
Remove Resource Server's Session Policy Config

Resource Server doesn't need to set the session policy for the
application to STATELESS since it can rely on the
SessionManagementFilter ignoring tokens annotated with @Transient,
which a JwtAuthenticationToken is.

Fixes: gh-5759
Josh Cummings 7 years ago
parent
commit
25d1f49d84

+ 0 - 12
config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurer.java

@@ -158,12 +158,6 @@ public final class OAuth2ResourceServerConfigurer<H extends HttpSecurityBuilder<
 		return this.jwtConfigurer;
 	}
 
-	@Override
-	public void setBuilder(H http) {
-		super.setBuilder(http);
-		initSessionCreationPolicy(http);
-	}
-
 	@Override
 	public void init(H http) throws Exception {
 		registerDefaultAccessDeniedHandler(http);
@@ -252,12 +246,6 @@ public final class OAuth2ResourceServerConfigurer<H extends HttpSecurityBuilder<
 		}
 	}
 
-	private void initSessionCreationPolicy(H http) {
-		if (http.getSharedObject(SessionCreationPolicy.class) == null) {
-			http.setSharedObject(SessionCreationPolicy.class, SessionCreationPolicy.STATELESS);
-		}
-	}
-
 	private void registerDefaultAccessDeniedHandler(H http) {
 		ExceptionHandlingConfigurer<H> exceptionHandling = http
 				.getConfigurer(ExceptionHandlingConfigurer.class);
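Review bot: With initSessionCreationPolicy removed in the second hunk, the stateless behaviour of the resource server now rests on the Authentication carrying @Transient rather than on an explicit SessionCreationPolicy, and nothing in the configurer records that assumption. That holds for JwtAuthenticationToken, but an application that plugs in its own JWT-to-Authentication converter returning a token without @Transient would presumably have its context saved to the HttpSession under the default IF_REQUIRED policy, which the old STATELESS default prevented. Suggest a class-level Javadoc note on OAuth2ResourceServerConfigurer along the lines of `* No session creation policy is set here; requests remain stateless only because JwtAuthenticationToken is annotated @Transient. A custom JWT converter should return a @Transient token, or the application should set SessionCreationPolicy.STATELESS itself, to keep that behaviour.` The class declaration and the rest of the configurer body lie outside this hunk.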

+ 50 - 2
config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurerTests.java

@@ -115,6 +115,7 @@ import static org.springframework.test.web.servlet.request.MockMvcRequestBuilder
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrl;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 import static org.springframework.web.bind.annotation.RequestMethod.GET;
 import static org.springframework.web.bind.annotation.RequestMethod.POST;
@@ -525,7 +526,7 @@ public class OAuth2ResourceServerConfigurerTests {
 	}
 
 	@Test
-	public void requestWhenUsingDefaultsAndNoBearerTokenThenSessionIsNotCreated()
+	public void requestWhenUsingDefaultsAndNoBearerTokenThenSessionIsCreated()
 			throws Exception {
 
 		this.spring.register(DefaultConfig.class, BasicController.class).autowire();
@@ -534,7 +535,7 @@ public class OAuth2ResourceServerConfigurerTests {
 				.andExpect(status().isUnauthorized())
 				.andReturn();
 
-		assertThat(result.getRequest().getSession(false)).isNull();
+		assertThat(result.getRequest().getSession(false)).isNotNull();
 	}
 
 	@Test
@@ -971,6 +972,32 @@ public class OAuth2ResourceServerConfigurerTests {
 				.andExpect(header().string(HttpHeaders.WWW_AUTHENTICATE, startsWith("Bearer")));
 	}
 
+	@Test
+	public void requestWhenFormLoginAndResourceServerEntryPointsThenSessionCreatedByRequest()
+			throws Exception {
+
+		this.spring.register(FormAndResourceServerConfig.class, JwtDecoderConfig.class).autowire();
+
+		JwtDecoder decoder = this.spring.getContext().getBean(JwtDecoder.class);
+		when(decoder.decode(anyString())).thenThrow(JwtException.class);
+
+		MvcResult result =
+				this.mvc.perform(get("/authenticated"))
+						.andExpect(status().isFound())
+						.andExpect(redirectedUrl("http://localhost/login"))
+						.andReturn();
+
+		assertThat(result.getRequest().getSession(false)).isNotNull();
+
+		result =
+				this.mvc.perform(get("/authenticated")
+						.with(bearerToken("token")))
+						.andExpect(status().isUnauthorized())
+						.andReturn();
+
+		assertThat(result.getRequest().getSession(false)).isNull();
+	}
+
 	@Test
 	public void requestWhenDefaultAndResourceServerAccessDeniedHandlersThenMatchedByRequest()
 			throws Exception {
@@ -1260,6 +1287,27 @@ public class OAuth2ResourceServerConfigurerTests {
 		}
 	}
 
+	@EnableWebSecurity
+	static class FormAndResourceServerConfig extends WebSecurityConfigurerAdapter {
+		@Override
+		protected void configure(HttpSecurity http) throws Exception {
+			// @formatter:off
+			http
+				.authorizeRequests()
+					.anyRequest().authenticated()
+					.and()
+				.formLogin()
+					.and()
+				.oauth2ResourceServer()
+					.jwt();
+		}
+
+		@Bean
+		JwtDecoder jwtDecoder() {
+			return mock(JwtDecoder.class);
+		}
+	}
+
 	@EnableWebSecurity
 	static class JwtHalfConfiguredConfig extends WebSecurityConfigurerAdapter {
 		@Override
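Review bot: The new test requestWhenFormLoginAndResourceServerEntryPointsThenSessionCreatedByRequest only exercises the failure path, since the mocked decoder throws JwtException for every token, so the session-less assertion at the end is satisfied before any JwtAuthenticationToken exists and the @Transient mechanism the commit relies on is never covered. A companion test with a decoder that returns a valid Jwt, asserting that a successfully authenticated bearer request still leaves getSession(false) null, would pin the behaviour the description claims; the existing tests register BasicController for the endpoint that serves `/authenticated`, and that would be needed here for a 200. The Jwt fixture below is a constructed placeholder to be replaced by whatever helper this test class already uses to build a Jwt.
```java
	@Test
	public void requestWhenFormLoginAndValidBearerTokenThenSessionIsNotCreated()
			throws Exception {

		this.spring.register(FormAndResourceServerConfig.class, JwtDecoderConfig.class, BasicController.class).autowire();

		JwtDecoder decoder = this.spring.getContext().getBean(JwtDecoder.class);
		when(decoder.decode(anyString())).thenReturn(JWT_FIXTURE); // placeholder: a valid Jwt built by this class's existing helper

		MvcResult result =
				this.mvc.perform(get("/authenticated")
						.with(bearerToken("token")))
						.andExpect(status().isOk())
						.andReturn();

		// a @Transient JwtAuthenticationToken must not cause the context to be persisted
		assertThat(result.getRequest().getSession(false)).isNull();
	}
```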