|
@@ -16,6 +16,8 @@ import static org.junit.Assert.*;
|
|
|
import static org.mockito.Mockito.*;
|
|
import static org.mockito.Mockito.*;
|
|
|
import static org.springframework.security.web.context.HttpSessionSecurityContextRepository.*;
|
|
import static org.springframework.security.web.context.HttpSessionSecurityContextRepository.*;
|
|
|
|
|
|
|
|
|
|
+import javax.servlet.ServletOutputStream;
|
|
|
|
|
+import javax.servlet.http.HttpServletResponse;
|
|
|
import javax.servlet.http.HttpSession;
|
|
import javax.servlet.http.HttpSession;
|
|
|
|
|
|
|
|
import org.junit.After;
|
|
import org.junit.After;
|
|
@@ -257,6 +259,38 @@ public class HttpSessionSecurityContextRepositoryTests {
|
|
|
assertEquals(SecurityContextHolder.getContext(), request.getSession().getAttribute("imTheContext"));
|
|
assertEquals(SecurityContextHolder.getContext(), request.getSession().getAttribute("imTheContext"));
|
|
|
}
|
|
}
|
|
|
|
|
|
|
|
|
|
+ // SEC-SEC-2055
|
|
|
|
|
+ @Test
|
|
|
|
|
+ public void outputStreamCloseDelegate() throws Exception {
|
|
|
|
|
+ HttpSessionSecurityContextRepository repo = new HttpSessionSecurityContextRepository();
|
|
|
|
|
+ repo.setSpringSecurityContextKey("imTheContext");
|
|
|
|
|
+ MockHttpServletRequest request = new MockHttpServletRequest();
|
|
|
|
|
+ HttpServletResponse response = mock(HttpServletResponse.class);
|
|
|
|
|
+ ServletOutputStream outputstream = mock(ServletOutputStream.class);
|
|
|
|
|
+ when(response.getOutputStream()).thenReturn(outputstream);
|
|
|
|
|
+ HttpRequestResponseHolder holder = new HttpRequestResponseHolder(request, response);
|
|
|
|
|
+ SecurityContextHolder.setContext(repo.loadContext(holder));
|
|
|
|
|
+ SecurityContextHolder.getContext().setAuthentication(testToken);
|
|
|
|
|
+ holder.getResponse().getOutputStream().close();
|
|
|
|
|
+ verify(outputstream).close();
|
|
|
|
|
+ }
|
|
|
|
|
+
|
|
|
|
|
+ // SEC-SEC-2055
|
|
|
|
|
+ @Test
|
|
|
|
|
+ public void outputStreamFlushesDelegate() throws Exception {
|
|
|
|
|
+ HttpSessionSecurityContextRepository repo = new HttpSessionSecurityContextRepository();
|
|
|
|
|
+ repo.setSpringSecurityContextKey("imTheContext");
|
|
|
|
|
+ MockHttpServletRequest request = new MockHttpServletRequest();
|
|
|
|
|
+ HttpServletResponse response = mock(HttpServletResponse.class);
|
|
|
|
|
+ ServletOutputStream outputstream = mock(ServletOutputStream.class);
|
|
|
|
|
+ when(response.getOutputStream()).thenReturn(outputstream);
|
|
|
|
|
+ HttpRequestResponseHolder holder = new HttpRequestResponseHolder(request, response);
|
|
|
|
|
+ SecurityContextHolder.setContext(repo.loadContext(holder));
|
|
|
|
|
+ SecurityContextHolder.getContext().setAuthentication(testToken);
|
|
|
|
|
+ holder.getResponse().getOutputStream().flush();
|
|
|
|
|
+ verify(outputstream).flush();
|
|
|
|
|
+ }
|
|
|
|
|
+
|
|
|
@Test
|
|
@Test
|
|
|
public void noSessionIsCreatedIfSessionWasInvalidatedDuringTheRequest() throws Exception {
|
|
public void noSessionIsCreatedIfSessionWasInvalidatedDuringTheRequest() throws Exception {
|
|
|
HttpSessionSecurityContextRepository repo = new HttpSessionSecurityContextRepository();
|
|
HttpSessionSecurityContextRepository repo = new HttpSessionSecurityContextRepository();
|
Rob Winch