From 6e2d4a5ef4870ada0ef3d4b7beedb17a08ec79bc Mon Sep 17 00:00:00 2001
From: Rob Winch
Date: Wed, 26 Apr 2017 08:12:26 -0500
Subject: [PATCH] SpringSessionRememberMeServices rm SecurityContext attribute

SpringSessionRememberMeServices use to invalidate the session which would cause Spring Security's saved request to be lost. Now SpringSessionRememberMeServices deletes the SecurityContext from the HttpSession instead.

Fixes gh-752
---
 .../web/authentication/SpringSessionRememberMeServices.java | 5 ++++-
 .../SpringSessionRememberMeServicesTests.java | 6 ++++--
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/spring-session/src/main/java/org/springframework/session/security/web/authentication/SpringSessionRememberMeServices.java b/spring-session/src/main/java/org/springframework/session/security/web/authentication/SpringSessionRememberMeServices.java
index 9132e886..abda5ac9 100644
--- a/spring-session/src/main/java/org/springframework/session/security/web/authentication/SpringSessionRememberMeServices.java
+++ b/spring-session/src/main/java/org/springframework/session/security/web/authentication/SpringSessionRememberMeServices.java
@@ -26,6 +26,7 @@ import org.apache.commons.logging.LogFactory;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.web.authentication.RememberMeServices;
 import org.springframework.security.web.authentication.logout.LogoutHandler;
+import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
 import org.springframework.util.Assert;
 
 /**
@@ -57,6 +58,8 @@ public class SpringSessionRememberMeServices
 
 private int validitySeconds = THIRTY_DAYS_SECONDS;
 
+ private String sessionAttrToDeleteOnLoginFail = HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY;
+
 public final Authentication autoLogin(HttpServletRequest request,
 HttpServletResponse response) {
 return null;
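Review bot: `sessionAttrToDeleteOnLoginFail` in the `@@ -57,6 +58,8` hunk is a non-final instance field with no setter and no Javadoc, so it is neither a constant nor a configurable property, and its only mutation path is reflection. If the name is meant to be fixed, `private static final String SESSION_ATTR_TO_DELETE_ON_LOGIN_FAIL = HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY;` says so; if it is meant to be configurable, add a setter that rejects empty names, `public void setSessionAttrToDeleteOnLoginFail(String attr) { Assert.hasText(attr, "attr must not be empty"); this.sessionAttrToDeleteOnLoginFail = attr; }`, using the `Assert` the file already imports. Either way, a one-line Javadoc on the field should record why only this attribute is removed on a failed login instead of invalidating the session (the commit message says invalidation discarded Spring Security's saved request, gh-752). The class body continues outside the hunk.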
@@ -132,7 +135,7 @@ public class SpringSessionRememberMeServices
 logger.debug("Interactive login attempt was unsuccessful.");
 HttpSession session = request.getSession(false);
 if (session != null) {
- session.invalidate();
+ session.removeAttribute(this.sessionAttrToDeleteOnLoginFail);
 }
 }
 }
diff --git a/spring-session/src/test/java/org/springframework/session/security/web/authentication/SpringSessionRememberMeServicesTests.java b/spring-session/src/test/java/org/springframework/session/security/web/authentication/SpringSessionRememberMeServicesTests.java
index 567c8098..b8155ef9 100644
--- a/spring-session/src/test/java/org/springframework/session/security/web/authentication/SpringSessionRememberMeServicesTests.java
+++ b/spring-session/src/test/java/org/springframework/session/security/web/authentication/SpringSessionRememberMeServicesTests.java
@@ -25,6 +25,7 @@ import org.junit.Test;
 import org.junit.rules.ExpectedException;
 
 import org.springframework.security.core.Authentication;
+import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
 import org.springframework.test.util.ReflectionTestUtils;
 
 import static org.assertj.core.api.Assertions.assertThat;
@@ -103,8 +104,9 @@ public class SpringSessionRememberMeServicesTests {
 verifyZeroInteractions(request, response);
 }
 
+ // gh-752
 @Test
- public void loginFailInvalidatesSession() {
+ public void loginFailRemoveSecurityContext() {
 HttpServletRequest request = mock(HttpServletRequest.class);
 HttpServletResponse response = mock(HttpServletResponse.class);
 HttpSession session = mock(HttpSession.class);
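Review bot: The `session.removeAttribute(...)` line in the `@@ -132,7 +135,7` hunk now deliberately keeps the session alive, but nothing in the code says so; the only nearby text is the debug log, and the next maintainer may well "fix" it back to `invalidate()`. A comment above the call, `// Remove only the SecurityContext: invalidating the session would also discard Spring Security's saved request (gh-752)`, pins the intent. The surviving session keeps its id and every other attribute, which is what the fix wants; session-fixation protection on a later successful login presumably lives elsewhere in the filter chain, so I would state that assumption in the Javadoc of `loginFail` (its signature is outside the hunk) rather than change the code. `removeAttribute` throws `IllegalStateException` on an already-invalidated session exactly as `invalidate()` did, so the existing null check is the same level of guard as before.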
@@ -112,7 +114,7 @@ public class SpringSessionRememberMeServicesTests {
 this.rememberMeServices = new SpringSessionRememberMeServices();
 this.rememberMeServices.loginFail(request, response);
 verify(request, times(1)).getSession(eq(false));
- verify(session, times(1)).invalidate();
+ verify(session, times(1)).removeAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY);
 verifyZeroInteractions(request, response, session);
 }