTests.java | 8 ++-- 12 files changed, 66 insertions(+), 84 deletions(-) rename web/src/main/java/org/springframework/security/web/session/{DefaultAuthenticatedSessionStrategy.java => DefaultSessionAuthenticationStrategy.java} (97%) create mode 100644 web/src/main/java/org/springframework/security/web/session/SessionAuthenticationException.java rename web/src/main/java/org/springframework/security/web/session/{AuthenticatedSessionStrategy.java => SessionAuthenticationStrategy.java} (63%) rename web/src/test/java/org/springframework/security/web/session/{DefaultAuthenticatedSessionStrategyTests.java => DefaultSessionAuthenticationStrategyTests.java} (84%) diff --git a/config/src/main/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParser.java b/config/src/main/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParser.java index 4ca33b572a..f2c9a15862 100644 --- a/config/src/main/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParser.java +++ b/config/src/main/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParser.java @@ -33,7 +33,6 @@ import org.springframework.security.access.vote.RoleVoter; import org.springframework.security.authentication.AnonymousAuthenticationProvider; import org.springframework.security.authentication.ProviderManager; import org.springframework.security.authentication.RememberMeAuthenticationProvider; -import org.springframework.security.authentication.concurrent.ConcurrentSessionControllerImpl; import org.springframework.security.config.BeanIds; import org.springframework.security.config.Elements; import org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper; @@ -64,7 +63,7 @@ import org.springframework.security.web.context.SecurityContextPersistenceFilter import org.springframework.security.web.savedrequest.HttpSessionRequestCache; import org.springframework.security.web.savedrequest.RequestCacheAwareFilter; import org.springframework.security.web.session.ConcurrentSessionControlAuthenticatedSessionStrategy; -import org.springframework.security.web.session.DefaultAuthenticatedSessionStrategy; +import org.springframework.security.web.session.DefaultSessionAuthenticationStrategy; import org.springframework.security.web.session.SessionManagementFilter; import org.springframework.security.web.util.AntUrlPathMatcher; import org.springframework.security.web.util.RegexUrlPathMatcher; @@ -130,8 +129,6 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser { private static final String ATT_DISABLE_URL_REWRITING = "disable-url-rewriting"; - private static final String ATT_SESSION_CONTROLLER_REF = "session-controller-ref"; - static final String OPEN_ID_AUTHENTICATION_PROCESSING_FILTER_CLASS = "org.springframework.security.openid.OpenIDAuthenticationProcessingFilter"; static final String OPEN_ID_AUTHENTICATION_PROVIDER_CLASS = "org.springframework.security.openid.OpenIDAuthenticationProvider"; static final String OPEN_ID_CONSUMER_CLASS = "org.springframework.security.openid.OpenID4JavaConsumer"; @@ -726,45 +723,6 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser { return sessionControlFilter; } - private BeanReference createConcurrentSessionController(Element elt, BeanDefinition filter, BeanReference sessionRegistry, ParserContext pc) { - Element sessionCtrlElement = DomUtils.getChildElementByTagName(elt, Elements.CONCURRENT_SESSIONS); - - // Check for a custom controller -// String sessionControllerRef = sessionCtrlElement.getAttribute(ATT_SESSION_CONTROLLER_REF); -// -// if (StringUtils.hasText(sessionControllerRef)) { -// if (!StringUtils.hasText(sessionCtrlElement.getAttribute(ConcurrentSessionsBeanDefinitionParser.ATT_SESSION_REGISTRY_REF))) { -// pc.getReaderContext().error("Use of " + ATT_SESSION_CONTROLLER_REF + " requires that " + -// ConcurrentSessionsBeanDefinitionParser.ATT_SESSION_REGISTRY_REF + " is also set.", -// pc.extractSource(sessionCtrlElement)); -// } -// return new RuntimeBeanReference(sessionControllerRef); -// } - - BeanDefinitionBuilder controllerBuilder = BeanDefinitionBuilder.rootBeanDefinition(ConcurrentSessionControllerImpl.class); - controllerBuilder.getRawBeanDefinition().setSource(filter.getSource()); - controllerBuilder.setRole(BeanDefinition.ROLE_INFRASTRUCTURE); - controllerBuilder.addPropertyValue("sessionRegistry", sessionRegistry); - - String maxSessions = sessionCtrlElement.getAttribute("max-sessions"); - - if (StringUtils.hasText(maxSessions)) { - controllerBuilder.addPropertyValue("maximumSessions", maxSessions); - } - - String exceptionIfMaximumExceeded = sessionCtrlElement.getAttribute("exception-if-maximum-exceeded"); - - if (StringUtils.hasText(exceptionIfMaximumExceeded)) { - controllerBuilder.addPropertyValue("exceptionIfMaximumExceeded", exceptionIfMaximumExceeded); - } - - BeanDefinition controller = controllerBuilder.getBeanDefinition(); - - String id = pc.getReaderContext().registerWithGeneratedName(controller); - pc.registerComponent(new BeanComponentDefinition(controller, id)); - return new RuntimeBeanReference(id); - } - private BeanReference createRequestCache(Element element, ParserContext pc, boolean allowSessionCreation, String portMapperName) { BeanDefinitionBuilder requestCache = BeanDefinitionBuilder.rootBeanDefinition(HttpSessionRequestCache.class); @@ -948,7 +906,7 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser { sessionStrategy.addPropertyValue("exceptionIfMaximumExceeded", exceptionIfMaximumExceeded); } } else if (sessionFixationProtectionRequired || StringUtils.hasText(invalidSessionUrl)) { - sessionStrategy = BeanDefinitionBuilder.rootBeanDefinition(DefaultAuthenticatedSessionStrategy.class); + sessionStrategy = BeanDefinitionBuilder.rootBeanDefinition(DefaultSessionAuthenticationStrategy.class); } else { return null; } diff --git a/config/src/test/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParserTests.java b/config/src/test/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParserTests.java index 12aed522f7..6337651fe7 100644 --- a/config/src/test/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParserTests.java +++ b/config/src/test/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParserTests.java @@ -71,7 +71,7 @@ import org.springframework.security.web.authentication.www.BasicProcessingFilter import org.springframework.security.web.context.HttpSessionSecurityContextRepository; import org.springframework.security.web.context.SecurityContextPersistenceFilter; import org.springframework.security.web.savedrequest.RequestCacheAwareFilter; -import org.springframework.security.web.session.AuthenticatedSessionStrategy; +import org.springframework.security.web.session.SessionAuthenticationStrategy; import org.springframework.security.web.session.SessionManagementFilter; import org.springframework.security.web.wrapper.SecurityContextHolderAwareRequestFilter; import org.springframework.util.ReflectionUtils; @@ -115,7 +115,7 @@ public class HttpSecurityBeanDefinitionParserTests { checkAutoConfigFilters(filterList); - assertEquals(true, FieldUtils.getFieldValue(appContext.getBean("_filterChainProxy"), "stripQueryStringFromUrls")); + assertEquals(true, FieldUtils.getFieldValue(appContext.getBean(BeanIds.FILTER_CHAIN_PROXY), "stripQueryStringFromUrls")); assertEquals(true, FieldUtils.getFieldValue(filterList.get(AUTO_CONFIG_FILTERS-1), "securityMetadataSource.stripQueryStringFromUrls")); } @@ -138,8 +138,8 @@ public class HttpSecurityBeanDefinitionParserTests { assertTrue(filters.next() instanceof RequestCacheAwareFilter); assertTrue(filters.next() instanceof SecurityContextHolderAwareRequestFilter); assertTrue(filters.next() instanceof AnonymousProcessingFilter); - assertTrue(filters.next() instanceof ExceptionTranslationFilter); assertTrue(filters.next() instanceof SessionManagementFilter); + assertTrue(filters.next() instanceof ExceptionTranslationFilter); Object fsiObj = filters.next(); assertTrue(fsiObj instanceof FilterSecurityInterceptor); FilterSecurityInterceptor fsi = (FilterSecurityInterceptor) fsiObj; @@ -363,7 +363,7 @@ public class HttpSecurityBeanDefinitionParserTests { setContext("" + AUTH_PROVIDER_XML); List filters = getFilters("/someurl"); - ExceptionTranslationFilter