Inicio Explorar Axuda
Rexistro Iniciar sesión
github
/
spring-security
réplica de https://github.com/spring-projects/spring-security
2
0
Fork 0
Ficheiros Incidencias 0 Wiki
Explorar o código

Updated integration tests to detect case reported as SPR-7563.

Luke Taylor %!s(int64=15) %!d(string=hai) anos
pai
265cdaf2a6
achega
8d867e8b67
Modificáronse 8 ficheiros con 108 adicións e 32 borrados
Unificar vista Mostrar estatísticas de Diff
  1. 32 0
      itest/web/src/main/webapp/WEB-INF/http-security-concurrency.xml
  2. 1 0
      itest/web/src/main/webapp/WEB-INF/http-security-custom-concurrency.xml
  3. 3 7
      itest/web/src/main/webapp/login.jsp
  4. 1 1
      itest/web/src/test/java/org/springframework/security/integration/AbstractWebServerIntegrationTests.java
  5. 44 0
      itest/web/src/test/java/org/springframework/security/integration/ConcurrentSessionManagementTests.java
  6. 20 0
      itest/web/src/test/java/org/springframework/security/integration/CustomConcurrentSessionManagementTests.java
  7. 0 22
      itest/web/src/test/java/org/springframework/security/integration/InMemoryProviderWebAppTests.java
  8. 7 2
      web/src/main/java/org/springframework/security/web/authentication/logout/SecurityContextLogoutHandler.java

+ 32 - 0
itest/web/src/main/webapp/WEB-INF/http-security-concurrency.xml
Ver ficheiro 

@@ -0,0 +1,32 @@
 
+<?xml version="1.0" encoding="UTF-8"?>
 
+
 
+<beans:beans xmlns="http://www.springframework.org/schema/security"
 
+    xmlns:beans="http://www.springframework.org/schema/beans"
 
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 
+    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
 
+                        http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd">
 
+
 
+    <debug />
 
+
 
+    <!--
 
+       Http App Context to test form login, remember-me and concurrent session control.
 
+       Needs to be supplemented with authentication provider(s)
 
+    -->
 
+    <http pattern="/login.jsp" security="none" />
 
+
 
+    <http use-expressions="true">
 
+        <intercept-url pattern="/secure/**" access="hasAnyRole('ROLE_DEVELOPER','ROLE_USER')" />
 
+        <intercept-url pattern="/**" access="hasAnyRole('ROLE_DEVELOPER','ROLE_USER')" />
 
+
 
+        <form-login login-page="/login.jsp" authentication-failure-url="/login.jsp?login_error=true"/>
 
+        <http-basic/>
 
+
 
+        <!-- Default logout configuration -->
 
+        <logout logout-url="/logout"/>
 
+
 
+        <session-management>
 
+            <concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
 
+        </session-management>
 
+    </http>
 
+
 
+</beans:beans>

+ 1 - 0
itest/web/src/main/webapp/WEB-INF/http-security-custom-concurrency.xml
Ver ficheiro 

@@ -12,6 +12,7 @@
 
         <intercept-url pattern="/**" access="ROLE_DEVELOPER,ROLE_USER" />
 
         <intercept-url pattern="/**" access="ROLE_DEVELOPER,ROLE_USER" />
 
 
 
         <session-management session-authentication-strategy-ref="sas"/>
 
         <session-management session-authentication-strategy-ref="sas"/>
 
+        <logout />
 
 
 
         <custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter" />
 
         <custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter" />
 
         <custom-filter position="FORM_LOGIN_FILTER" ref="myAuthFilter" />
 
         <custom-filter position="FORM_LOGIN_FILTER" ref="myAuthFilter" />

+ 3 - 7
itest/web/src/main/webapp/login.jsp
Ver ficheiro 

@@ -1,5 +1,3 @@
 
-<!-- %@ taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" % -->
 
-
 
 <!-- Not used unless you declare a <form-login login-page="/login.jsp"/> element -->
 
 <!-- Not used unless you declare a <form-login login-page="/login.jsp"/> element -->
 
 
 
 <html>
 
 <html>
 
@@ -11,13 +9,11 @@
 
   <h1>Custom Spring Security Login</h1>
 
   <h1>Custom Spring Security Login</h1>
 
 
 
 <%
 
 <%
 
-	if (request.getParameter("login_error") != null) {
 
+  if (request.getParameter("login_error") != null) {
 
 %>
 
 %>
 
-      <font color="red">
 
-        Your login attempt was not successful, try again.<br/><br/>
 
-      </font>
 
+Your login attempt was not successful, try again. ${SPRING_SECURITY_LAST_EXCEPTION.message}<br/><br/>
 
