/**
 * Creates a fresh registry before every test and registers two mocked sessions with it:
 * one whose {@code SPRING_SECURITY_CONTEXT} attribute returns a mocked
 * {@code SecurityContext}, and one for which only {@code getId()} is stubbed.
 */
@BeforeMethod
public void setUpBeforeMethod() {
    securityContextRegistry = new SecurityContextRegistryImpl();

    // Session that carries a security context.
    httpSessionWithSecurityContextId = "sessionWithSecurityContext";
    httpSessionWithSecurityContext = mock(HttpSession.class);
    when(httpSessionWithSecurityContext.getId()).thenReturn(httpSessionWithSecurityContextId);
    securityContext = mock(SecurityContext.class);
    when(httpSessionWithSecurityContext.getAttribute("SPRING_SECURITY_CONTEXT"))
            .thenReturn(securityContext);
    securityContextRegistry.handleHttpSessionCreatedEvent(
            new HttpSessionCreatedEvent(httpSessionWithSecurityContext));

    // Session without a security context: no attribute is stubbed on this mock.
    httpSessionWithoutSecurityContextId = "sessionWithoutSecurityContext";
    HttpSession plainSession = mock(HttpSession.class);
    when(plainSession.getId()).thenReturn(httpSessionWithoutSecurityContextId);
    securityContextRegistry.handleHttpSessionCreatedEvent(
            new HttpSessionCreatedEvent(plainSession));
}
/**
 * Applies the configured inactivity timeout to every newly created HTTP session.
 *
 * @param event the session-created event carrying the new session
 */
@Override
public void onApplicationEvent(HttpSessionCreatedEvent event) {
    // The setting is held in minutes; setMaxInactiveInterval takes seconds.
    final int timeoutSeconds = sessionTimeoutInMins * 60;

    // NOTE(review): in the Servlet API a zero or negative interval means the session never
    // times out, so a sessionTimeoutInMins of 0 or less disables idle expiry here.
    // Confirm the value is validated where it is configured.
    event.getSession().setMaxInactiveInterval(timeoutSeconds);

    logger.debug("Session Timeout is set as " + timeoutSeconds + " Seconds");
}
/**
 * Creates the session through the superclass and then brings the Spring session registry
 * in line with it: the entry stored under the original session id is removed, and a
 * {@code HttpSessionCreatedEvent} is published if the new session id is not registered yet.
 *
 * @param requestWrapper    passed through to the superclass
 * @param create            passed through to the superclass
 * @param existingSessionId passed through to the superclass
 * @return the session returned by the superclass, which may be {@code null}
 */
@Override
protected HazelcastHttpSession createNewSession(HazelcastRequestWrapper requestWrapper,
                                                boolean create,
                                                String existingSessionId) {
    HazelcastHttpSession created = super.createNewSession(requestWrapper, create, existingSessionId);

    ApplicationContext springContext =
            WebApplicationContextUtils.getWebApplicationContext(servletContext);
    if (springContext == null) {
        // Without a Spring web application context there is no registry to update.
        return created;
    }

    ensureSessionRegistryInitialized(springContext);
    if (sessionRegistry == null || created == null) {
        return created;
    }

    // An entry registered under the original session id is no longer needed, so drop it.
    sessionRegistry.removeSessionInformation(created.getOriginalSessionId());

    if (isSessionRegistered(created.getId())) {
        return created;
    }

    /*
     * Publish an event to notify the
     * org.springframework.security.core.session.SessionRegistry instance, so that Spring
     * knows about the Hazelcast session.
     *
     * If the session already exists (possibly added to the registry by an
     * org.springframework.security.web.session.HttpSessionEventPublisher that is defined
     * in web.xml before com.hazelcast.web.SessionListener), it will just be updated.
     */
    springContext.publishEvent(new HttpSessionCreatedEvent(created));

    // NOTE(review): the raw session id is written to the log here. A session id works as a
    // bearer credential, so confirm who can read FINEST output or log a derived value.
    LOGGER.finest("Published create session event for Spring for session with id " + created.getId());

    return created;
}
/**
 * Counts created sessions and prints the running total, the creation date and the session
 * object to standard output.
 *
 * @param httpSessionCreatedEvent the event describing the newly created session
 */
@Override
public void onApplicationEvent(HttpSessionCreatedEvent httpSessionCreatedEvent) {
    // NOTE(review): counter is declared outside this view. If it is a plain numeric field,
    // this increment is not atomic and concurrent session creation can lose updates.
    counter++;
    System.out.println("Total sessions created " + counter);

