root
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Actions 6 Packages Projects Releases Wiki Activity

SEC-2156: AbstractSecurityWebApplicationInitializer configures SessionTrackingMode 

It also allows customization by overriding a method.
This commit is contained in:
Rob Winch 2013-07-19 17:07:18 -05:00
parent 90bd241ce2
commit ac053dbda7
2 changed files with 61 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
web/src/main/java/org/springframework/security/web/context/AbstractSecurityWebApplicationInitializer.java
View File

@ -17,12 +17,15 @@ package org.springframework.security.web.context;
import java.util.Arrays; import java.util.Arrays;
import java.util.EnumSet; import java.util.EnumSet;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.DispatcherType; import javax.servlet.DispatcherType;
import javax.servlet.Filter; import javax.servlet.Filter;
import javax.servlet.FilterRegistration.Dynamic; import javax.servlet.FilterRegistration.Dynamic;
import javax.servlet.ServletContext; import javax.servlet.ServletContext;
import javax.servlet.ServletException; import javax.servlet.ServletException;
import javax.servlet.SessionTrackingMode;
import org.springframework.context.ApplicationContext; import org.springframework.context.ApplicationContext;
import org.springframework.core.Conventions; import org.springframework.core.Conventions;
@ -83,6 +86,7 @@ public abstract class AbstractSecurityWebApplicationInitializer implements WebAp
if(enableHttpSessionEventPublisher()) { if(enableHttpSessionEventPublisher()) {
servletContext.addListener("org.springframework.security.web.session.HttpSessionEventPublisher"); servletContext.addListener("org.springframework.security.web.session.HttpSessionEventPublisher");
} }
servletContext.setSessionTrackingModes(getSessionTrackingModes());
insertSpringSecurityFilterChain(servletContext); insertSpringSecurityFilterChain(servletContext);
afterSpringSecurityFilterChain(servletContext); afterSpringSecurityFilterChain(servletContext);
} }
@ -207,6 +211,35 @@ public abstract class AbstractSecurityWebApplicationInitializer implements WebAp
return SERVLET_CONTEXT_PREFIX + dispatcherServletName; return SERVLET_CONTEXT_PREFIX + dispatcherServletName;
} }
/**
* Determines how a session should be tracked. By default, the following
* modes are used:
*
* <ul>
* <li> {@link SessionTrackingMode#COOKIE}</li>
* <li> {@link SessionTrackingMode#SSL}</li>
* </ul>
*
* <p>
* Note that {@link SessionTrackingMode#URL} is intentionally omitted to
* help protected against <a
* href="http://en.wikipedia.org/wiki/Session_fixation">session fixation
* attacks</a>.
* </p>
*
* <p>
* Subclasses can override this method to make customizations.
* </p>
*
* @return
*/
protected Set<SessionTrackingMode> getSessionTrackingModes() {
Set<SessionTrackingMode> modes = new HashSet<SessionTrackingMode>();
modes.add(SessionTrackingMode.COOKIE);
modes.add(SessionTrackingMode.SSL);
return modes;
}
/** /**
* Return the <servlet-name> to use the DispatcherServlet's * Return the <servlet-name> to use the DispatcherServlet's
* {@link WebApplicationContext} to find the {@link DelegatingFilterProxy} * {@link WebApplicationContext} to find the {@link DelegatingFilterProxy}

28
web/src/test/groovy/org/springframework/security/web/context/AbstractSecurityWebApplicationInitializerTests.groovy
View File

@ -21,6 +21,7 @@ import javax.servlet.DispatcherType;
import javax.servlet.Filter; import javax.servlet.Filter;
import javax.servlet.FilterRegistration; import javax.servlet.FilterRegistration;
import javax.servlet.ServletContext; import javax.servlet.ServletContext;
import javax.servlet.SessionTrackingMode;
import org.springframework.security.web.session.HttpSessionEventPublisher; import org.springframework.security.web.session.HttpSessionEventPublisher;
import org.springframework.web.filter.DelegatingFilterProxy; import org.springframework.web.filter.DelegatingFilterProxy;
@ -239,6 +240,33 @@ class AbstractSecurityWebApplicationInitializerTests extends Specification {
success.message == "filters cannot be null or empty" success.message == "filters cannot be null or empty"
} }
def "sessionTrackingModes defaults"() {
setup:
ServletContext context = Mock()
FilterRegistration.Dynamic registration = Mock()
when:
new AbstractSecurityWebApplicationInitializer(){ }.onStartup(context)
then:
1 * context.addFilter("springSecurityFilterChain", {DelegatingFilterProxy f -> f.targetBeanName == "springSecurityFilterChain" && f.contextAttribute == null}) >> registration
1 * context.setSessionTrackingModes({Set<SessionTrackingMode> modes -> modes.size() == 2 && modes.containsAll([SessionTrackingMode.COOKIE, SessionTrackingMode.SSL]) })
}
def "sessionTrackingModes override"() {
setup:
ServletContext context = Mock()
FilterRegistration.Dynamic registration = Mock()
when:
new AbstractSecurityWebApplicationInitializer(){
@Override
public Set<SessionTrackingMode> getSessionTrackingModes() {
return [SessionTrackingMode.COOKIE]
}
}.onStartup(context)
then:
1 * context.addFilter("springSecurityFilterChain", {DelegatingFilterProxy f -> f.targetBeanName == "springSecurityFilterChain" && f.contextAttribute == null}) >> registration
1 * context.setSessionTrackingModes({Set<SessionTrackingMode> modes -> modes.size() == 1 && modes.containsAll([SessionTrackingMode.COOKIE]) })
}
def "appendFilters filters with null"() { def "appendFilters filters with null"() {
setup: setup:
Filter filter1 = Mock() Filter filter1 = Mock()