 <%
 
 <%
 
-	}
 
+  }
 
 %>
 
 %>
 
 
 
 <form action="j_spring_security_check" method="POST">
 
 <form action="j_spring_security_check" method="POST">

+ 1 - 1
itest/web/src/test/java/org/springframework/security/integration/AbstractWebServerIntegrationTests.java
Ver ficheiro 

@@ -108,7 +108,7 @@ public abstract class AbstractWebServerIntegrationTests {
 
         return getAppContext().getBean(beanName);
 
         return getAppContext().getBean(beanName);
 
     }
 
     }
 
 
 
-    private WebApplicationContext getAppContext() {
 
+    protected final WebApplicationContext getAppContext() {
 
         ServletContext servletCtx = ((WebAppContext)server.getHandler()).getServletContext();
 
         ServletContext servletCtx = ((WebAppContext)server.getHandler()).getServletContext();
 
         WebApplicationContext appCtx =
 
         WebApplicationContext appCtx =
 
                 WebApplicationContextUtils.getRequiredWebApplicationContext(servletCtx);
 
                 WebApplicationContextUtils.getRequiredWebApplicationContext(servletCtx);

+ 44 - 0
itest/web/src/test/java/org/springframework/security/integration/ConcurrentSessionManagementTests.java
Ver ficheiro 

@@ -0,0 +1,44 @@
 
+package org.springframework.security.integration;
 
+
 
+import net.sourceforge.jwebunit.junit.WebTester;
 
+import org.testng.annotations.Test;
 
+
 
+/**
 
+ * @author Luke Taylor
 
+ */
 
+public class ConcurrentSessionManagementTests extends AbstractWebServerIntegrationTests {
 
+
 
+    protected String getContextConfigLocations() {
 
+        return "/WEB-INF/http-security-concurrency.xml /WEB-INF/in-memory-provider.xml";
 
+    }
 
+
 
+    @Test
 
+    public void maxConcurrentLoginsValueIsRespected() throws Exception {
 
+        System.out.println("Client: ******* First login ******* ");
 
+        beginAt("secure/index.html");
 
+        login("jimi", "jimispassword");
 
+        // Login again
 
+        System.out.println("Client: ******* Second login ******* ");
 
+        WebTester tester2 = new WebTester();
 
+        tester2.getTestContext().setBaseUrl(getBaseUrl());
 
+        tester2.beginAt("secure/index.html");
 
+        // seems to be a bug in checking for form here (it fails)
 
+        //tester2.assertFormPresent();
 
+        tester2.setTextField("j_username", "jimi");
 
+        tester2.setTextField("j_password", "jimispassword");
 
+        // tester2.submit() also fails to detect the form
 
+        tester2.getTestingEngine().submit();
 
+        tester2.assertTextPresent("Maximum sessions of 1 for this principal exceeded");
 
+
 
+        // Now logout to kill first session
 
+        tester.gotoPage("/logout");
 
+
 
+
 
+        // Try second session again
 
+        tester2.setTextField("j_username", "jimi");
 
+        tester2.setTextField("j_password", "jimispassword");
 
+        // tester2.submit() also fails to detect the form
 
+        tester2.getTestingEngine().submit();
 
+        tester2.assertTextPresent("A Secure Page");
 
+    }
 
+}

+ 20 - 0
itest/web/src/test/java/org/springframework/security/integration/CustomConcurrentSessionManagementTests.java
Ver ficheiro 

@@ -3,6 +3,7 @@ package org.springframework.security.integration;
 
 import net.sourceforge.jwebunit.junit.WebTester;
 
 import net.sourceforge.jwebunit.junit.WebTester;
 
 
 
 import org.junit.Assert;
 
 import org.junit.Assert;
 
+import org.springframework.security.core.session.SessionRegistry;
 
 import org.testng.annotations.Test;
 
 import org.testng.annotations.Test;
 
 
 
 /**
 
 /**
 
@@ -30,4 +31,23 @@ public class CustomConcurrentSessionManagementTests extends AbstractWebServerInt
 
         Assert.assertTrue(tester2.getServerResponse().contains("Maximum sessions of 1 for this principal exceeded"));
 
         Assert.assertTrue(tester2.getServerResponse().contains("Maximum sessions of 1 for this principal exceeded"));
 
     }
 
     }
 
 
 
+    @Test
 
+    public void logoutClearsSessionRegistryAndAllowsSecondLogin() throws Exception {
 
+        beginAt("secure/index.html");
 
+        login("bessie", "bessiespassword");
 
+        SessionRegistry reg = getAppContext().getBean(SessionRegistry.class);
 
+
 
+        tester.gotoPage("/j_spring_security_logout");
 
