-
Notifications
You must be signed in to change notification settings - Fork 6.1k
Make Redirect Status Code Configurable #12817
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,5 +1,5 @@ | ||
/* | ||
* Copyright 2002-2016 the original author or authors. | ||
* Copyright 2002-2023 the original author or authors. | ||
* | ||
* Licensed under the Apache License, Version 2.0 (the "License"); | ||
* you may not use this file except in compliance with the License. | ||
|
@@ -20,15 +20,18 @@ | |
import jakarta.servlet.http.HttpServletRequest; | ||
import jakarta.servlet.http.HttpServletResponse; | ||
import org.junit.jupiter.api.AfterEach; | ||
import org.junit.jupiter.api.BeforeEach; | ||
import org.junit.jupiter.api.Test; | ||
|
||
import org.springframework.http.HttpStatus; | ||
import org.springframework.mock.web.MockFilterChain; | ||
import org.springframework.mock.web.MockHttpServletRequest; | ||
import org.springframework.mock.web.MockHttpServletResponse; | ||
import org.springframework.security.authentication.AuthenticationTrustResolver; | ||
import org.springframework.security.authentication.TestingAuthenticationToken; | ||
import org.springframework.security.core.Authentication; | ||
import org.springframework.security.core.context.SecurityContextHolder; | ||
import org.springframework.security.web.DefaultRedirectStrategy; | ||
import org.springframework.security.web.authentication.AuthenticationFailureHandler; | ||
import org.springframework.security.web.authentication.session.SessionAuthenticationException; | ||
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy; | ||
|
@@ -46,9 +49,11 @@ | |
/** | ||
* @author Luke Taylor | ||
* @author Rob Winch | ||
* @author Mark Chesney | ||
*/ | ||
public class SessionManagementFilterTests { | ||
|
||
@BeforeEach | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. @jzheaux SecurityContextHolderAwareRequestWrapperTests.java for reference: …
package org.springframework.security.web.servletapi;
…
public class SecurityContextHolderAwareRequestWrapperTests {
@BeforeEach
public void tearDown() {
SecurityContextHolder.clearContext();
}
…
@Test
public void testGetRemoteUserStringWithAuthenticatedPrincipal() {
…
SecurityContextHolder.getContext().setAuthentication(auth);
…
}
} |
||
@AfterEach | ||
public void clearContext() { | ||
SecurityContextHolder.clearContext(); | ||
|
@@ -174,6 +179,69 @@ public void responseIsRedirectedToRequestedUrlIfSetAndSessionIsInvalid() throws | |
assertThat(response.getRedirectedUrl()).isEqualTo("/requested"); | ||
} | ||
|
||
@Test | ||
public void responseIsRedirectedToRequestedUrlIfContextPathIsSetAndSessionIsInvalid() throws Exception { | ||
// given | ||
DefaultRedirectStrategy redirectStrategy = new DefaultRedirectStrategy(); | ||
redirectStrategy.setContextRelative(true); | ||
RequestedUrlRedirectInvalidSessionStrategy invalidSessionStrategy = new RequestedUrlRedirectInvalidSessionStrategy(); | ||
invalidSessionStrategy.setCreateNewSession(true); | ||
invalidSessionStrategy.setRedirectStrategy(redirectStrategy); | ||
SecurityContextRepository securityContextRepository = mock(SecurityContextRepository.class); | ||
SessionAuthenticationStrategy sessionAuthenticationStrategy = mock(SessionAuthenticationStrategy.class); | ||
SessionManagementFilter filter = new SessionManagementFilter(securityContextRepository, | ||
sessionAuthenticationStrategy); | ||
filter.setInvalidSessionStrategy(invalidSessionStrategy); | ||
MockHttpServletRequest request = new MockHttpServletRequest(); | ||
request.setContextPath("/context"); | ||
request.setRequestedSessionId("xxx"); | ||
request.setRequestedSessionIdValid(false); | ||
request.setRequestURI("/context/requested"); | ||
MockHttpServletResponse response = new MockHttpServletResponse(); | ||
FilterChain chain = mock(FilterChain.class); | ||
|
||
// when | ||
filter.doFilter(request, response, chain); | ||
|
||
// then | ||
verify(securityContextRepository).containsContext(request); | ||
verifyNoMoreInteractions(securityContextRepository, sessionAuthenticationStrategy, chain); | ||
assertThat(response.isCommitted()).isTrue(); | ||
assertThat(response.getRedirectedUrl()).isEqualTo("/context/requested"); | ||
assertThat(response.getStatus()).isEqualTo(302); | ||
} | ||
|
||
@Test | ||
public void responseIsRedirectedToRequestedUrlIfStatusCodeIsSetAndSessionIsInvalid() throws Exception { | ||
// given | ||
DefaultRedirectStrategy redirectStrategy = new DefaultRedirectStrategy(); | ||
redirectStrategy.setStatusCode(HttpStatus.TEMPORARY_REDIRECT); | ||
RequestedUrlRedirectInvalidSessionStrategy invalidSessionStrategy = new RequestedUrlRedirectInvalidSessionStrategy(); | ||
invalidSessionStrategy.setCreateNewSession(true); | ||
invalidSessionStrategy.setRedirectStrategy(redirectStrategy); | ||
SecurityContextRepository securityContextRepository = mock(SecurityContextRepository.class); | ||
SessionAuthenticationStrategy sessionAuthenticationStrategy = mock(SessionAuthenticationStrategy.class); | ||
SessionManagementFilter filter = new SessionManagementFilter(securityContextRepository, | ||
sessionAuthenticationStrategy); | ||
filter.setInvalidSessionStrategy(invalidSessionStrategy); | ||
MockHttpServletRequest request = new MockHttpServletRequest(); | ||
request.setRequestedSessionId("xxx"); | ||
request.setRequestedSessionIdValid(false); | ||
request.setRequestURI("/requested"); | ||
MockHttpServletResponse response = new MockHttpServletResponse(); | ||
FilterChain chain = mock(FilterChain.class); | ||
|
||
// when | ||
filter.doFilter(request, response, chain); | ||
|
||
// then | ||
verify(securityContextRepository).containsContext(request); | ||
verifyNoMoreInteractions(securityContextRepository, sessionAuthenticationStrategy, chain); | ||
assertThat(response.isCommitted()).isTrue(); | ||
assertThat(response.getRedirectedUrl()).isEqualTo("/requested"); | ||
assertThat(response.getStatus()).isEqualTo(307); | ||
} | ||
|
||
@Test | ||
public void customAuthenticationTrustResolver() throws Exception { | ||
AuthenticationTrustResolver trustResolver = mock(AuthenticationTrustResolver.class); | ||
|
Uh oh!
There was an error while loading. Please reload this page.