From fb085cae25adcf2ae584ad85c708fc1630c20865 Mon Sep 17 00:00:00 2001
From: Rob Winch
Date: Thu, 19 Feb 2015 13:01:15 -0600
Subject: [PATCH] Add session-management@session-fixation-protection=none test

---
 .../http/SessionManagementConfigTests.groovy | 48 +++++++++++++++++++
 1 file changed, 48 insertions(+)

diff --git a/config/src/test/groovy/org/springframework/security/config/http/SessionManagementConfigTests.groovy b/config/src/test/groovy/org/springframework/security/config/http/SessionManagementConfigTests.groovy
index 2008e8dcba..e5653ae023 100644
--- a/config/src/test/groovy/org/springframework/security/config/http/SessionManagementConfigTests.groovy
+++ b/config/src/test/groovy/org/springframework/security/config/http/SessionManagementConfigTests.groovy
@@ -368,6 +368,54 @@ class SessionManagementConfigTests extends AbstractHttpConfigTests {
 !(getFilters("/someurl").find { it instanceof SessionManagementFilter})
 }
 
+ def 'session-fixation-protection=none'() {
+ setup:
+ MockHttpServletRequest request = new MockHttpServletRequest(method:'POST')
+ request.session.id = '123'
+ request.setParameter('username', 'user')
+ request.setParameter('password', 'password')
+ request.servletPath = '/login'
+
+ MockHttpServletResponse response = new MockHttpServletResponse()
+ MockFilterChain chain = new MockFilterChain()
+ httpAutoConfig {
+ 'session-management'('session-fixation-protection': 'none')
+ csrf(disabled:true)
+ }
+ createAppContext()
+ request.session.id = '123'
+
+ when:
+ springSecurityFilterChain.doFilter(request,response, chain)
+
+ then:
+ request.session.id == '123'
+ }
+
+ def 'session-fixation-protection=migrateSession'() {
+ setup:
+ MockHttpServletRequest request = new MockHttpServletRequest(method:'POST')
+ request.session.id = '123'
+ request.setParameter('username', 'user')
+ request.setParameter('password', 'password')
+ request.servletPath = '/login'
+
+ MockHttpServletResponse response = new MockHttpServletResponse()
+ MockFilterChain chain = new MockFilterChain()
+ httpAutoConfig {
+ 'session-management'('session-fixation-protection': 'migrateSession')
+ csrf(disabled:true)
+ }
+ createAppContext()
+ request.session.id = '123'
+
+ when:
+ springSecurityFilterChain.doFilter(request,response, chain)
+
+ then:
+ request.session.id != '123'
+ }
+
 def disablingSessionProtectionRetainsSessionManagementFilterInvalidSessionUrlSet() {
 httpAutoConfig {
 'session-management'('session-fixation-protection': 'none', 'invalid-session-url': '/timeoutUrl')
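Review bot: The `then:` block of `'session-fixation-protection=none'` only asserts `request.session.id == '123'`, which also holds when the login never happens (wrong servletPath, unknown user, rejected POST), so the test cannot distinguish "fixation protection disabled" from "authentication did not run". Add an assertion that authentication actually succeeded in both new tests, e.g. `request.session.getAttribute('SPRING_SECURITY_CONTEXT') != null` (the default HttpSessionSecurityContextRepository key, assuming the tests use the default context repository) or a check that `response.redirectedUrl` is the success target rather than a failure URL; in the `migrateSession` test this also proves the id changed because of a successful login rather than some other cause. Both setups assign `request.session.id = '123'` twice, once before and once after `createAppContext()`; if the second assignment is needed because context creation replaces or resets the mock session, a comment such as `// re-pin the id after createAppContext() so the assertion below compares against a known value` would make that intent clear, otherwise the first assignment can be dropped. The `migrateSession` test checks only that the id changed, not that session attributes survived the migration, which is what distinguishes it from `newSession`; an attribute set before `doFilter` and asserted afterwards would pin that behaviour.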