Clarifies sessionAuthenticationStrategy setter

Fixes gh-234
Joe Grandja 2016-04-22 11:57:01 -04:00 committed by Rob Winch
parent 491abf2600
commit e68d8bfaea
1 changed files with 19 additions and 9 deletions


@ -94,6 +94,7 @@ public final class SessionManagementConfigurer<H extends HttpSecurityBuilder<H>>
private final SessionAuthenticationStrategy DEFAULT_SESSION_FIXATION_STRATEGY = createDefaultSessionFixationProtectionStrategy(); private final SessionAuthenticationStrategy DEFAULT_SESSION_FIXATION_STRATEGY = createDefaultSessionFixationProtectionStrategy();
private SessionAuthenticationStrategy sessionFixationAuthenticationStrategy = DEFAULT_SESSION_FIXATION_STRATEGY; private SessionAuthenticationStrategy sessionFixationAuthenticationStrategy = DEFAULT_SESSION_FIXATION_STRATEGY;
private SessionAuthenticationStrategy sessionAuthenticationStrategy; private SessionAuthenticationStrategy sessionAuthenticationStrategy;
private SessionAuthenticationStrategy providedSessionAuthenticationStrategy;
private InvalidSessionStrategy invalidSessionStrategy; private InvalidSessionStrategy invalidSessionStrategy;
private List<SessionAuthenticationStrategy> sessionAuthenticationStrategies = new ArrayList<SessionAuthenticationStrategy>(); private List<SessionAuthenticationStrategy> sessionAuthenticationStrategies = new ArrayList<SessionAuthenticationStrategy>();
private SessionRegistry sessionRegistry; private SessionRegistry sessionRegistry;
@ -193,8 +194,11 @@ public final class SessionManagementConfigurer<H extends HttpSecurityBuilder<H>>
* number of sessions is configured, then * number of sessions is configured, then
* {@link CompositeSessionAuthenticationStrategy} delegating to * {@link CompositeSessionAuthenticationStrategy} delegating to
* {@link ConcurrentSessionControlAuthenticationStrategy}, * {@link ConcurrentSessionControlAuthenticationStrategy},
* {@link SessionFixationProtectionStrategy} (optional), and * {@link SessionFixationProtectionStrategy} (the default) OR
* {@link RegisterSessionAuthenticationStrategy} will be used. * {@link SessionAuthenticationStrategy} the supplied sessionAuthenticationStrategy,
* {@link RegisterSessionAuthenticationStrategy}.
*
* NOTE: Supplying a custom {@link SessionAuthenticationStrategy} will override the default provided {@link SessionFixationProtectionStrategy}.
* *
* @param sessionAuthenticationStrategy * @param sessionAuthenticationStrategy
* @return the {@link SessionManagementConfigurer} for further customizations * @return the {@link SessionManagementConfigurer} for further customizations
@ -491,8 +495,13 @@ public final class SessionManagementConfigurer<H extends HttpSecurityBuilder<H>>
return sessionAuthenticationStrategy; return sessionAuthenticationStrategy;
} }
List<SessionAuthenticationStrategy> delegateStrategies = sessionAuthenticationStrategies; List<SessionAuthenticationStrategy> delegateStrategies = sessionAuthenticationStrategies;
if(DEFAULT_SESSION_FIXATION_STRATEGY == sessionFixationAuthenticationStrategy) { SessionAuthenticationStrategy defaultSessionAuthenticationStrategy;
sessionFixationAuthenticationStrategy = postProcess(sessionFixationAuthenticationStrategy); if (providedSessionAuthenticationStrategy == null) {
// If a user provided SessionAuthenticationStrategy is not supplied
// then default to SessionFixationProtectionStrategy
defaultSessionAuthenticationStrategy = postProcess(sessionFixationAuthenticationStrategy);
} else {
defaultSessionAuthenticationStrategy = providedSessionAuthenticationStrategy;
} }
if (isConcurrentSessionControlEnabled()) { if (isConcurrentSessionControlEnabled()) {
SessionRegistry sessionRegistry = getSessionRegistry(http); SessionRegistry sessionRegistry = getSessionRegistry(http);
@ -507,11 +516,12 @@ public final class SessionManagementConfigurer<H extends HttpSecurityBuilder<H>>
sessionRegistry); sessionRegistry);
registerSessionStrategy = postProcess(registerSessionStrategy); registerSessionStrategy = postProcess(registerSessionStrategy);
delegateStrategies.addAll(Arrays.asList(concurrentSessionControlStrategy, delegateStrategies.addAll(Arrays.asList(
sessionFixationAuthenticationStrategy, registerSessionStrategy)); concurrentSessionControlStrategy,
} defaultSessionAuthenticationStrategy,
else { registerSessionStrategy));
delegateStrategies.add(sessionFixationAuthenticationStrategy); } else {
delegateStrategies.add(defaultSessionAuthenticationStrategy);
} }
sessionAuthenticationStrategy = postProcess(new CompositeSessionAuthenticationStrategy( sessionAuthenticationStrategy = postProcess(new CompositeSessionAuthenticationStrategy(
delegateStrategies)); delegateStrategies));
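Review bot: `providedSessionAuthenticationStrategy` is read in the new `if (providedSessionAuthenticationStrategy == null)` check, but none of the four hunks assigns it; the only change near the setter is its Javadoc, and the setter body lies outside the hunks. Unless that body already contains `this.providedSessionAuthenticationStrategy = sessionAuthenticationStrategy;`, the `else` branch is unreachable and the documented override never happens, so this should be confirmed and covered by a test. When the branch is taken, the composite no longer contains any `SessionFixationProtectionStrategy` and any `sessionFixation()` setting is dropped silently, so a caller who supplies a strategy for an unrelated purpose loses session-fixation protection; a debug log at that branch, or a sentence in the NOTE saying the custom strategy must change the session id itself, would make that visible. The local name `defaultSessionAuthenticationStrategy` also ends up holding the user-supplied strategy, and that value skips `postProcess` while the default does not; the enclosing method starts and ends outside the hunk.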