/**
 * Returns the request's session, lazily creating a {@link MockHttpSession} when
 * {@code create} is {@code true} and no session is active.
 *
 * <p>A {@link MockHttpSession} that reports itself invalid is discarded before
 * the lookup, so callers never receive a stale session back after invalidation.
 *
 * @param create whether to create a new session when none is active
 * @return the current session, or {@code null} if none exists and {@code create} is {@code false}
 */
@Override
@Nullable
public HttpSession getSession(boolean create) {
    checkActive();
    HttpSession current = this.session;
    // An invalidated mock session must not be handed back; forget it first.
    if (current instanceof MockHttpSession) {
        boolean invalid = ((MockHttpSession) current).isInvalid();
        if (invalid) {
            this.session = null;
            current = null;
        }
    }
    if (current != null || !create) {
        return current;
    }
    this.session = new MockHttpSession(this.servletContext);
    return this.session;
}
/** Builds the {@code MockMvc} from the web application context and starts each test with a fresh session. */
@Before
public void setup() throws Exception {
    this.session = new MockHttpSession();
    this.mvc = webAppContextSetup(this.wac).build();
}
/**
 * Creates a new mock session that already carries {@code user}'s authentication.
 *
 * @param user the user to authenticate in the returned session
 * @return a session populated via {@code setAuthentication}
 */
private MockHttpSession getAuthenticatedSession(ScimUser user) {
    MockHttpSession authenticated = new MockHttpSession();
    setAuthentication(authenticated, user);
    return authenticated;
}
/** Prepares the "old" and "new" request-attribute fixtures, each backed by its own fresh mock session. */
@Before
public void setUp() {
    this.oldRequestAttributesWithSession = newAttributesWithSession();
    this.newRequestAttributesWithSession = newAttributesWithSession();
}

/** Wraps a new mock request, with a new mock session attached, in {@link ServletRequestAttributes}. */
private static ServletRequestAttributes newAttributesWithSession() {
    MockHttpServletRequest request = new MockHttpServletRequest();
    request.setSession(new MockHttpSession());
    return new ServletRequestAttributes(request);
}
/**
 * Builds a mock request whose session holds a mocked {@link SavedRequest}.
 *
 * <p>The saved request answers {@code client_id} with {@code "client-id"} and reports
 * a redirect URL pointing at the local authorize endpoint; the code under test reads
 * it back from {@code SAVED_REQUEST_SESSION_ATTRIBUTE}.
 *
 * @return a request with the saved request stored in its session
 */
private MockHttpServletRequest getMockHttpServletRequest() {
    SavedRequest saved = mock(SavedRequest.class);
    when(saved.getParameterValues("client_id")).thenReturn(new String[]{"client-id"});
    when(saved.getRedirectUrl())
            .thenReturn("http://localhost:8080/uaa/oauth/authorize?client_id=identity&redirect_uri=http%3A%2F%2Flocalhost%3A8888%2Flogin&response_type=code&state=8tp0tR");
    MockHttpSession mockSession = new MockHttpSession();
    mockSession.setAttribute(SAVED_REQUEST_SESSION_ATTRIBUTE, saved);
    MockHttpServletRequest mockRequest = new MockHttpServletRequest();
    mockRequest.setSession(mockSession);
    return mockRequest;
}
/** After an external OAuth callback, the endpoint redirects to the URL captured in the saved request. */
@Test
public void xoauthCallback_redirectsToSavedRequestIfPresent() throws Exception {
    DefaultSavedRequest saved = Mockito.mock(DefaultSavedRequest.class);
    when(saved.getRedirectUrl()).thenReturn("/some.redirect.url");
    HttpSession httpSession = new MockHttpSession();
    httpSession.setAttribute(SAVED_REQUEST_SESSION_ATTRIBUTE, saved);
    LoginInfoEndpoint endpoint = getEndpoint();
    String view = endpoint.handleXOAuthCallback(httpSession);
    assertEquals("redirect:/some.redirect.url", view);
}
/** A session handed to the builder is used as-is, and {@code sessionAttr} adds attributes onto that same session. */
@Test
public void session() {
    MockHttpSession provided = new MockHttpSession(this.servletContext);
    provided.setAttribute("foo", "bar");
    this.builder.session(provided);
    this.builder.sessionAttr("baz", "qux");
    MockHttpServletRequest built = this.builder.buildRequest(this.servletContext);
    assertEquals(provided, built.getSession());
    assertEquals("bar", built.getSession().getAttribute("foo"));
    assertEquals("qux", built.getSession().getAttribute("baz"));
}
/**
 * When MFA is enabled for the zone, autologin must be refused with a
 * {@link BadCredentialsException} carrying the message {@code "MFA is required"}.
 */
@Test
public void testPerformAutologinFailsWhenMfaRequired() throws Exception {
    doReturn(true).when(mfaChecker).isMfaEnabled(any(IdentityZone.class), anyString());
    LoginInfoEndpoint endpoint = getEndpoint();
    boolean rejected = false;
    try {
        endpoint.performAutologin(new MockHttpSession());
    } catch (BadCredentialsException e) {
        rejected = true;
        assertEquals("MFA is required", e.getMessage());
    }
    // Reaching here without the exception means the MFA gate did not fire.
    if (!rejected) {
        fail("MFA was not required");
    }
}
/** Prepares two session-less and two session-backed request-attribute fixtures ("old" and "new"). */
@Before
public void setUp() {
    this.oldRequestAttributes = new ServletRequestAttributes(new MockHttpServletRequest());
    this.newRequestAttributes = new ServletRequestAttributes(new MockHttpServletRequest());
    this.oldRequestAttributesWithSession = attributesBackedBySession();
    this.newRequestAttributesWithSession = attributesBackedBySession();
}