etf = (ExceptionTranslationFilter) filters.get(filters.size() - 3); + ExceptionTranslationFilter etf = (ExceptionTranslationFilter) filters.get(filters.size() - 2); assertEquals("/access-denied", FieldUtils.getFieldValue(etf, "accessDeniedHandler.errorPage")); } @@ -755,7 +755,7 @@ public class HttpSecurityBeanDefinitionParserTests { "" + " " + "" + AUTH_PROVIDER_XML); - AuthenticatedSessionStrategy seshStrategy = (AuthenticatedSessionStrategy) FieldUtils.getFieldValue( + SessionAuthenticationStrategy seshStrategy = (SessionAuthenticationStrategy) FieldUtils.getFieldValue( getFilter(SessionManagementFilter.class), "sessionStrategy"); UsernamePasswordAuthenticationToken auth = new UsernamePasswordAuthenticationToken("bob", "pass"); // Register 2 sessions and then check a third @@ -782,7 +782,7 @@ public class HttpSecurityBeanDefinitionParserTests { "" + "" + "" + AUTH_PROVIDER_XML); - ExceptionTranslationFilter etf = (ExceptionTranslationFilter) getFilters("/someurl").get(AUTO_CONFIG_FILTERS-3); + ExceptionTranslationFilter etf = (ExceptionTranslationFilter) getFilters("/someurl").get(AUTO_CONFIG_FILTERS-2); assertTrue("ExceptionTranslationFilter should be configured with custom entry point", etf.getAuthenticationEntryPoint() instanceof MockEntryPoint); } @@ -810,8 +810,7 @@ public class HttpSecurityBeanDefinitionParserTests { setContext( "" + AUTH_PROVIDER_XML); List filters = getFilters("/someurl"); - assertTrue(filters.get(8) instanceof ExceptionTranslationFilter); - assertFalse(filters.get(9) instanceof SessionManagementFilter); + assertFalse(filters.get(8) instanceof SessionManagementFilter); } @Test @@ -820,7 +819,7 @@ public class HttpSecurityBeanDefinitionParserTests { "" + AUTH_PROVIDER_XML); List filters = getFilters("/someurl"); - Object filter = filters.get(9); + Object filter = filters.get(8); assertTrue(filter instanceof SessionManagementFilter); assertEquals("/timeoutUrl", FieldUtils.getProtectedFieldValue("invalidSessionUrl", filter)); } diff --git a/web/src/main/java/org/springframework/security/web/authentication/AbstractAuthenticationProcessingFilter.java b/web/src/main/java/org/springframework/security/web/authentication/AbstractAuthenticationProcessingFilter.java index ad2319ecb6..75d418902e 100644 --- a/web/src/main/java/org/springframework/security/web/authentication/AbstractAuthenticationProcessingFilter.java +++ b/web/src/main/java/org/springframework/security/web/authentication/AbstractAuthenticationProcessingFilter.java @@ -37,7 +37,7 @@ import org.springframework.security.core.Authentication; import org.springframework.security.core.AuthenticationException; import org.springframework.security.core.SpringSecurityMessageSource; import org.springframework.security.core.context.SecurityContextHolder; -import org.springframework.security.web.session.AuthenticatedSessionStrategy; +import org.springframework.security.web.session.SessionAuthenticationStrategy; import org.springframework.security.web.session.NullAuthenticatedSessionStrategy; import org.springframework.security.web.util.UrlUtils; import org.springframework.util.Assert; @@ -130,7 +130,7 @@ public abstract class AbstractAuthenticationProcessingFilter extends GenericFilt private boolean continueChainBeforeSuccessfulAuthentication = false; - private AuthenticatedSessionStrategy sessionStrategy = new NullAuthenticatedSessionStrategy(); + private SessionAuthenticationStrategy sessionStrategy = new NullAuthenticatedSessionStrategy(); private boolean allowSessionCreation = true; @@ -273,7 +273,7 @@ public abstract class AbstractAuthenticationProcessingFilter extends GenericFilt * Default behaviour for successful authentication. *
    *
  1. Sets the successful Authentication object on the {@link SecurityContextHolder}
    2. - *
  2. Invokes the configured {@link AuthenticatedSessionStrategy} to handle any session-related behaviour + *
  3. Invokes the configured {@link SessionAuthenticationStrategy} to handle any session-related behaviour * (such as creating a new session to protect against session-fixation attacks).
