Add session-management@session-fixation-protection=none test

Rob Winch 2015-02-19 13:01:15 -06:00
parent 6a8475adbb
commit fb085cae25


@ -368,6 +368,54 @@ class SessionManagementConfigTests extends AbstractHttpConfigTests {
!(getFilters("/someurl").find { it instanceof SessionManagementFilter})
}
def 'session-fixation-protection=none'() {
setup:
MockHttpServletRequest request = new MockHttpServletRequest(method:'POST')
request.session.id = '123'
request.setParameter('username', 'user')
request.setParameter('password', 'password')
request.servletPath = '/login'
MockHttpServletResponse response = new MockHttpServletResponse()
MockFilterChain chain = new MockFilterChain()
httpAutoConfig {
'session-management'('session-fixation-protection': 'none')
csrf(disabled:true)
}
createAppContext()
request.session.id = '123'
when:
springSecurityFilterChain.doFilter(request,response, chain)
then:
request.session.id == '123'
}
def 'session-fixation-protection=migrateSession'() {
setup:
MockHttpServletRequest request = new MockHttpServletRequest(method:'POST')
request.session.id = '123'
request.setParameter('username', 'user')
request.setParameter('password', 'password')
request.servletPath = '/login'
MockHttpServletResponse response = new MockHttpServletResponse()
MockFilterChain chain = new MockFilterChain()
httpAutoConfig {
'session-management'('session-fixation-protection': 'migrateSession')
csrf(disabled:true)
}
createAppContext()
request.session.id = '123'
when:
springSecurityFilterChain.doFilter(request,response, chain)
then:
request.session.id != '123'
}
def disablingSessionProtectionRetainsSessionManagementFilterInvalidSessionUrlSet() {
httpAutoConfig {
'session-management'('session-fixation-protection': 'none', 'invalid-session-url': '/timeoutUrl')