
SEC-2239: Remove duplicate SessionCreationPolicy

Rob Winch 12 years ago
parent
commit
a1bf28a697

+ 2 - 1
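--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/SecurityContextConfigurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/SecurityContextConfigurer.java
@@ -17,6 +17,7 @@ package org.springframework.security.config.annotation.web.configurers;
 
 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.core.context.SecurityContext;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.web.context.SecurityContextPersistenceFilter;
@@ -86,7 +87,7 @@ public final class SecurityContextConfigurer<H extends HttpSecurityBuilder<H>> e
         SessionManagementConfigurer<?> sessionManagement = http.getConfigurer(SessionManagementConfigurer.class);
         SessionCreationPolicy sessionCreationPolicy = sessionManagement == null ? null
                 : sessionManagement.getSessionCreationPolicy();
-        if (SessionCreationPolicy.always == sessionCreationPolicy) {
+        if (SessionCreationPolicy.ALWAYS == sessionCreationPolicy) {
             securityContextFilter.setForceEagerSessionCreation(true);
         }
         securityContextFilter = postProcess(securityContextFilter);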

+ 0 - 39
config/src/main/java/org/springframework/security/config/annotation/web/configurers/SessionCreationPolicy.java

@@ -1,39 +0,0 @@
-/*
- * Copyright 2002-2013 the original author or authors.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-package org.springframework.security.config.annotation.web.configurers;
-
-import javax.servlet.http.HttpSession;
-
-import org.springframework.security.core.context.SecurityContext;
-
-/**
- * Specifies the various session creation policies for Spring Security.
- *
- * FIXME this should be removed once {@link org.springframework.security.config.http.SessionCreationPolicy} is made public.
- *
- * @author Rob Winch
- * @since 3.2
- */
-public enum SessionCreationPolicy {
-    /** Always create an {@link HttpSession} */
-    always,
-    /** Spring Security will never create an {@link HttpSession}, but will use the {@link HttpSession} if it already exists */
-    never,
-    /** Spring Security will only create an {@link HttpSession} if required */
-    ifRequired,
-    /** Spring Security will never create an {@link HttpSession} and it will never use it to obtain the {@link SecurityContext} */
-    stateless
-}

+ 4 - 3
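--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurer.java
@@ -19,6 +19,7 @@ import javax.servlet.http.HttpServletResponse;
 
 import org.springframework.security.config.annotation.web.HttpSecurityBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.core.session.SessionRegistry;
 import org.springframework.security.core.session.SessionRegistryImpl;
 import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
@@ -74,7 +75,7 @@ public final class SessionManagementConfigurer<H extends HttpSecurityBuilder<H>>
     private Integer maximumSessions;
     private String expiredUrl;
     private boolean maxSessionsPreventsLogin;
-    private SessionCreationPolicy sessionPolicy = SessionCreationPolicy.ifRequired;
+    private SessionCreationPolicy sessionPolicy = SessionCreationPolicy.IF_REQUIRED;
     private boolean enableSessionUrlRewriting;
     private String invalidSessionUrl;
     private String sessionAuthenticationErrorUrl;
@@ -289,7 +290,7 @@ public final class SessionManagementConfigurer<H extends HttpSecurityBuilder<H>>
      * @return true if the {@link SessionCreationPolicy} allows session creation
      */
     private boolean isAllowSessionCreation() {
-        return SessionCreationPolicy.always == sessionPolicy || SessionCreationPolicy.ifRequired == sessionPolicy;
+        return SessionCreationPolicy.ALWAYS == sessionPolicy || SessionCreationPolicy.IF_REQUIRED == sessionPolicy;
     }
 
     /**
@@ -297,7 +298,7 @@ public final class SessionManagementConfigurer<H extends HttpSecurityBuilder<H>>
      * @return
      */
     private boolean isStateless() {
-        return SessionCreationPolicy.stateless == sessionPolicy;
+        return SessionCreationPolicy.STATELESS == sessionPolicy;
     }
 
     /**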

+ 2 - 2
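--- a/config/src/main/java/org/springframework/security/config/http/AuthenticationConfigBuilder.java
+++ b/config/src/main/java/org/springframework/security/config/http/AuthenticationConfigBuilder.java
@@ -132,8 +132,8 @@ final class AuthenticationConfigBuilder {
         this.pc = pc;
         this.requestCache = requestCache;
         autoConfig = "true".equals(element.getAttribute(ATT_AUTO_CONFIG));
-        this.allowSessionCreation = sessionPolicy != SessionCreationPolicy.never
-                && sessionPolicy != SessionCreationPolicy.stateless;
+        this.allowSessionCreation = sessionPolicy != SessionCreationPolicy.NEVER
+                && sessionPolicy != SessionCreationPolicy.STATELESS;
         this.portMapper = portMapper;
         this.portResolver = portResolver;
 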

+ 26 - 12
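--- a/config/src/main/java/org/springframework/security/config/http/HttpConfigurationBuilder.java
+++ b/config/src/main/java/org/springframework/security/config/http/HttpConfigurationBuilder.java
@@ -139,9 +139,9 @@ class HttpConfigurationBuilder {
         String createSession = element.getAttribute(ATT_CREATE_SESSION);
 
         if (StringUtils.hasText(createSession)) {
-            sessionPolicy = SessionCreationPolicy.valueOf(createSession);
+            sessionPolicy = createPolicy(createSession);
         } else {
-            sessionPolicy = SessionCreationPolicy.ifRequired;
+            sessionPolicy = SessionCreationPolicy.IF_REQUIRED;
         }
 
         createSecurityContextPersistenceFilter();
@@ -155,6 +155,20 @@ class HttpConfigurationBuilder {
         createAddHeadersFilter();
     }
 
+    private SessionCreationPolicy createPolicy(String createSession) {
+        if("ifRequired".equals(createSession)) {
+            return SessionCreationPolicy.IF_REQUIRED;
+        } else if("always".equals(createSession)) {
+            return SessionCreationPolicy.ALWAYS;
+        } else if("never".equals(createSession)) {
+            return SessionCreationPolicy.NEVER;
+        } else if("stateless".equals(createSession)) {
+            return SessionCreationPolicy.STATELESS;
+        }
+
+        throw new IllegalStateException("Cannot convert " + createSession + " to " + SessionCreationPolicy.class.getName());
+    }
+
     @SuppressWarnings("rawtypes")
     void setLogoutHandlers(ManagedList logoutHandlers) {
         if(logoutHandlers != null) {
@@ -185,21 +199,21 @@ class HttpConfigurationBuilder {
         String disableUrlRewriting = httpElt.getAttribute(ATT_DISABLE_URL_REWRITING);
 
         if (StringUtils.hasText(repoRef)) {
-            if (sessionPolicy == SessionCreationPolicy.always) {
+            if (sessionPolicy == SessionCreationPolicy.ALWAYS) {
                 scpf.addPropertyValue("forceEagerSessionCreation", Boolean.TRUE);
             }
         } else {
             BeanDefinitionBuilder contextRepo;
-            if (sessionPolicy == SessionCreationPolicy.stateless) {
+            if (sessionPolicy == SessionCreationPolicy.STATELESS) {
                 contextRepo = BeanDefinitionBuilder.rootBeanDefinition(NullSecurityContextRepository.class);
             } else {
                 contextRepo = BeanDefinitionBuilder.rootBeanDefinition(HttpSessionSecurityContextRepository.class);
                 switch (sessionPolicy) {
-                    case always:
+                    case ALWAYS:
                         contextRepo.addPropertyValue("allowSessionCreation", Boolean.TRUE);
                         scpf.addPropertyValue("forceEagerSessionCreation", Boolean.TRUE);
                         break;
-                    case never:
+                    case NEVER:
                         contextRepo.addPropertyValue("allowSessionCreation", Boolean.FALSE);
                         scpf.addPropertyValue("forceEagerSessionCreation", Boolean.FALSE);
                         break;
@@ -234,9 +248,9 @@ class HttpConfigurationBuilder {
         String errorUrl = null;
 
         if (sessionMgmtElt != null) {
-            if (sessionPolicy == SessionCreationPolicy.stateless) {
+            if (sessionPolicy == SessionCreationPolicy.STATELESS) {
                 pc.getReaderContext().error(Elements.SESSION_MANAGEMENT + "  cannot be used" +
-                        " in combination with " + ATT_CREATE_SESSION + "='"+ SessionCreationPolicy.stateless +"'",
+                        " in combination with " + ATT_CREATE_SESSION + "='"+ SessionCreationPolicy.STATELESS +"'",
                         pc.extractSource(sessionMgmtElt));
             }
             sessionFixationAttribute = sessionMgmtElt.getAttribute(ATT_SESSION_FIXATION_PROTECTION);
@@ -261,7 +275,7 @@ class HttpConfigurationBuilder {
                     " in combination with " + ATT_SESSION_AUTH_STRATEGY_REF, pc.extractSource(sessionMgmtElt));
         }
 
-        if (sessionPolicy == SessionCreationPolicy.stateless) {
+        if (sessionPolicy == SessionCreationPolicy.STATELESS) {
             // SEC-1424: do nothing
             return;
         }
@@ -482,11 +496,11 @@ class HttpConfigurationBuilder {
         } else {
             BeanDefinitionBuilder requestCacheBldr;
 
-            if (sessionPolicy == SessionCreationPolicy.stateless) {
+            if (sessionPolicy == SessionCreationPolicy.STATELESS) {
                 requestCacheBldr = BeanDefinitionBuilder.rootBeanDefinition(NullRequestCache.class);
             } else {
                 requestCacheBldr = BeanDefinitionBuilder.rootBeanDefinition(HttpSessionRequestCache.class);
-                requestCacheBldr.addPropertyValue("createSessionAllowed", sessionPolicy == SessionCreationPolicy.ifRequired);
+                requestCacheBldr.addPropertyValue("createSessionAllowed", sessionPolicy == SessionCreationPolicy.IF_REQUIRED);
                 requestCacheBldr.addPropertyValue("portResolver", portResolver);
             }
 
@@ -607,7 +621,7 @@ class HttpConfigurationBuilder {
 
         filters.add(new OrderDecorator(fsi, FILTER_SECURITY_INTERCEPTOR));
 
-        if (sessionPolicy != SessionCreationPolicy.stateless) {
+        if (sessionPolicy != SessionCreationPolicy.STATELESS) {
             filters.add(new OrderDecorator(requestCacheAwareFilter, REQUEST_CACHE_FILTER));
         }
 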
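Review bot: The session-management error message in the `@@ -234,9 +248,9 @@` hunk now concatenates `SessionCreationPolicy.STATELESS`, so it prints the attribute value as `'STATELESS'`, while the new `createPolicy` accepts only the exact literal `stateless` and throws on anything else. Someone who copies the value from that message into their XML would hit the `IllegalStateException`; the message should use the attribute literal, e.g. `" in combination with " + ATT_CREATE_SESSION + "='stateless'",`. `createPolicy` would also benefit from a short comment saying that the XML values (`ifRequired`, `always`, `never`, `stateless`) are unchanged by the constant rename, are matched case-sensitively, and that an unrecognised value fails instead of falling back to a policy that creates sessions. Its throw carries no source location, unlike the `pc.getReaderContext().error(..., pc.extractSource(...))` calls visible elsewhere in this file; whether the schema already excludes other values cannot be seen from here. The methods around these hunks start and end outside the visible lines.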

+ 14 - 5
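--- a/config/src/main/java/org/springframework/security/config/http/SessionCreationPolicy.java
+++ b/config/src/main/java/org/springframework/security/config/http/SessionCreationPolicy.java
@@ -1,13 +1,22 @@
 package org.springframework.security.config.http;
 
+import javax.servlet.http.HttpSession;
+
+import org.springframework.security.core.context.SecurityContext;
+
 /**
+ * Specifies the various session creation policies for Spring Security.
  *
  * @author Luke Taylor
  * @since 3.1
  */
-enum SessionCreationPolicy {
-    always,
-    never,
-    ifRequired,
-    stateless
+public enum SessionCreationPolicy {
+    /** Always create an {@link HttpSession} */
+    ALWAYS,
+    /** Spring Security will never create an {@link HttpSession}, but will use the {@link HttpSession} if it already exists */
+    NEVER,
+    /** Spring Security will only create an {@link HttpSession} if required */
+    IF_REQUIRED,
+    /** Spring Security will never create an {@link HttpSession} and it will never use it to obtain the {@link SecurityContext} */
+    STATELESS
 }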
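Review bot: `SessionCreationPolicy.java` starts at line 1 with the `package` declaration, so the type that becomes public API here has no Apache license header, whereas the duplicate deleted in this commit carried one; the project's standard header should be added above the package line. The class Javadoc also keeps `@since 3.1` although the enum was package-private with lower-case constants until this change, so the generated docs will suggest `ALWAYS`, `NEVER`, `IF_REQUIRED` and `STATELESS` were available in 3.1. A sentence in the class comment such as `Public, with upper-case constant names, as of 3.2.` would make that clear.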

+ 5 - 5
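--- a/config/src/test/groovy/org/springframework/security/config/annotation/web/builders/NamespaceHttpTests.groovy
+++ b/config/src/test/groovy/org/springframework/security/config/annotation/web/builders/NamespaceHttpTests.groovy
@@ -29,8 +29,8 @@ import org.springframework.security.config.annotation.web.builders.NamespaceHttp
 import org.springframework.security.config.annotation.web.builders.NamespaceHttpTests.RequestMatcherRefConfig.MyRequestMatcher
 import org.springframework.security.config.annotation.web.configuration.BaseWebConfig
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity
-import org.springframework.security.config.annotation.web.configurers.SessionCreationPolicy
 import org.springframework.security.config.annotation.web.configurers.UrlAuthorizationConfigurer
+import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.core.Authentication
 import org.springframework.security.core.AuthenticationException
 import org.springframework.security.web.FilterInvocation
@@ -147,7 +147,7 @@ public class NamespaceHttpTests extends BaseSpringSpec {
         protected void configure(HttpSecurity http) throws Exception {
             http
                 .sessionManagement()
-                    .sessionCreationPolicy(SessionCreationPolicy.always);
+                    .sessionCreationPolicy(SessionCreationPolicy.ALWAYS);
         }
     }
 
@@ -167,7 +167,7 @@ public class NamespaceHttpTests extends BaseSpringSpec {
         protected void configure(HttpSecurity http) throws Exception {
             http
                 .sessionManagement()
-                    .sessionCreationPolicy(SessionCreationPolicy.stateless);
+                    .sessionCreationPolicy(SessionCreationPolicy.STATELESS);
         }
     }
 
@@ -185,7 +185,7 @@ public class NamespaceHttpTests extends BaseSpringSpec {
         protected void configure(HttpSecurity http) throws Exception {
             http
                 .sessionManagement()
-                    .sessionCreationPolicy(SessionCreationPolicy.ifRequired);
+                    .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED);
         }
     }
 
@@ -212,7 +212,7 @@ public class NamespaceHttpTests extends BaseSpringSpec {
         protected void configure(HttpSecurity http) throws Exception {
             http
                 .sessionManagement()
-                    .sessionCreationPolicy(SessionCreationPolicy.never);
+                    .sessionCreationPolicy(SessionCreationPolicy.NEVER);
         }
     }
 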

+ 0 - 1
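--- a/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/PortMapperConfigurerTests.groovy
+++ b/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/PortMapperConfigurerTests.groovy
@@ -22,7 +22,6 @@ import org.springframework.security.config.annotation.authentication.builders.Au
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
-import org.springframework.security.config.annotation.web.configurers.SessionCreationPolicy;
 import org.springframework.security.web.access.ExceptionTranslationFilter
 import org.springframework.security.web.context.NullSecurityContextRepository;
 import org.springframework.security.web.context.SecurityContextPersistenceFilter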

+ 4 - 4
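--- a/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurerTests.groovy
+++ b/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurerTests.groovy
@@ -22,7 +22,7 @@ import org.springframework.security.config.annotation.authentication.builders.Au
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
-import org.springframework.security.config.annotation.web.configurers.SessionCreationPolicy;
+import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.web.access.ExceptionTranslationFilter
 import org.springframework.security.web.context.NullSecurityContextRepository;
 import org.springframework.security.web.context.SecurityContextPersistenceFilter
@@ -58,7 +58,7 @@ class SessionManagementConfigurerTests extends BaseSpringSpec {
                     .requestCache(REQUEST_CACHE)
                     .and()
                 .sessionManagement()
-                    .sessionCreationPolicy(SessionCreationPolicy.stateless)
+                    .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
         }
 
     }
@@ -84,7 +84,7 @@ class SessionManagementConfigurerTests extends BaseSpringSpec {
                     .securityContextRepository(SECURITY_CONTEXT_REPO)
                     .and()
                 .sessionManagement()
-                    .sessionCreationPolicy(SessionCreationPolicy.stateless)
+                    .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
         }
 
     }
@@ -103,7 +103,7 @@ class SessionManagementConfigurerTests extends BaseSpringSpec {
         protected void configure(HttpSecurity http) throws Exception {
             http
                 .sessionManagement()
-                    .sessionCreationPolicy(SessionCreationPolicy.stateless)
+                    .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                     .and()
                 .sessionManagement()
         }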