/** Wraps a new mock request, with a new mock session attached, in {@link ServletRequestAttributes}. */
private static ServletRequestAttributes attributesBackedBySession() {
    MockHttpServletRequest request = new MockHttpServletRequest();
    request.setSession(new MockHttpSession());
    return new ServletRequestAttributes(request);
}
/**
 * Creates a mock session, registers it in the {@link SessionRegistry} for principal
 * {@code "user"}, and immediately marks its registry entry as expired.
 *
 * @return the session whose registry information is already expired
 */
private MockHttpSession expiredSession() {
    MockHttpSession expired = new MockHttpSession();
    String id = expired.getId();
    SessionRegistry registry = this.spring.getContext().getBean(SessionRegistry.class);
    registry.registerNewSession(id, "user");
    registry.getSessionInformation(id).expireNow();
    return expired;
}
/** Without {@code prompt=none}, the authorize redirect must not carry a {@code session_state} parameter. */
@Test
void nonSilentAuthentication_doesNotComputeSessionState() throws Exception {
    MockHttpSession authenticated = new MockHttpSession();
    login(authenticated);
    MvcResult result = mockMvc
            .perform(get("/oauth/authorize?response_type=token&scope=openid&client_id=ant&redirect_uri=http://example.com/with/path.html")
                    .session(authenticated))
            .andReturn();
    String location = result.getResponse().getRedirectedUrl();
    assertThat(location, not(containsString("session_state")));
}
/**
 * With {@code create-session="never"}, a login still stores the security context into a
 * session that the client already presented; only creation of new sessions is suppressed.
 */
@Test
public void requestWhenCreateSessionIsSetToNeverThenUsesExistingSession() throws Exception {
    this.spring.configLocations(this.xml("CreateSessionNever")).autowire();
    MockHttpSession existing = new MockHttpSession();
    MockHttpServletRequest loginRequest = post("/login")
            .param("username", "user")
            .param("password", "password")
            .buildRequest(this.servletContext());
    loginRequest = csrf().postProcessRequest(loginRequest);
    loginRequest.setSession(existing);
    MockHttpServletResponse loginResponse = request(loginRequest, this.spring.getContext());
    assertThat(loginResponse.getStatus()).isEqualTo(HttpStatus.SC_MOVED_TEMPORARILY);
    // getSession(false) must not create: the session present here is the one we attached.
    assertThat(loginRequest.getSession(false)).isNotNull();
    assertThat(loginRequest.getSession(false).getAttribute(SPRING_SECURITY_CONTEXT_KEY))
            .isNotNull();
}
/**
 * Session-scoped beans are JDK proxies whose target is resolved per session:
 * state written through the proxy under one session is not visible under another,
 * and swapping the original session back restores the earlier state.
 */
@Test
public void testSessionScoping() throws Exception {
    MockHttpSession firstSession = new MockHttpSession();
    MockHttpSession secondSession = new MockHttpSession();
    MockHttpServletRequest currentRequest = new MockHttpServletRequest();
    currentRequest.setSession(firstSession);
    RequestContextHolder.setRequestAttributes(new ServletRequestAttributes(currentRequest));

    ITestBean sessionScoped = (ITestBean) this.context.getBean("sessionScoped");
    assertTrue("Should be AOP proxy", AopUtils.isAopProxy(sessionScoped));
    assertFalse("Should not be target class proxy", sessionScoped instanceof TestBean);

    ITestBean viaAlias = (ITestBean) this.context.getBean("sessionScopedAlias");
    assertSame(sessionScoped, viaAlias);

    ITestBean plainBean = (ITestBean) this.context.getBean("testBean");
    assertTrue("Should be AOP proxy", AopUtils.isAopProxy(plainBean));
    assertFalse("Regular bean should be JDK proxy", plainBean instanceof TestBean);

