
Add Java Configuration InvalidSessionStrategy (#3827)

Allow configuring the InvalidSessionStrategy in Java Configuration.

Fixes gh-3371
Rob Winch 9 vuotta sitten
vanhempi
commit
51995dc187

+ 22 - 7
config/src/main/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurer.java

@@ -126,6 +126,19 @@ public final class SessionManagementConfigurer<H extends HttpSecurityBuilder<H>>
 		return this;
 	}
 
+	/**
+	 * Setting this attribute will inject the provided invalidSessionStrategy into the
+	 * {@link SessionManagementFilter}. When an invalid session ID is submitted, the
+	 * strategy will be invoked, redirecting to the configured URL.
+	 * @param invalidSessionStrategy the strategy to use when an invalid session ID is submitted.
+	 * @return the {@link SessionManagementConfigurer} for further customization
+	 */
+	public SessionManagementConfigurer<H> invalidSessionStrategy(InvalidSessionStrategy invalidSessionStrategy) {
+		Assert.notNull(invalidSessionStrategy, "invalidSessionStrategy");
+		this.invalidSessionStrategy = invalidSessionStrategy;
+		return this;
+	}
+
 	/**
 	 * Defines the URL of the error page which should be shown when the
 	 * SessionAuthenticationStrategy raises an exception. If not set, an unauthorized
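Review bot: The Javadoc on the new `invalidSessionStrategy(...)` setter says the strategy will be invoked "redirecting to the configured URL", which holds only for the URL-based default and not for an arbitrary caller-supplied strategy. I would reword it to `When an invalid session ID is submitted, the provided strategy is invoked to handle the request.` The Javadoc should also say that an explicit strategy takes precedence over `invalidSessionUrl`, which is how `getInvalidSessionStrategy()` behaves later in this commit. The assertion message is just the parameter name; `Assert.notNull(invalidSessionStrategy, "invalidSessionStrategy cannot be null");` gives a more useful failure at configuration time.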
@@ -401,9 +414,10 @@ public final class SessionManagementConfigurer<H extends HttpSecurityBuilder<H>>
 					.setAuthenticationFailureHandler(new SimpleUrlAuthenticationFailureHandler(
 							sessionAuthenticationErrorUrl));
 		}
-		if (invalidSessionUrl != null) {
+		InvalidSessionStrategy strategy = getInvalidSessionStrategy();
+		if (strategy != null) {
 			sessionManagementFilter
-					.setInvalidSessionStrategy(getInvalidSessionStrategy());
+					.setInvalidSessionStrategy(strategy);
 		}
 		AuthenticationTrustResolver trustResolver = http
 				.getSharedObject(AuthenticationTrustResolver.class);
@@ -422,16 +436,17 @@ public final class SessionManagementConfigurer<H extends HttpSecurityBuilder<H>>
 	}
 
 	/**
-	 * Gets the {@link InvalidSessionStrategy} to use. If {@link #invalidSessionUrl} is
-	 * null, returns null otherwise {@link SimpleRedirectInvalidSessionStrategy} is used.
+	 * Gets the {@link InvalidSessionStrategy} to use. If null and
+	 * {@link #invalidSessionUrl} is not null defaults to
+	 * {@link SimpleRedirectInvalidSessionStrategy}.
 	 *
 	 * @return the {@link InvalidSessionStrategy} to use
 	 */
 	InvalidSessionStrategy getInvalidSessionStrategy() {
-		if (invalidSessionUrl == null) {
-			return null;
+		if(invalidSessionStrategy != null) {
+			return invalidSessionStrategy;
 		}
-		if (invalidSessionStrategy == null) {
+		if (invalidSessionUrl != null) {
 			invalidSessionStrategy = new SimpleRedirectInvalidSessionStrategy(
 					invalidSessionUrl);
 		}
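Review bot: `getInvalidSessionStrategy()` now returns an explicitly set strategy before looking at `invalidSessionUrl`, so a configuration that sets both has its URL silently ignored. The reworded Javadoc ("If null and ...") says neither what is null nor which setting wins. Because this decides how requests carrying an invalid session ID are handled, the precedence should be spelled out, e.g. `If no strategy was set explicitly and {@link #invalidSessionUrl} is not null, defaults to {@link SimpleRedirectInvalidSessionStrategy}; an explicitly set strategy always takes precedence.` The getter also caches the URL-derived default in the same field that holds the user-supplied strategy, so the two cannot be told apart afterwards; a local variable for the default would keep them separate. Minor style: `if(invalidSessionStrategy != null)` lacks the space after `if` that the rest of the method uses. The method's return statement is outside the hunk.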

+ 23 - 0
config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/NamespaceSessionManagementTests.groovy

@@ -32,6 +32,7 @@ import org.springframework.security.web.authentication.session.SessionFixationPr
 import org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy
 import org.springframework.security.web.session.ConcurrentSessionFilter
 import org.springframework.security.web.session.SessionManagementFilter
+import org.springframework.security.web.session.InvalidSessionStrategy
 
 /**
  *
@@ -85,6 +86,28 @@ class NamespaceSessionManagementTests extends BaseSpringSpec {
 		}
 	}
 
+	// gh-3371
+	def "http/session-management custom invalidationstrategy"() {
+		setup:
+			InvalidSessionStrategyConfig.ISS = Mock(InvalidSessionStrategy)
+		when:
+			loadConfig(InvalidSessionStrategyConfig)
+		then:
+			findFilter(SessionManagementFilter).invalidSessionStrategy == InvalidSessionStrategyConfig.ISS
+	}
+
+	@EnableWebSecurity
+	static class InvalidSessionStrategyConfig extends WebSecurityConfigurerAdapter {
+		static InvalidSessionStrategy ISS
+
+		@Override
+		protected void configure(HttpSecurity http) throws Exception {
+			http
+				.sessionManagement()
+					.invalidSessionStrategy(ISS)
+		}
+	}
+
 	def "http/session-management refs"() {
 		setup:
 			RefsSessionManagementConfig.SAS = Mock(SessionAuthenticationStrategy)
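Review bot: The new spec covers only the case where a custom strategy is set on its own, so the precedence introduced in `getInvalidSessionStrategy()` is untested. A second case configuring both, e.g. `.invalidSessionUrl("/invalid").invalidSessionStrategy(ISS)`, and asserting that the filter's `invalidSessionStrategy` is still `InvalidSessionStrategyConfig.ISS` would pin that behaviour against regressions. A case passing `null` and expecting an `IllegalArgumentException` would likewise cover the `Assert.notNull` guard. The spec name "custom invalidationstrategy" would also be easier to search for as "custom invalid-session-strategy", matching the API name.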