
Commit 2638555

mchesjzheaux
authored and committed
Allow redirect strategy to be customized
Closes gh-12795
1 parent df5b729 commit 2638555


2 files changed

+51
-3
lines changed


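--- a/web/src/main/java/org/springframework/security/web/session/RequestedUrlRedirectInvalidSessionStrategy.java
+++ b/web/src/main/java/org/springframework/security/web/session/RequestedUrlRedirectInvalidSessionStrategy.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2016 the original author or authors.
+ * Copyright 2002-2023 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -25,19 +25,21 @@
 
 import org.springframework.security.web.DefaultRedirectStrategy;
 import org.springframework.security.web.RedirectStrategy;
+import org.springframework.util.Assert;
 import org.springframework.web.servlet.support.ServletUriComponentsBuilder;
 
 /**
  * Performs a redirect to the original request URL when an invalid requested session is
  * detected by the {@code SessionManagementFilter}.
  *
  * @author Craig Andrews
+ * @author Mark Chesney
  */
 public final class RequestedUrlRedirectInvalidSessionStrategy implements InvalidSessionStrategy {
 
 private final Log logger = LogFactory.getLog(getClass());
 
-private final RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();
+private RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();
 
 private boolean createNewSession = true;
 
@@ -68,4 +70,14 @@ public void setCreateNewSession(boolean createNewSession) {
 this.createNewSession = createNewSession;
 }
 
+/**
+* Sets the redirect strategy to use. The default is {@link DefaultRedirectStrategy}.
+* @param redirectStrategy the redirect strategy to use.
+* @since 6.2
+*/
+public void setRedirectStrategy(RedirectStrategy redirectStrategy) {
+Assert.notNull(redirectStrategy, "redirectStrategy cannot be null");
+this.redirectStrategy = redirectStrategy;
+}
+
 }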
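Review bot: The Javadoc on the new `setRedirectStrategy` should say when it is safe to call, because the field lost its `final` and is now written by a plain, unsynchronized setter: it is meant to be wired while the strategy is being configured, before the `SessionManagementFilter` handles requests, not swapped at runtime. It is also worth stating what the supplied strategy is handed; from the class Javadoc and the `ServletUriComponentsBuilder` import, the URL is presumably the requested URL rebuilt from the incoming request, so a custom strategy takes over whatever handling `DefaultRedirectStrategy` applied to it (the `onInvalidSessionDetected` body is outside the hunk, so confirm there). A line such as `* Intended to be called during configuration, before this strategy handles any request.` after the existing description would cover the first point.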

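--- a/web/src/test/java/org/springframework/security/web/session/SessionManagementFilterTests.java
+++ b/web/src/test/java/org/springframework/security/web/session/SessionManagementFilterTests.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2016 the original author or authors.
+ * Copyright 2002-2023 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -20,6 +20,7 @@
 import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpServletResponse;
 import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 
 import org.springframework.mock.web.MockFilterChain;
@@ -29,6 +30,7 @@
 import org.springframework.security.authentication.TestingAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.web.DefaultRedirectStrategy;
 import org.springframework.security.web.authentication.AuthenticationFailureHandler;
 import org.springframework.security.web.authentication.session.SessionAuthenticationException;
 import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
@@ -46,9 +48,11 @@
 /**
  * @author Luke Taylor
  * @author Rob Winch
+ * @author Mark Chesney
  */
 public class SessionManagementFilterTests {
 
+@BeforeEach
 @AfterEach
 public void clearContext() {
 SecurityContextHolder.clearContext();
@@ -174,6 +178,38 @@ public void responseIsRedirectedToRequestedUrlIfSetAndSessionIsInvalid() throws
 assertThat(response.getRedirectedUrl()).isEqualTo("/requested");
 }
 
+@Test
+public void responseIsRedirectedToRequestedUrlIfContextPathIsSetAndSessionIsInvalid() throws Exception {
+// given
+DefaultRedirectStrategy redirectStrategy = new DefaultRedirectStrategy();
+redirectStrategy.setContextRelative(true);
+RequestedUrlRedirectInvalidSessionStrategy invalidSessionStrategy = new RequestedUrlRedirectInvalidSessionStrategy();
+invalidSessionStrategy.setCreateNewSession(true);
+invalidSessionStrategy.setRedirectStrategy(redirectStrategy);
+SecurityContextRepository securityContextRepository = mock(SecurityContextRepository.class);
+SessionAuthenticationStrategy sessionAuthenticationStrategy = mock(SessionAuthenticationStrategy.class);
+SessionManagementFilter filter = new SessionManagementFilter(securityContextRepository,
+sessionAuthenticationStrategy);
+filter.setInvalidSessionStrategy(invalidSessionStrategy);
+MockHttpServletRequest request = new MockHttpServletRequest();
+request.setContextPath("/context");
+request.setRequestedSessionId("xxx");
+request.setRequestedSessionIdValid(false);
+request.setRequestURI("/context/requested");
+MockHttpServletResponse response = new MockHttpServletResponse();
+FilterChain chain = mock(FilterChain.class);
+
+// when
+filter.doFilter(request, response, chain);
+
+// then
+verify(securityContextRepository).containsContext(request);
+verifyNoMoreInteractions(securityContextRepository, sessionAuthenticationStrategy, chain);
+assertThat(response.isCommitted()).isTrue();
+assertThat(response.getRedirectedUrl()).isEqualTo("/context/requested");
+assertThat(response.getStatus()).isEqualTo(302);
+}
+
 @Test
 public void customAuthenticationTrustResolver() throws Exception {
 AuthenticationTrustResolver trustResolver = mock(AuthenticationTrustResolver.class);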
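Review bot: The new test pins `/context/requested` for the context-relative strategy but never shows what the same request yields without the customization, so it does not demonstrate that `setRedirectStrategy` changes the outcome, nor will it catch a regression in the default handling of a context path. A second test (or a second request in this one) using a `RequestedUrlRedirectInvalidSessionStrategy` with no `setRedirectStrategy` call and asserting its `getRedirectedUrl()` for the same `/context/requested` request would make the contrast explicit. The `// given` / `// when` / `// then` markers also appear only in this test; the neighbouring tests visible at the hunk edges do not use them, so consider dropping them for consistency with the rest of the file.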
