Ensure Session#getAttributeNames implementations return a copy

Currently, Session#getAttributeNames implementations, by delegating to MapSession, all return a session attribute map's key set. This causes ConcurrentModificationException when an attempt to modify session attributes is made while iterating over the returned attribute names.

Closes gh-1120

spring-session-core/src/main/java/org/springframework/session/MapSession.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2014-2017 the original author or authors.
+ * Copyright 2014-2018 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -20,6 +20,7 @@ import java.io.Serializable;
 import java.time.Duration;
 import java.time.Instant;
 import java.util.HashMap;
+import java.util.HashSet;
 import java.util.Map;
 import java.util.Set;
 import java.util.UUID;
@@ -177,7 +178,7 @@ public final class MapSession implements Session, Serializable {
 
 	@Override
 	public Set<String> getAttributeNames() {
-		return this.sessionAttrs.keySet();
+		return new HashSet<>(this.sessionAttrs.keySet());
 	}
 
 	@Override

spring-session-core/src/test/java/org/springframework/session/MapSessionRepositoryTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2014-2017 the original author or authors.
+ * Copyright 2014-2018 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -100,4 +100,17 @@ public class MapSessionRepositoryTests {
 		assertThat(this.repository.findById(createSession.getId())).isNotNull();
 	}
 
+	@Test // gh-1120
+	public void getAttributeNamesAndRemove() {
+		MapSession session = this.repository.createSession();
+		session.setAttribute("attribute1", "value1");
+		session.setAttribute("attribute2", "value2");
+
+		for (String attributeName : session.getAttributeNames()) {
+			session.removeAttribute(attributeName);
+		}
+
+		assertThat(session.getAttributeNames()).isEmpty();
+	}
+
 }

spring-session-core/src/test/java/org/springframework/session/MapSessionTests.java

@@ -133,6 +133,18 @@ public class MapSessionTests {
 		assertThat(this.session.isExpired(now)).isTrue();
 	}
 
+	@Test // gh-1120
+	public void getAttributeNamesAndRemove() {
+		this.session.setAttribute("attribute1", "value1");
+		this.session.setAttribute("attribute2", "value2");
+
+		for (String attributeName : this.session.getAttributeNames()) {
+			this.session.removeAttribute(attributeName);
+		}
+
+		assertThat(this.session.getAttributeNames()).isEmpty();
+	}
+
 	static class CustomSession implements Session {
 
 		@Override

spring-session-core/src/test/java/org/springframework/session/ReactiveMapSessionRepositoryTests.java

@@ -144,4 +144,17 @@ public class ReactiveMapSessionRepositoryTests {
 		assertThat(this.repository.findById(createSession.getId()).block()).isNotNull();
 	}
 
+	@Test // gh-1120
+	public void getAttributeNamesAndRemove() {
+		MapSession session = this.repository.createSession().block();
+		session.setAttribute("attribute1", "value1");
+		session.setAttribute("attribute2", "value2");
+
+		for (String attributeName : session.getAttributeNames()) {
+			session.removeAttribute(attributeName);
+		}
+
+		assertThat(session.getAttributeNames()).isEmpty();
+	}
+
 }