
SEC-3170: Polish

* Prevent a null LogoutHandler from being set when RememberMeServices
does not implement LogoutHandler
* Fix test which invoked Mock from outside Spock and therefore failed
* Add explicit test for adding null LogoutHandler to
RememberMeConfigurer
Rob Winch 9 years ago
parent
commit
337f1885ea

+ 1 - 1
config/src/main/java/org/springframework/security/config/annotation/web/configurers/RememberMeConfigurer.java

@@ -230,7 +230,7 @@ public final class RememberMeConfigurer<H extends HttpSecurityBuilder<H>> extend
 		RememberMeServices rememberMeServices = getRememberMeServices(http, key);
 		http.setSharedObject(RememberMeServices.class, rememberMeServices);
 		LogoutConfigurer<H> logoutConfigurer = http.getConfigurer(LogoutConfigurer.class);
-		if (logoutConfigurer != null) {
+		if (logoutConfigurer != null && logoutHandler != null) {
 			logoutConfigurer.addLogoutHandler(logoutHandler);
 		}
 
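Review bot: The new guard `if (logoutConfigurer != null && logoutHandler != null)` silently skips registering a logout handler, and nothing in the hunk says why `logoutHandler` can be null or what is lost when it is; the commit message suggests it is null when the configured RememberMeServices does not implement LogoutHandler, but where it is assigned lies outside the hunk. If that reading is right, logout then no longer clears the remember-me token, which stays usable until it expires, and that is a security-relevant consequence worth stating next to the condition rather than leaving implicit. A comment such as `// logoutHandler is null when the RememberMeServices does not implement LogoutHandler; the remember-me token is then not invalidated on logout` would make the trade-off visible to the next reader. The enclosing method starts and ends outside the hunk.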

+ 17 - 6
config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/LogoutConfigurerTests.groovy

@@ -23,6 +23,7 @@ import org.springframework.security.config.annotation.authentication.builders.Au
 import org.springframework.security.config.annotation.web.builders.HttpSecurity
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
+import org.springframework.security.config.annotation.web.configurers.LogoutConfigurerTests.RememberMeNoLogoutHandler;
 import org.springframework.security.web.authentication.RememberMeServices
 import org.springframework.security.web.authentication.logout.LogoutFilter
 
@@ -114,24 +115,34 @@ class LogoutConfigurerTests extends BaseSpringSpec {
 		}
 	}
 
-	def "SEC-3170: LogoutConfigurer allows null LogoutHandler"() {
-		when:
+	def "SEC-3170: LogoutConfigurer RememberMeService not LogoutHandler"() {
+		setup:
+			RememberMeNoLogoutHandler.REMEMBER_ME = Mock(RememberMeServices)
 			loadConfig(RememberMeNoLogoutHandler)
-			request.method = "GET"
+			request.method = "POST"
 			request.servletPath = "/logout"
-			findFilter(LogoutFilter).doFilter(request, response, chain)
+		when:
+			findFilter(LogoutFilter).doFilter(request,response,chain)
+		then:
+			response.redirectedUrl == "/login?logout"
+	}
+
+	def "SEC-3170: LogoutConfigurer prevents null LogoutHandler"() {
+		when:
+			new LogoutConfigurer().addLogoutHandler(null)
 		then:
-			thrown(BeanCreationException)
+			thrown(IllegalArgumentException)
 	}
 
 	@EnableWebSecurity
 	static class RememberMeNoLogoutHandler extends WebSecurityConfigurerAdapter {
+		static RememberMeServices REMEMBER_ME
 
 		@Override
 		protected void configure(HttpSecurity http) throws Exception {
 			http
 					.rememberMe()
-					.rememberMeServices(Mock(RememberMeServices))
+					.rememberMeServices(REMEMBER_ME)
 		}
 	}
 }
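Review bot: The test added at `def "SEC-3170: LogoutConfigurer prevents null LogoutHandler"()` calls `new LogoutConfigurer().addLogoutHandler(null)`, while the commit message says the explicit null test is for RememberMeConfigurer; the description and the test target should agree, and a test that configures `rememberMe()` with a RememberMeServices that is not a LogoutHandler and asserts that no null handler reaches LogoutConfigurer would cover the RememberMeConfigurer change directly rather than only the pre-existing argument check. `RememberMeNoLogoutHandler.REMEMBER_ME` is assigned in `setup:` but never cleared, so the mock outlives the feature method; unless BaseSpringSpec (outside the hunk) resets it, a `cleanup:` block with `RememberMeNoLogoutHandler.REMEMBER_ME = null` would keep the specifications isolated. The `import ...LogoutConfigurerTests.RememberMeNoLogoutHandler;` added in the earlier hunk is redundant for a nested class referenced from its own outer class and carries a trailing semicolon the surrounding Groovy imports omit.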