    String rob = "Rob Harrop";
    String bram = "Bram Smeets";
    assertEquals(rob, sessionScoped.getName());
    sessionScoped.setName(bram);
    // A different session resolves to a different target, so the write is not visible.
    currentRequest.setSession(secondSession);
    assertEquals(rob, sessionScoped.getName());
    // Restoring the first session brings the earlier write back.
    currentRequest.setSession(firstSession);
    assertEquals(bram, sessionScoped.getName());
    assertTrue("Should have advisors", ((Advised) sessionScoped).getAdvisors().length > 0);
}
/** A {@code login_hint} passed to IdP discovery is copied into the model under the same key. */
@Test
public void discoverIdentityProviderCarriesLoginHintIfProvided() throws Exception {
    String loginHint = "{\"origin\":\"my-OIDC-idp1\"}";
    MockHttpSession discoverySession = new MockHttpSession();
    MockHttpServletRequest discoveryRequest = new MockHttpServletRequest();
    LoginInfoEndpoint endpoint = getEndpoint();
    endpoint.discoverIdentityProvider("testuser@fake.com", "true", loginHint, model, discoverySession, discoveryRequest);
    assertEquals(loginHint, model.get("login_hint"));
}
/**
 * With session-fixation protection set to {@code migrateSession}, a successful authentication
 * must leave the request with a session whose id differs from the pre-login id.
 */
@Test
public void requestWhenSessionFixationProtectionIsMigrateSessionThenSessionIsReplaced() throws Exception {
    this.spring.configLocations(this.xml("SessionFixationProtectionMigrateSession")).autowire();
    MockHttpSession preLogin = new MockHttpSession();
    String preLoginId = preLogin.getId();
    MvcResult result = this.mvc
            .perform(get("/auth").session(preLogin).with(httpBasic("user", "password")))
            .andExpect(session())
            .andReturn();
    String postLoginId = result.getRequest().getSession(false).getId();
    assertThat(postLoginId).isNotEqualTo(preLoginId);
}
/**
 * A silent ({@code prompt=none}) authorize request made with an invalidated session is still
 * redirected back to the registered redirect_uri rather than to a login page.
 */
@Test
void testSilentAuthHonorsAntRedirect_whenSessionHasBeenInvalidated() throws Exception {
    MockHttpSession invalidated = new MockHttpSession();
    login(invalidated);
    invalidated.invalidate();
    mockMvc
            .perform(get("/oauth/authorize?response_type=token&scope=openid&client_id=ant&prompt=none&redirect_uri=http://example.com/with/path.html")
                    .session(invalidated))
            .andExpect(redirectedUrlPattern("http://example.com/**/*"));
}
/**
 * A silent authorize request carrying a malformed {@code redirect_uri} is answered with a 4xx
 * rather than being redirected anywhere.
 */
@Test
void testSilentAuthentication_Returns400_whenInvalidRedirectUrlIsProvided() throws Exception {
    MockHttpSession authenticated = new MockHttpSession();
    login(authenticated);
    mockMvc
            .perform(get("/oauth/authorize?response_type=token&scope=openid&client_id=ant&prompt=none&redirect_uri=no good uri")
                    .session(authenticated))
            .andExpect(status().is4xxClientError());
}
/**
 * With {@code create-session="stateless"}, a login never stores the security context in
 * the session, even when the client presented one.
 */
@Test
public void requestWhenCreateSessionIsSetToStatelessThenIgnoresExistingSession() throws Exception {
    this.spring.configLocations(this.xml("CreateSessionStateless")).autowire();
    MvcResult loginResult = this.mvc
            .perform(post("/login")
                    .param("username", "user")
                    .param("password", "password")
                    .session(new MockHttpSession())
                    .with(csrf()))
            .andExpect(status().isFound())
            .andExpect(session())
            .andReturn();
    Object storedContext = loginResult.getRequest().getSession(false).getAttribute(SPRING_SECURITY_CONTEXT_KEY);
    assertThat(storedContext).isNull();
}
/**
 * With session-fixation protection set to {@code none}, authentication keeps the session
 * the client presented, so its id is unchanged after login.
 */
@Test
public void requestWhenSessionFixationProtectionIsNoneThenSessionNotInvalidated() throws Exception {
    this.spring.configLocations(this.xml("SessionFixationProtectionNone")).autowire();
    MockHttpSession preLogin = new MockHttpSession();
    String preLoginId = preLogin.getId();
    this.mvc
            .perform(get("/auth").session(preLogin).with(httpBasic("user", "password")))
            .andExpect(session().id(preLoginId));
}
/**
 * SEC-2137: with session-fixation protection disabled but concurrency control enabled,
 * the presented session must survive authentication (200 and same session id).
 */
@Test
public void requestWhenSessionFixationProtectionDisabledAndConcurrencyControlEnabledThenSessionNotInvalidated() throws Exception {
    this.spring.configLocations(this.xml("Sec2137")).autowire();
    MockHttpSession presented = new MockHttpSession();
    String presentedId = presented.getId();
    this.mvc
            .perform(get("/auth").session(presented).with(httpBasic("user", "password")))
            .andExpect(status().isOk())
            .andExpect(session().id(presentedId));
}