    4. *
  4. Informs the configured RememberMeServices of the successful login
    5. *
  5. Fires an {@link InteractiveAuthenticationSuccessEvent} via the configured @@ -400,7 +400,7 @@ public abstract class AbstractAuthenticationProcessingFilter extends GenericFilt * @param sessionStrategy the implementation to use. If not set a null implementation is * used. */ - public void setAuthenticatedSessionStrategy(AuthenticatedSessionStrategy sessionStrategy) { + public void setAuthenticatedSessionStrategy(SessionAuthenticationStrategy sessionStrategy) { this.sessionStrategy = sessionStrategy; } diff --git a/web/src/main/java/org/springframework/security/web/session/ConcurrentSessionControlAuthenticatedSessionStrategy.java b/web/src/main/java/org/springframework/security/web/session/ConcurrentSessionControlAuthenticatedSessionStrategy.java index c28cdd4d09..d90a77b213 100644 --- a/web/src/main/java/org/springframework/security/web/session/ConcurrentSessionControlAuthenticatedSessionStrategy.java +++ b/web/src/main/java/org/springframework/security/web/session/ConcurrentSessionControlAuthenticatedSessionStrategy.java @@ -23,7 +23,7 @@ import org.springframework.util.Assert; * @version $Id$ * @since 3.0 */ -public class ConcurrentSessionControlAuthenticatedSessionStrategy extends DefaultAuthenticatedSessionStrategy +public class ConcurrentSessionControlAuthenticatedSessionStrategy extends DefaultSessionAuthenticationStrategy implements MessageSourceAware { protected MessageSourceAccessor messages = SpringSecurityMessageSource.getAccessor(); private final SessionRegistry sessionRegistry; diff --git a/web/src/main/java/org/springframework/security/web/session/DefaultAuthenticatedSessionStrategy.java b/web/src/main/java/org/springframework/security/web/session/DefaultSessionAuthenticationStrategy.java similarity index 97% rename from web/src/main/java/org/springframework/security/web/session/DefaultAuthenticatedSessionStrategy.java rename to web/src/main/java/org/springframework/security/web/session/DefaultSessionAuthenticationStrategy.java index 402d004b61..2be9f56819 100644 --- a/web/src/main/java/org/springframework/security/web/session/DefaultAuthenticatedSessionStrategy.java +++ b/web/src/main/java/org/springframework/security/web/session/DefaultSessionAuthenticationStrategy.java @@ -16,7 +16,7 @@ import org.springframework.security.core.Authentication; import org.springframework.security.web.savedrequest.SavedRequest; /** - * The default implementation of {@link AuthenticatedSessionStrategy}. + * The default implementation of {@link SessionAuthenticationStrategy}. *

    * Creates a new session for the newly authenticated user if they already have a session (as a defence against * session-fixation protection attacks), and copies their @@ -32,7 +32,7 @@ import org.springframework.security.web.savedrequest.SavedRequest; * @version $Id$ * @since 3.0 */ -public class DefaultAuthenticatedSessionStrategy implements AuthenticatedSessionStrategy { +public class DefaultSessionAuthenticationStrategy implements SessionAuthenticationStrategy { protected final Log logger = LogFactory.getLog(this.getClass()); /** diff --git a/web/src/main/java/org/springframework/security/web/session/NullAuthenticatedSessionStrategy.java b/web/src/main/java/org/springframework/security/web/session/NullAuthenticatedSessionStrategy.java index 28d2bd4c81..401488e295 100644 --- a/web/src/main/java/org/springframework/security/web/session/NullAuthenticatedSessionStrategy.java +++ b/web/src/main/java/org/springframework/security/web/session/NullAuthenticatedSessionStrategy.java @@ -11,7 +11,7 @@ import org.springframework.security.core.Authentication; * @version $Id$ * @since 3.0 */ -public final class NullAuthenticatedSessionStrategy implements AuthenticatedSessionStrategy { +public final class NullAuthenticatedSessionStrategy implements SessionAuthenticationStrategy { public void onAuthentication(Authentication authentication, HttpServletRequest request, HttpServletResponse response) { diff --git a/web/src/main/java/org/springframework/security/web/session/SessionAuthenticationException.java b/web/src/main/java/org/springframework/security/web/session/SessionAuthenticationException.java new file mode 100644 index 0000000000..d1b83850de --- /dev/null +++ b/web/src/main/java/org/springframework/security/web/session/SessionAuthenticationException.java @@ -0,0 +1,20 @@ +package org.springframework.security.web.session; + +import org.springframework.security.core.AuthenticationException; + +/** + * Thrown by an SessionAuthenticationStrategy to indicate that an authentication object is not valid for + * the current session, typically because the same user has exceeded the number of sessions they are allowed to have + * concurrently. + * + * @author Luke Taylor + * @version $Id$ + * @since 3.0 + */ +public class SessionAuthenticationException extends AuthenticationException { + + public SessionAuthenticationException(String msg) { + super(msg); + } + +} diff --git a/web/src/main/java/org/springframework/security/web/session/AuthenticatedSessionStrategy.java b/web/src/main/java/org/springframework/security/web/session/SessionAuthenticationStrategy.java similarity index 63% rename from web/src/main/java/org/springframework/security/web/session/AuthenticatedSessionStrategy.java rename to web/src/main/java/org/springframework/security/web/session/SessionAuthenticationStrategy.java index a11f871ec6..aadc3d57c9 100644 --- a/web/src/main/java/org/springframework/security/web/session/AuthenticatedSessionStrategy.java +++ b/web/src/main/java/org/springframework/security/web/session/SessionAuthenticationStrategy.java @@ -7,7 +7,7 @@ import org.springframework.security.core.Authentication; import org.springframework.security.core.AuthenticationException; /** - * Allows pluggable support for Http session-related behaviour when an authentication occurs. + * Allows pluggable support for HttpSession-related behaviour when an authentication occurs. *

    * Typical use would be to make sure a session exists or to change the session Id to guard against session-fixation * attacks. @@ -16,14 +16,15 @@ import org.springframework.security.core.AuthenticationException; * @version $Id$ * @since */ -public interface AuthenticatedSessionStrategy { +public interface SessionAuthenticationStrategy { /** * Performs Http session-related functionality when a new authentication occurs. * - * @throws AuthenticationException if it is decided that the authentication is not allowed for the session. + * @throws SessionAuthenticationException if it is decided that the authentication is not allowed for the session. + * This will typically be because the user has too many sessions open at once. */ void onAuthentication(Authentication authentication, HttpServletRequest request, HttpServletResponse response) - throws AuthenticationException; + throws SessionAuthenticationException; } diff --git a/web/src/main/java/org/springframework/security/web/session/SessionManagementFilter.java b/web/src/main/java/org/springframework/security/web/session/SessionManagementFilter.java index 3cd60d9051..7961fde51c 100644 --- a/web/src/main/java/org/springframework/security/web/session/SessionManagementFilter.java +++ b/web/src/main/java/org/springframework/security/web/session/SessionManagementFilter.java @@ -21,10 +21,8 @@ import org.springframework.web.filter.GenericFilterBean; /** * Detects that a user has been authenticated since the start of the request and, if they have, calls the - * configured {@link AuthenticatedSessionStrategy} to perform any session-related activity (such as - * activating session-fixation protection mechanisms). - *

    - * This is essentially a generalization of the functionality that was implemented for SEC-399. + * configured {@link SessionAuthenticationStrategy} to perform any session-related activity such as + * activating session-fixation protection mechanisms or checking for multiple concurrent logins. * * @author Martin Algesten * @author Luke Taylor @@ -39,7 +37,7 @@ public class SessionManagementFilter extends GenericFilterBean { //~ Instance fields ================================================================================================ private final SecurityContextRepository securityContextRepository; - private AuthenticatedSessionStrategy sessionStrategy = new DefaultAuthenticatedSessionStrategy(); + private SessionAuthenticationStrategy sessionStrategy = new DefaultSessionAuthenticationStrategy(); private AuthenticationTrustResolver authenticationTrustResolver = new AuthenticationTrustResolverImpl(); private String invalidSessionUrl; private RedirectStrategy redirectStrategy = new DefaultRedirectStrategy(); @@ -65,7 +63,13 @@ public class SessionManagementFilter extends GenericFilterBean { if (authentication != null && !authenticationTrustResolver.isAnonymous(authentication)) { // The user has been authenticated during the current request, so call the session strategy - sessionStrategy.onAuthentication(authentication, request, response); + try { + sessionStrategy.onAuthentication(authentication, request, response); + } catch (SessionAuthenticationException e) { + // The session strategy can reject the authentication + logger.debug("SessionAuthenticationStrategy rejected the authentication object",e); + SecurityContextHolder.clearContext(); + } } else { // No security context or authentication present. Check for a session timeout if (request.getRequestedSessionId() != null && !request.isRequestedSessionIdValid()) { @@ -83,9 +87,9 @@ public class SessionManagementFilter extends GenericFilterBean { * Sets the strategy object which handles the session management behaviour when a * user has been authenticated during the current request. * - * @param sessionStrategy the strategy object. If not set, a {@link DefaultAuthenticatedSessionStrategy} is used. + * @param sessionStrategy the strategy object. If not set, a {@link DefaultSessionAuthenticationStrategy} is used. */ - public void setAuthenticatedSessionStrategy(AuthenticatedSessionStrategy sessionStrategy) { + public void setAuthenticatedSessionStrategy(SessionAuthenticationStrategy sessionStrategy) { Assert.notNull(sessionStrategy, "authenticatedSessionStratedy must not be null"); this.sessionStrategy = sessionStrategy; } diff --git a/web/src/test/java/org/springframework/security/web/authentication/AbstractProcessingFilterTests.java b/web/src/test/java/org/springframework/security/web/authentication/AbstractProcessingFilterTests.java index 5db5708cf4..a116801aca 100644 --- a/web/src/test/java/org/springframework/security/web/authentication/AbstractProcessingFilterTests.java +++ b/web/src/test/java/org/springframework/security/web/authentication/AbstractProcessingFilterTests.java @@ -50,7 +50,7 @@ import org.springframework.security.web.authentication.SavedRequestAwareAuthenti import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler; import org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices; import org.springframework.security.web.savedrequest.SavedRequest; -import org.springframework.security.web.session.AuthenticatedSessionStrategy; +import org.springframework.security.web.session.SessionAuthenticationStrategy; /** @@ -240,7 +240,7 @@ public class AbstractProcessingFilterTests extends TestCase { MockAbstractProcessingFilter filter = new MockAbstractProcessingFilter(true); filter.setFilterProcessesUrl("/j_mock_post"); - filter.setAuthenticatedSessionStrategy(mock(AuthenticatedSessionStrategy.class)); + filter.setAuthenticatedSessionStrategy(mock(SessionAuthenticationStrategy.class)); filter.setAuthenticationSuccessHandler(successHandler); filter.setAuthenticationFailureHandler(failureHandler); filter.setAuthenticationManager(mock(AuthenticationManager.class)); diff --git a/web/src/test/java/org/springframework/security/web/session/DefaultAuthenticatedSessionStrategyTests.java b/web/src/test/java/org/springframework/security/web/session/DefaultSessionAuthenticationStrategyTests.java similarity index 84% rename from web/src/test/java/org/springframework/security/web/session/DefaultAuthenticatedSessionStrategyTests.java rename to web/src/test/java/org/springframework/security/web/session/DefaultSessionAuthenticationStrategyTests.java index 5d33f633e0..fe78bb5373 100644 --- a/web/src/test/java/org/springframework/security/web/session/DefaultAuthenticatedSessionStrategyTests.java +++ b/web/src/test/java/org/springframework/security/web/session/DefaultSessionAuthenticationStrategyTests.java @@ -18,11 +18,11 @@ import org.springframework.security.web.savedrequest.SavedRequest; * @author Luke Taylor * @version $Id$ */ -public class DefaultAuthenticatedSessionStrategyTests { +public class DefaultSessionAuthenticationStrategyTests { @Test public void newSessionShouldNotBeCreatedIfNoSessionExistsAndAlwaysCreateIsFalse() throws Exception { - DefaultAuthenticatedSessionStrategy strategy = new DefaultAuthenticatedSessionStrategy(); + DefaultSessionAuthenticationStrategy strategy = new DefaultSessionAuthenticationStrategy(); HttpServletRequest request = new MockHttpServletRequest(); strategy.onAuthentication(mock(Authentication.class), request, new MockHttpServletResponse()); @@ -32,7 +32,7 @@ public class DefaultAuthenticatedSessionStrategyTests { // @Test // public void newSessionIsCreatedIfSessionAlreadyExists() throws Exception { -// DefaultAuthenticatedSessionStrategy strategy = new DefaultAuthenticatedSessionStrategy(); +// DefaultSessionAuthenticationStrategy strategy = new DefaultSessionAuthenticationStrategy(); // strategy.setSessionRegistry(mock(SessionRegistry.class)); // HttpServletRequest request = new MockHttpServletRequest(); // String sessionId = request.getSession().getId(); @@ -45,7 +45,7 @@ public class DefaultAuthenticatedSessionStrategyTests { // See SEC-1077 @Test public void onlySavedRequestAttributeIsMigratedIfMigrateAttributesIsFalse() throws Exception { - DefaultAuthenticatedSessionStrategy strategy = new DefaultAuthenticatedSessionStrategy(); + DefaultSessionAuthenticationStrategy strategy = new DefaultSessionAuthenticationStrategy(); strategy.setMigrateSessionAttributes(false); HttpServletRequest request = new MockHttpServletRequest(); HttpSession session = request.getSession(); @@ -60,7 +60,7 @@ public class DefaultAuthenticatedSessionStrategyTests { @Test public void sessionIsCreatedIfAlwaysCreateTrue() throws Exception { - DefaultAuthenticatedSessionStrategy strategy = new DefaultAuthenticatedSessionStrategy(); + DefaultSessionAuthenticationStrategy strategy = new DefaultSessionAuthenticationStrategy(); strategy.setAlwaysCreateSession(true); HttpServletRequest request = new MockHttpServletRequest(); strategy.onAuthentication(mock(Authentication.class), request, new MockHttpServletResponse()); diff --git a/web/src/test/java/org/springframework/security/web/session/SessionManagementFilterTests.java b/web/src/test/java/org/springframework/security/web/session/SessionManagementFilterTests.java index a8aef52319..e5a3eb9431 100644 --- a/web/src/test/java/org/springframework/security/web/session/SessionManagementFilterTests.java +++ b/web/src/test/java/org/springframework/security/web/session/SessionManagementFilterTests.java @@ -44,7 +44,7 @@ public class SessionManagementFilterTests { @Test public void strategyIsNotInvokedIfSecurityContextAlreadyExistsForRequest() throws Exception { SecurityContextRepository repo = mock(SecurityContextRepository.class); - AuthenticatedSessionStrategy strategy = mock(AuthenticatedSessionStrategy.class); + SessionAuthenticationStrategy strategy = mock(SessionAuthenticationStrategy.class); // mock that repo contains a security context when(repo.containsContext(any(HttpServletRequest.class))).thenReturn(true); SessionManagementFilter filter = new SessionManagementFilter(repo); @@ -60,7 +60,7 @@ public class SessionManagementFilterTests { @Test public void strategyIsNotInvokedIfAuthenticationIsNull() throws Exception { SecurityContextRepository repo = mock(SecurityContextRepository.class); - AuthenticatedSessionStrategy strategy = mock(AuthenticatedSessionStrategy.class); + SessionAuthenticationStrategy strategy = mock(SessionAuthenticationStrategy.class); SessionManagementFilter filter = new SessionManagementFilter(repo); filter.setAuthenticatedSessionStrategy(strategy); HttpServletRequest request = new MockHttpServletRequest(); @@ -74,7 +74,7 @@ public class SessionManagementFilterTests { public void strategyIsInvokedIfUserIsNewlyAuthenticated() throws Exception { SecurityContextRepository repo = mock(SecurityContextRepository.class); // repo will return false to containsContext() - AuthenticatedSessionStrategy strategy = mock(AuthenticatedSessionStrategy.class); + SessionAuthenticationStrategy strategy = mock(SessionAuthenticationStrategy.class); SessionManagementFilter filter = new SessionManagementFilter(repo); filter.setAuthenticatedSessionStrategy(strategy); HttpServletRequest request = new MockHttpServletRequest(); @@ -92,7 +92,7 @@ public class SessionManagementFilterTests { public void responseIsRedirectedToTimeoutUrlIfSetAndSessionIsInvalid() throws Exception { SecurityContextRepository repo = mock(SecurityContextRepository.class); // repo will return false to containsContext() - AuthenticatedSessionStrategy strategy = mock(AuthenticatedSessionStrategy.class); + SessionAuthenticationStrategy strategy = mock(SessionAuthenticationStrategy.class); SessionManagementFilter filter = new SessionManagementFilter(repo); filter.setAuthenticatedSessionStrategy(strategy); MockHttpServletRequest request = new MockHttpServletRequest();