|
1 | 1 | /*
|
2 |
| - * Copyright 2002-2016 the original author or authors. |
| 2 | + * Copyright 2002-2023 the original author or authors. |
3 | 3 | *
|
4 | 4 | * Licensed under the Apache License, Version 2.0 (the "License");
|
5 | 5 | * you may not use this file except in compliance with the License.
|
|
20 | 20 | import jakarta.servlet.http.HttpServletRequest;
|
21 | 21 | import jakarta.servlet.http.HttpServletResponse;
|
22 | 22 | import org.junit.jupiter.api.AfterEach;
|
| 23 | +import org.junit.jupiter.api.BeforeEach; |
23 | 24 | import org.junit.jupiter.api.Test;
|
24 | 25 |
|
25 | 26 | import org.springframework.mock.web.MockFilterChain;
|
|
29 | 30 | import org.springframework.security.authentication.TestingAuthenticationToken;
|
30 | 31 | import org.springframework.security.core.Authentication;
|
31 | 32 | import org.springframework.security.core.context.SecurityContextHolder;
|
| 33 | +import org.springframework.security.web.DefaultRedirectStrategy; |
32 | 34 | import org.springframework.security.web.authentication.AuthenticationFailureHandler;
|
33 | 35 | import org.springframework.security.web.authentication.session.SessionAuthenticationException;
|
34 | 36 | import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
|
|
46 | 48 | /**
|
47 | 49 | * @author Luke Taylor
|
48 | 50 | * @author Rob Winch
|
| 51 | + * @author Mark Chesney |
49 | 52 | */
|
50 | 53 | public class SessionManagementFilterTests {
|
51 | 54 |
|
| 55 | + @BeforeEach |
52 | 56 | @AfterEach
|
53 | 57 | public void clearContext() {
|
54 | 58 | SecurityContextHolder.clearContext();
|
@@ -174,6 +178,38 @@ public void responseIsRedirectedToRequestedUrlIfSetAndSessionIsInvalid() throws
|
174 | 178 | assertThat(response.getRedirectedUrl()).isEqualTo("/requested");
|
175 | 179 | }
|
176 | 180 |
|
| 181 | + @Test |
| 182 | + public void responseIsRedirectedToRequestedUrlIfContextPathIsSetAndSessionIsInvalid() throws Exception { |
| 183 | + // given |
| 184 | + DefaultRedirectStrategy redirectStrategy = new DefaultRedirectStrategy(); |
| 185 | + redirectStrategy.setContextRelative(true); |
| 186 | + RequestedUrlRedirectInvalidSessionStrategy invalidSessionStrategy = new RequestedUrlRedirectInvalidSessionStrategy(); |
| 187 | + invalidSessionStrategy.setCreateNewSession(true); |
| 188 | + invalidSessionStrategy.setRedirectStrategy(redirectStrategy); |
| 189 | + SecurityContextRepository securityContextRepository = mock(SecurityContextRepository.class); |
| 190 | + SessionAuthenticationStrategy sessionAuthenticationStrategy = mock(SessionAuthenticationStrategy.class); |
| 191 | + SessionManagementFilter filter = new SessionManagementFilter(securityContextRepository, |
| 192 | + sessionAuthenticationStrategy); |
| 193 | + filter.setInvalidSessionStrategy(invalidSessionStrategy); |
| 194 | + MockHttpServletRequest request = new MockHttpServletRequest(); |
| 195 | + request.setContextPath("/context"); |
| 196 | + request.setRequestedSessionId("xxx"); |
| 197 | + request.setRequestedSessionIdValid(false); |
| 198 | + request.setRequestURI("/context/requested"); |
| 199 | + MockHttpServletResponse response = new MockHttpServletResponse(); |
| 200 | + FilterChain chain = mock(FilterChain.class); |
| 201 | + |
| 202 | + // when |
| 203 | + filter.doFilter(request, response, chain); |
| 204 | + |
| 205 | + // then |
| 206 | + verify(securityContextRepository).containsContext(request); |
| 207 | + verifyNoMoreInteractions(securityContextRepository, sessionAuthenticationStrategy, chain); |
| 208 | + assertThat(response.isCommitted()).isTrue(); |
| 209 | + assertThat(response.getRedirectedUrl()).isEqualTo("/context/requested"); |
| 210 | + assertThat(response.getStatus()).isEqualTo(302); |
| 211 | + } |
| 212 | + |
177 | 213 | @Test
|
178 | 214 | public void customAuthenticationTrustResolver() throws Exception {
|
179 | 215 | AuthenticationTrustResolver trustResolver = mock(AuthenticationTrustResolver.class);
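Review bot: The new test pins the redirect target only for a `DefaultRedirectStrategy` with `setContextRelative(true)`, under which a relative URL passes through unchanged, so the assertion on line 209 cannot tell whether the strategy itself now emits "/context/requested" or whether the context path would be prefixed a second time by the default (non context-relative) strategy. A companion case that leaves `redirectStrategy` at its default and asserts `assertThat(response.getRedirectedUrl()).isEqualTo("/context/requested");` for the same request would distinguish a correct fix from one that yields "/context/context/requested". The request also carries no query string; if the target is built from the request URI, a variant with `request.setQueryString("a=b");` would pin whether it is preserved. The `// given` / `// when` / `// then` comments appear to be new to this file, whose neighbouring tests (the one ending at line 179) do not use them; keeping one style within the class is preferable.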
|
|