Release 2.2.3.RELEASE

Upgrade Spring Security to 5.2.4.RELEASE
Resolves gh-1634
2020-05-12 16:56:14 -04:00 · 2020-05-12 16:30:27 -04:00 · 2020-05-12 16:29:48 -04:00 · 2020-05-12 16:29:24 -04:00 · 2020-05-12 16:28:45 -04:00 · 2020-05-12 16:28:08 -04:00
7 changed files with 50 additions and 15 deletions
--- a/build.gradle
+++ b/build.gradle
@@ -4,7 +4,7 @@ buildscript {
 		snapshotBuild = version.endsWith('SNAPSHOT')
 		milestoneBuild = !(releaseBuild || snapshotBuild)

-		springBootVersion = '2.2.4.RELEASE'
+		springBootVersion = '2.2.7.RELEASE'
 	}

 	repositories {
--- a/gradle.properties
+++ b/gradle.properties
@@ -1,3 +1,3 @@
 org.gradle.jvmargs=-Xmx2g -XX:MaxMetaspaceSize=512m -XX:+HeapDumpOnOutOfMemoryError -Dfile.encoding=UTF-8
 org.gradle.parallel=true
-version=2.2.2.BUILD-SNAPSHOT
+version=2.2.3.RELEASE
--- a/gradle/dependency-management.gradle
+++ b/gradle/dependency-management.gradle
@@ -1,11 +1,11 @@
 dependencyManagement {
 	imports {
-		mavenBom 'io.projectreactor:reactor-bom:Dysprosium-SR4'
+		mavenBom 'io.projectreactor:reactor-bom:Dysprosium-SR7'
 		mavenBom 'org.junit:junit-bom:5.5.2'
-		mavenBom 'org.springframework:spring-framework-bom:5.2.2.RELEASE'
-		mavenBom 'org.springframework.data:spring-data-releasetrain:Moore-SR4'
-		mavenBom 'org.springframework.security:spring-security-bom:5.2.1.RELEASE'
-		mavenBom 'org.testcontainers:testcontainers-bom:1.12.2'
+		mavenBom 'org.springframework:spring-framework-bom:5.2.6.RELEASE'
+		mavenBom 'org.springframework.data:spring-data-releasetrain:Moore-SR7'
+		mavenBom 'org.springframework.security:spring-security-bom:5.2.4.RELEASE'
+		mavenBom 'org.testcontainers:testcontainers-bom:1.12.5'
 	}

 	dependencies {
@@ -20,16 +20,16 @@ dependencyManagement {
 		dependency 'com.oracle.ojdbc:ojdbc8:19.3.0.0'
 		dependency 'com.zaxxer:HikariCP:3.4.1'
 		dependency 'edu.umd.cs.mtc:multithreadedtc:1.01'
-		dependency 'io.lettuce:lettuce-core:5.2.0.RELEASE'
+		dependency 'io.lettuce:lettuce-core:5.2.2.RELEASE'
 		dependency 'javax.annotation:javax.annotation-api:1.3.2'
 		dependency 'javax.servlet:javax.servlet-api:4.0.1'
 		dependency 'junit:junit:4.12'
-		dependency 'mysql:mysql-connector-java:8.0.17'
+		dependency 'mysql:mysql-connector-java:8.0.19'
 		dependency 'org.apache.derby:derby:10.14.2.0'
 		dependency 'org.assertj:assertj-core:3.13.2'
 		dependency 'org.hsqldb:hsqldb:2.5.0'
 		dependency 'org.mariadb.jdbc:mariadb-java-client:2.4.4'
 		dependency 'org.mockito:mockito-core:3.0.0'
-		dependency 'org.postgresql:postgresql:42.2.8'
+		dependency 'org.postgresql:postgresql:42.2.12'
 	}
 }
--- a/spring-session-samples/spring-session-sample-boot-findbyusername/src/integration-test/java/sample/FindByUsernameTests.java
+++ b/spring-session-samples/spring-session-sample-boot-findbyusername/src/integration-test/java/sample/FindByUsernameTests.java
@@ -53,6 +53,8 @@ class FindByUsernameTests {

 	private WebDriver driver;

+	private WebDriver driver2;
+
 	@BeforeEach
 	void setup() {
 		this.driver = MockMvcHtmlUnitDriverBuilder.mockMvcSetup(this.mockMvc).build();
@@ -61,6 +63,9 @@ class FindByUsernameTests {
 	@AfterEach
 	void tearDown() {
 		this.driver.quit();
+		if (this.driver2 != null) {
+			this.driver2.quit();
+		}
 	}

 	@Test
@@ -79,6 +84,25 @@ class FindByUsernameTests {
 		home.terminateButtonDisabled();
 	}

+	@Test
+	void terminateOtherSession() throws Exception {
+		HomePage forgotToLogout = home(this.driver);
+
+		this.driver2 = MockMvcHtmlUnitDriverBuilder.mockMvcSetup(this.mockMvc).build();
+		HomePage terminateFogotSession = home(this.driver2);
+		terminateFogotSession.terminateSession(forgotToLogout.getSessionId()).assertAt();
+
+		LoginPage login = HomePage.go(this.driver);
+		login.assertAt();
+	}
+
+	private static HomePage home(WebDriver driver) {
+		LoginPage login = HomePage.go(driver);
+		HomePage home = login.form().login(HomePage.class);
+		home.assertAt();
+		return home;
+	}
+
 	@TestConfiguration
 	static class Config {