    Date createdAt = new Date(httpSessionCreatedEvent.getTimestamp());
    // A new formatter per call avoids sharing a SimpleDateFormat, which is not thread-safe.
    String createdDay = new SimpleDateFormat("yyyy-MM-dd").format(createdAt);

    // NOTE(review): this prints the session's toString() to stdout. Depending on the
    // container that text may include the session id, so confirm it is acceptable in
    // console output.
    System.out.println("Session created at " + createdDay
            + " and session is " + httpSessionCreatedEvent.getSession());
}
/**
 * A session whose {@code SPRING_SECURITY_CONTEXT} attribute holds a {@code String} instead of
 * a {@code SecurityContext} must make the registry fail with a {@code RuntimeException}
 * carrying the expected message, rather than hand back the wrong-typed value.
 */
@Test(expectedExceptions = RuntimeException.class, expectedExceptionsMessageRegExp = "Session attribute 'SPRING_SECURITY_CONTEXT' is of type 'String' instead of 'SecurityContext'")
public void testGetSecurityContextFromSessionUnexpectedValue() {
    final String sessionId = "corruptSessionId";

    HttpSession sessionWithBadAttribute = mock(HttpSession.class);
    when(sessionWithBadAttribute.getId()).thenReturn(sessionId);
    // The attribute is present but has the wrong type.
    when(sessionWithBadAttribute.getAttribute("SPRING_SECURITY_CONTEXT"))
            .thenReturn("corruptSecurityContext");

    securityContextRegistry.handleHttpSessionCreatedEvent(
            new HttpSessionCreatedEvent(sessionWithBadAttribute));

    // The test passes only if a RuntimeException with the expected message is thrown.
    assertNull(securityContextRegistry.getSecurityContext(sessionId));
}
/**
 * When reading {@code SPRING_SECURITY_CONTEXT} from a registered session throws
 * {@code IllegalStateException}, the registry must return {@code null} for that session id.
 */
@Test
public void testGetSecurityContextInvalidatedSession() {
    final String sessionId = "invalidSessionId";

    HttpSession invalidatedSession = mock(HttpSession.class);
    when(invalidatedSession.getId()).thenReturn(sessionId);
    // Any read of the security-context attribute throws on this mock.
    doThrow(IllegalStateException.class)
            .when(invalidatedSession)
            .getAttribute("SPRING_SECURITY_CONTEXT");

    securityContextRegistry.handleHttpSessionCreatedEvent(
            new HttpSessionCreatedEvent(invalidatedSession));

    assertNull(securityContextRegistry.getSecurityContext(sessionId));
}
/**
 * Receives session-created events and takes no action.
 *
 * @param httpSessionCreatedEvent the event describing the newly created session; unused
 */
@Override
public void onApplicationEvent(HttpSessionCreatedEvent httpSessionCreatedEvent) {
    // Nothing is done when a session is created.
}
/**
 * Logs the id of every newly created HTTP session at INFO level.
 *
 * @param event the session-created event carrying the new session
 */
@Override
public void onApplicationEvent(final HttpSessionCreatedEvent event) {
    final String sessionId = event.getSession().getId();

    // NOTE(review): a session id works as a bearer credential, and INFO is normally enabled
    // in production. Anyone who can read these logs could reuse a live id. Consider logging
    // a truncated or hashed form, and confirm log access is restricted.
    LOGGER.info(LOG_MSG_SESSION_CREATED_SESSION_ID, sessionId);
}
/**
 * Records a newly created HTTP session in {@code httpSessionMap}, keyed by its session id.
 *
 * @param httpSessionCreatedEvent the event carrying the session to register
 */
@EventListener
public void handleHttpSessionCreatedEvent(HttpSessionCreatedEvent httpSessionCreatedEvent) {
    final HttpSession createdSession = httpSessionCreatedEvent.getSession();
    final String sessionId = createdSession.getId();

    // NOTE(review): this method only adds entries. Confirm a matching session-destroyed
    // handler removes them, otherwise invalidated sessions and their attributes stay
    // reachable through the map.
    httpSessionMap.put(sessionId, createdSession);
}