+
 
+        // Login again
 
+        System.out.println("Client: ******* Second login ******* ");
 
+        WebTester tester2 = new WebTester();
 
+        tester2.getTestContext().setBaseUrl(getBaseUrl());
 
+        tester2.beginAt("secure/index.html");
 
+        tester2.setTextField("j_username", "bessie");
 
+        tester2.setTextField("j_password", "bessiespassword");
 
+        tester2.setIgnoreFailingStatusCodes(true);
 
+        tester2.submit();
 
+        Assert.assertTrue(tester2.getServerResponse().contains("A secure page"));
 
+    }
 
 }
 
 }

+ 0 - 22
itest/web/src/test/java/org/springframework/security/integration/InMemoryProviderWebAppTests.java
Ver ficheiro 

@@ -72,26 +72,4 @@ public class InMemoryProviderWebAppTests extends AbstractWebServerIntegrationTes
 
         beginAt("secure/index.html");
 
         beginAt("secure/index.html");
 
         assertTextPresent("A Secure Page");
 
         assertTextPresent("A Secure Page");
 
     }
 
     }
 
-
 
-    @Test
 
-    public void maxConcurrentLoginsValueIsRespected() throws Exception {
 
-        System.out.println("Client: ******* First login ******* ");
 
-        beginAt("secure/index.html");
 
-        login("jimi", "jimispassword");
 
-        // Login again
 
-        System.out.println("Client: ******* Second login ******* ");
 
-        WebTester tester2 = new WebTester();
 
-        tester2.getTestContext().setBaseUrl(getBaseUrl());
 
-        tester2.beginAt("secure/index.html");
 
-        // seems to be a bug in checking for form here (it fails)
 
-        //tester2.assertFormPresent();
 
-        tester2.setTextField("j_username", "jimi");
 
-        tester2.setTextField("j_password", "jimispassword");
 
-        // tester2.submit() also fails to detect the form
 
-        tester2.getTestingEngine().submit();
 
-        // Try an use the original
 
-        System.out.println("Client: ******* Retry Original Session ******* ");
 
-        tester.gotoPage("secure/index.html");
 
-        tester.assertTextPresent("This session has been expired");
 
-    }
 
 }
 
 }

+ 7 - 2
web/src/main/java/org/springframework/security/web/authentication/logout/SecurityContextLogoutHandler.java
Ver ficheiro 

@@ -16,6 +16,8 @@
 
 package org.springframework.security.web.authentication.logout;
 
 package org.springframework.security.web.authentication.logout;
 
 
 
 
 
+import org.apache.commons.logging.Log;
 
+import org.apache.commons.logging.LogFactory;
 
 import org.springframework.security.core.Authentication;
 
 import org.springframework.security.core.Authentication;
 
 import org.springframework.security.core.context.SecurityContextHolder;
 
 import org.springframework.security.core.context.SecurityContextHolder;
 
 import org.springframework.util.Assert;
 
 import org.springframework.util.Assert;
 
@@ -27,12 +29,14 @@ import javax.servlet.http.HttpSession;
 
 /**
 
 /**
 
  * Performs a logout by modifying the {@link org.springframework.security.core.context.SecurityContextHolder}.
 
  * Performs a logout by modifying the {@link org.springframework.security.core.context.SecurityContextHolder}.
 
  * <p>
 
  * <p>
 
- * Will also invalidate the {@link HttpSession} if {@link #isInvalidateHttpSession()} is <code>true</code> and the
 
- * session is not <code>null</code>.
 
+ * Will also invalidate the {@link HttpSession} if {@link #isInvalidateHttpSession()} is {@code true} and the
 
+ * session is not {@code null}.
 
  *
 
  *
 
  * @author Ben Alex
 
  * @author Ben Alex
 
  */
 
  */
 
 public class SecurityContextLogoutHandler implements LogoutHandler {
 
 public class SecurityContextLogoutHandler implements LogoutHandler {
 
+    protected final Log logger = LogFactory.getLog(this.getClass());
 
+
 
     private boolean invalidateHttpSession = true;
 
     private boolean invalidateHttpSession = true;
 
 
 
     //~ Methods ========================================================================================================
 
     //~ Methods ========================================================================================================
 
@@ -49,6 +53,7 @@ public class SecurityContextLogoutHandler implements LogoutHandler {
 
         if (invalidateHttpSession) {
 
         if (invalidateHttpSession) {
 
             HttpSession session = request.getSession(false);
 
             HttpSession session = request.getSession(false);
 
             if (session != null) {
 
             if (session != null) {
 
+                logger.debug("Invalidating session: " + session.getId());
 
                 session.invalidate();
 
                 session.invalidate();
 
             }
 
             }
 
         }
 
         }