--- a/spring-session-samples/spring-session-sample-boot-findbyusername/src/integration-test/java/sample/pages/HomePage.java
+++ b/spring-session-samples/spring-session-sample-boot-findbyusername/src/integration-test/java/sample/pages/HomePage.java
@@ -56,6 +56,18 @@ public class HomePage extends BasePage {
 	}

 	public void terminateButtonDisabled() {
+		String sessionId = getSessionId();
+		WebElement element = getDriver().findElement(By.id("terminate-" + sessionId));
+		assertThat(element.isEnabled()).isFalse();
+	}
+
+	public HomePage terminateSession(String sessionId) {
+		WebElement terminate = getDriver().findElement(By.id("terminate-" + sessionId));
+		terminate.click();
+		return new HomePage(getDriver());
+	}
+
+	public String getSessionId() {
 		Set<Cookie> cookies = getDriver().manage().getCookies();
 		String cookieValue = null;
 		for (Cookie cookie : cookies) {
@@ -63,8 +75,7 @@ public class HomePage extends BasePage {
 				cookieValue = new String(Base64.getDecoder().decode(cookie.getValue()));
 			}
 		}
-		WebElement element = getDriver().findElement(By.id("terminate-" + cookieValue));
-		assertThat(element.isEnabled()).isFalse();
+		return cookieValue;
 	}

 	public HomePage logout() {
--- a/spring-session-samples/spring-session-sample-boot-findbyusername/src/main/java/sample/mvc/IndexController.java
+++ b/spring-session-samples/spring-session-sample-boot-findbyusername/src/main/java/sample/mvc/IndexController.java
@@ -26,8 +26,8 @@ import org.springframework.session.Session;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.Model;
 import org.springframework.web.bind.annotation.PathVariable;
+import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RequestMethod;

 /**
 * Controller for sending the user to the login view.
@@ -50,7 +50,7 @@ public class IndexController {
 	}
 	// end::findbyusername[]

-	@RequestMapping(value = "/sessions/{sessionIdToDelete}", method = RequestMethod.DELETE)
+	@PostMapping("/sessions/{sessionIdToDelete}")
 	public String removeSession(Principal principal, @PathVariable String sessionIdToDelete) {
 		Set<String> usersSessionIds = this.sessions.findByPrincipalName(principal.getName()).keySet();
 		if (usersSessionIds.contains(sessionIdToDelete)) {
--- a/spring-session-samples/spring-session-sample-boot-findbyusername/src/main/resources/templates/index.html
+++ b/spring-session-samples/spring-session-sample-boot-findbyusername/src/main/resources/templates/index.html
@@ -25,7 +25,7 @@
 				<td th:text="${#temporals.format(sessionElement.lastAccessedTime.atZone(T(java.time.ZoneId).systemDefault()),'dd/MMM/yyyy HH:mm:ss')}"></td>
 				<td th:text="${details?.accessType}"></td>
 				<td>
-					<form th:action="@{'/sessions/' + ${sessionElement.id}}" th:method="delete">
+					<form th:action="@{'/sessions/' + ${sessionElement.id}}" th:method="post">
 						<input th:id="'terminate-' + ${sessionElement.id}" type="submit" value="Terminate" th:disabled="${sessionElement.id == #httpSession.id}"/>
 					</form>
 				</td>
Author	SHA1	Message	Date
Eleftheria Stein	1afb5d5a17	Release 2.2.3.RELEASE	2020-05-12 16:56:14 -04:00
Eleftheria Stein	365a244a9b	Upgrade Spring Security to 5.2.4.RELEASE Resolves gh-1634	2020-05-12 16:30:27 -04:00
Eleftheria Stein	0b4140d892	Upgrade Spring Data to Moore-SR7 Resolves gh-1633	2020-05-12 16:29:48 -04:00
Eleftheria Stein	78a85789c9	Upgrade Spring Framework to 5.2.6.RELEASE Resolves gh-1632	2020-05-12 16:29:24 -04:00
Eleftheria Stein	59350ed559	Upgrade Reactor to Dysprosium-SR7 Resolves: gh-1631	2020-05-12 16:28:45 -04:00
Eleftheria Stein	811e156a9c	Upgrade samples to Spring Boot 2.2.7 Resolves gh-1630	2020-05-12 16:28:08 -04:00
Eleftheria Stein	05a9903348	Upgrade test dependencies	2020-05-12 16:17:13 -04:00
Rob Winch	d8ae336b24	Find by Username Sample switch from DELETE to POST Spring Boot 2.2 no longer adds HiddenHttpMethodFilter by default See https://github.com/spring-projects/spring-boot/wiki/Spring-Boot-2.2-Release-Notes#httphiddenmethodfilter-disabled-by-default This means that trying to map DELETE requests using _method variable does not work. This changes the mapping to use a POST which doesn't require the HiddenHttpMethodFilter which might expose the application to unnecessary security risk by allowing the HTTP method to be overridden. Closes gh-1613	2020-04-13 09:44:15 -05:00
Eleftheria Stein	315112f2a2	Next Development Build	2020-03-04 16:43:52 -05:00
Eleftheria Stein	e859da6d27	Release 2.2.2.RELEASE	2020-03-04 16:03:14 -05:00
Eleftheria Stein	028bae1f11	Upgrade samples to Spring Boot 2.2.5 Resolves #1596	2020-03-04 10:50:54 -05:00
Eleftheria Stein	234cb6dd88	Upgrade Spring Security to 5.2.2.RELEASE Resolves #1595	2020-03-04 10:50:05 -05:00
Eleftheria Stein	43101308ec	Upgrade Spring Data to Moore-SR5 Resolves #1594	2020-03-04 10:49:17 -05:00
Eleftheria Stein	089f6b92de	Upgrade Spring Framework to 5.2.4.RELEASE Resolves #1593	2020-03-04 10:48:41 -05:00
Eleftheria Stein	c6d129a5a5	Upgrade Reactor to Dysprosium-SR5 Resolves #1592	2020-03-04 10:42:02 -05:00