
Updated integration tests to detect case reported as SPR-7563.

Luke Taylor 15 年之前
父节点
当前提交
8d867e8b67

+ 32 - 0
itest/web/src/main/webapp/WEB-INF/http-security-concurrency.xml

@@ -0,0 +1,32 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<beans:beans xmlns="http://www.springframework.org/schema/security"
+    xmlns:beans="http://www.springframework.org/schema/beans"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
+                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
+
+    <debug />
+
+    <!--
+       Http App Context to test form login, remember-me and concurrent session control.
+       Needs to be supplemented with authentication provider(s)
+    -->
+    <http pattern="/login.jsp" security="none" />
+
+    <http use-expressions="true">
+        <intercept-url pattern="/secure/**" access="hasAnyRole('ROLE_DEVELOPER','ROLE_USER')" />
+        <intercept-url pattern="/**" access="hasAnyRole('ROLE_DEVELOPER','ROLE_USER')" />
+
+        <form-login login-page="/login.jsp" authentication-failure-url="/login.jsp?login_error=true"/>
+        <http-basic/>
+
+        <!-- Default logout configuration -->
+        <logout logout-url="/logout"/>
+
+        <session-management>
+            <concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
+        </session-management>
+    </http>
+
+</beans:beans>
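Review bot: The two `intercept-url` rules on lines 31–32 grant exactly the same access, so the `/secure/**` entry is shadowed by the catch-all `/**` and exercises nothing; either drop it or give it a distinct expression so the test covers per-path authorisation. The header comment on line 25 says the context tests "form login, remember-me and concurrent session control", but no `<remember-me />` element is configured — trim the comment to `form login and concurrent session control` or add the element. `<debug />` turns on verbose filter-chain logging for this context, which is reasonable for a test-only file, but a short comment such as `<!-- filter-chain debug output; integration-test context only -->` would stop it being copied into a production configuration.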

+ 1 - 0
itest/web/src/main/webapp/WEB-INF/http-security-custom-concurrency.xml

@@ -12,6 +12,7 @@
         <intercept-url pattern="/**" access="ROLE_DEVELOPER,ROLE_USER" />
 
         <session-management session-authentication-strategy-ref="sas"/>
+        <logout />
 
         <custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter" />
         <custom-filter position="FORM_LOGIN_FILTER" ref="myAuthFilter" />
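Review bot: `<logout />` on line 54 relies on the default logout URL, which the new `logoutClearsSessionRegistryAndAllowsSecondLogin` test reaches as `/j_spring_security_logout`; writing it as `<logout logout-url="/j_spring_security_logout" />` keeps the configuration and the test visibly in step and mirrors the explicit `logout-url="/logout"` used in http-security-concurrency.xml. The enclosing `<http>` element starts before this hunk.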

+ 3 - 7
itest/web/src/main/webapp/login.jsp

@@ -1,5 +1,3 @@
-<!-- %@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" % -->
-
 <!-- Not used unless you declare a <form-login login-page="/login.jsp"/> element -->
 
 <html>
@@ -11,13 +9,11 @@
   <h1>Custom Spring Security Login</h1>
 
 <%
-	if (request.getParameter("login_error") != null) {
+  if (request.getParameter("login_error") != null) {
 %>
-      <font color="red">
-        Your login attempt was not successful, try again.<br/><br/>
-      </font>
+Your login attempt was not successful, try again. ${SPRING_SECURITY_LAST_EXCEPTION.message}<br/><br/>
 <%
-	}
+  }
 %>
 
 <form action="j_spring_security_check" method="POST">
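Review bot: Line 78 renders `${SPRING_SECURITY_LAST_EXCEPTION.message}` directly into the page, and JSP EL does no HTML escaping, so any exception message that ever carries request-derived text would be emitted as markup on the login page. The messages this commit's tests look for are fixed server-side strings, so the exposure here is low, but the idiom should still be `<c:out value="${SPRING_SECURITY_LAST_EXCEPTION.message}"/>`, which needs the JSTL core taglib declaration — the first hunk of this file deletes the commented-out version of exactly that line, so it would have to come back uncommented.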

+ 1 - 1
itest/web/src/test/java/org/springframework/security/integration/AbstractWebServerIntegrationTests.java

@@ -108,7 +108,7 @@ public abstract class AbstractWebServerIntegrationTests {
         return getAppContext().getBean(beanName);
     }
 
-    private WebApplicationContext getAppContext() {
+    protected final WebApplicationContext getAppContext() {
         ServletContext servletCtx = ((WebAppContext)server.getHandler()).getServletContext();
         WebApplicationContext appCtx =
                 WebApplicationContextUtils.getRequiredWebApplicationContext(servletCtx);
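Review bot: `getAppContext()` on line 94 is promoted from `private` to `protected final`, making it part of the API subclasses rely on (the new `CustomConcurrentSessionManagementTests` uses it to fetch a `SessionRegistry`), but it carries no Javadoc. Add a summary such as `/** Returns the root {@link WebApplicationContext} of the webapp deployed in the test server. */` so subclass authors know what they are getting. The method body continues past the end of this hunk.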

+ 44 - 0
itest/web/src/test/java/org/springframework/security/integration/ConcurrentSessionManagementTests.java

@@ -0,0 +1,44 @@
+package org.springframework.security.integration;
+
+import net.sourceforge.jwebunit.junit.WebTester;
+import org.testng.annotations.Test;
+
+/**
+ * @author Luke Taylor
+ */
+public class ConcurrentSessionManagementTests extends AbstractWebServerIntegrationTests {
+
+    protected String getContextConfigLocations() {
+        return "/WEB-INF/http-security-concurrency.xml /WEB-INF/in-memory-provider.xml";
+    }
+
+    @Test
+    public void maxConcurrentLoginsValueIsRespected() throws Exception {
+        System.out.println("Client: ******* First login ******* ");
+        beginAt("secure/index.html");
+        login("jimi", "jimispassword");
+        // Login again
+        System.out.println("Client: ******* Second login ******* ");
+        WebTester tester2 = new WebTester();
+        tester2.getTestContext().setBaseUrl(getBaseUrl());
+        tester2.beginAt("secure/index.html");
+        // seems to be a bug in checking for form here (it fails)
+        //tester2.assertFormPresent();
+        tester2.setTextField("j_username", "jimi");
+        tester2.setTextField("j_password", "jimispassword");
+        // tester2.submit() also fails to detect the form
+        tester2.getTestingEngine().submit();
+        tester2.assertTextPresent("Maximum sessions of 1 for this principal exceeded");
+
+        // Now logout to kill first session
+        tester.gotoPage("/logout");
+
+
+        // Try second session again
+        tester2.setTextField("j_username", "jimi");
+        tester2.setTextField("j_password", "jimispassword");
+        // tester2.submit() also fails to detect the form
+        tester2.getTestingEngine().submit();
+        tester2.assertTextPresent("A Secure Page");
+    }
+}
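Review bot: Lines 140–143 repeat lines 129–132 verbatim, including the comment about `submit()` failing to find the form, and the second-client setup on lines 124–126 is the same boilerplate the sibling test class also contains; pulling the client setup and the form submission into two private helpers leaves each login attempt as one call and keeps the workaround comment in a single place. `getContextConfigLocations()` on line 113 presumably overrides a base-class method and should carry `@Override` so a signature drift is caught at compile time. The `System.out.println` progress markers are noise in a test that otherwise speaks through assertions; drop them or route them through the test class's logger if one exists.

```java
    @Test
    public void maxConcurrentLoginsValueIsRespected() throws Exception {
        beginAt("secure/index.html");
        login("jimi", "jimispassword");

        WebTester tester2 = newClientAt("secure/index.html");
        submitLoginForm(tester2, "jimi", "jimispassword");
        tester2.assertTextPresent("Maximum sessions of 1 for this principal exceeded");

        // Logging out of the first session frees the single allowed slot
        tester.gotoPage("/logout");

        submitLoginForm(tester2, "jimi", "jimispassword");
        tester2.assertTextPresent("A Secure Page");
    }

    /** Creates an independent client against the running server and opens the given page. */
    private WebTester newClientAt(String page) {
        WebTester client = new WebTester();
        client.getTestContext().setBaseUrl(getBaseUrl());
        client.beginAt(page);
        return client;
    }

    /**
     * Fills in and submits the login form via the testing engine; WebTester.submit() and
     * assertFormPresent() do not detect the form on this page.
     */
    private static void submitLoginForm(WebTester client, String username, String password) {
        client.setTextField("j_username", username);
        client.setTextField("j_password", password);
        client.getTestingEngine().submit();
    }
```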

+ 20 - 0
itest/web/src/test/java/org/springframework/security/integration/CustomConcurrentSessionManagementTests.java

@@ -3,6 +3,7 @@ package org.springframework.security.integration;
 import net.sourceforge.jwebunit.junit.WebTester;
 
 import org.junit.Assert;
+import org.springframework.security.core.session.SessionRegistry;
 import org.testng.annotations.Test;
 
 /**
@@ -30,4 +31,23 @@ public class CustomConcurrentSessionManagementTests extends AbstractWebServerInt
         Assert.assertTrue(tester2.getServerResponse().contains("Maximum sessions of 1 for this principal exceeded"));
     }
 
+    @Test
+    public void logoutClearsSessionRegistryAndAllowsSecondLogin() throws Exception {
+        beginAt("secure/index.html");
+        login("bessie", "bessiespassword");
+        SessionRegistry reg = getAppContext().getBean(SessionRegistry.class);
+
+        tester.gotoPage("/j_spring_security_logout");
+
+        // Login again
+        System.out.println("Client: ******* Second login ******* ");
+        WebTester tester2 = new WebTester();
+        tester2.getTestContext().setBaseUrl(getBaseUrl());
+        tester2.beginAt("secure/index.html");
+        tester2.setTextField("j_username", "bessie");
+        tester2.setTextField("j_password", "bessiespassword");
+        tester2.setIgnoreFailingStatusCodes(true);
+        tester2.submit();
+        Assert.assertTrue(tester2.getServerResponse().contains("A secure page"));
+    }
 }
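Review bot: `reg` on line 167 is looked up from the application context but never read, so despite its name the test does not verify that logout clears the session registry — it only verifies that a second login succeeds afterwards. After `tester.gotoPage("/j_spring_security_logout")` add an assertion on the registry, e.g. `Assert.assertTrue(reg.getAllPrincipals().isEmpty());`, assuming no other test method in this class leaves a live session in the shared context (verify against the first test). Separately, line 180 checks for `"A secure page"` while `ConcurrentSessionManagementTests` asserts `"A Secure Page"`; `String.contains` is case-sensitive, so unless secure/index.html contains both spellings one of the two literals is wrong — worth checking against the page.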

+ 0 - 22
itest/web/src/test/java/org/springframework/security/integration/InMemoryProviderWebAppTests.java

@@ -72,26 +72,4 @@ public class InMemoryProviderWebAppTests extends AbstractWebServerIntegrationTes
         beginAt("secure/index.html");
         assertTextPresent("A Secure Page");
     }
-
-    @Test
-    public void maxConcurrentLoginsValueIsRespected() throws Exception {
-        System.out.println("Client: ******* First login ******* ");
-        beginAt("secure/index.html");
-        login("jimi", "jimispassword");
-        // Login again
-        System.out.println("Client: ******* Second login ******* ");
-        WebTester tester2 = new WebTester();
-        tester2.getTestContext().setBaseUrl(getBaseUrl());
-        tester2.beginAt("secure/index.html");
-        // seems to be a bug in checking for form here (it fails)
-        //tester2.assertFormPresent();
-        tester2.setTextField("j_username", "jimi");
-        tester2.setTextField("j_password", "jimispassword");
-        // tester2.submit() also fails to detect the form
-        tester2.getTestingEngine().submit();
-        // Try an use the original
-        System.out.println("Client: ******* Retry Original Session ******* ");
-        tester.gotoPage("secure/index.html");
-        tester.assertTextPresent("This session has been expired");
-    }
 }

+ 7 - 2
web/src/main/java/org/springframework/security/web/authentication/logout/SecurityContextLogoutHandler.java

@@ -16,6 +16,8 @@
 package org.springframework.security.web.authentication.logout;
 
 
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.util.Assert;
@@ -27,12 +29,14 @@ import javax.servlet.http.HttpSession;
 /**
  * Performs a logout by modifying the {@link org.springframework.security.core.context.SecurityContextHolder}.
  * <p>
- * Will also invalidate the {@link HttpSession} if {@link #isInvalidateHttpSession()} is <code>true</code> and the
- * session is not <code>null</code>.
+ * Will also invalidate the {@link HttpSession} if {@link #isInvalidateHttpSession()} is {@code true} and the
+ * session is not {@code null}.
  *
  * @author Ben Alex
  */
 public class SecurityContextLogoutHandler implements LogoutHandler {
+    protected final Log logger = LogFactory.getLog(this.getClass());
+
     private boolean invalidateHttpSession = true;
 
     //~ Methods ========================================================================================================
@@ -49,6 +53,7 @@ public class SecurityContextLogoutHandler implements LogoutHandler {
         if (invalidateHttpSession) {
             HttpSession session = request.getSession(false);
             if (session != null) {
+                logger.debug("Invalidating session: " + session.getId());
                 session.invalidate();
             }
         }
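Review bot: The debug statement added on line 248 writes the HTTP session identifier to the log; while the session is alive that ID is a bearer credential, so even at debug level it should be guarded and the log treated as sensitive. Wrap it in the `isDebugEnabled()` guard conventional with commons-logging: `if (logger.isDebugEnabled()) { logger.debug("Invalidating session: " + session.getId()); }`, which also avoids building the string when debug is off. Emitting it immediately before `session.invalidate()` narrows the window, but rotated log files keep the value indefinitely, so a comment noting that session IDs appear in debug output would help operators decide where that logger may be enabled. The enclosing method (presumably `logout`) starts before this hunk.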