Remove Resource Server's Session Policy Config

Resource Server doesn't need to set the session policy for the application to STATELESS since it can rely on the SessionManagementFilter ignoring token's annotated with @Transient, which a JwtAuthenticationToken is. Fixes: gh-5759
8 years ago · 25d1f49d84
2 changed files with 50 additions and 14 deletions
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurer.java
@ -158,12 +158,6 @@ public final class OAuth2ResourceServerConfigurer<H extends HttpSecurityBuilder<
				@@ -158,12 +158,6 @@ public final class OAuth2ResourceServerConfigurer<H extends HttpSecurityBuilder<
 		return this.jwtConfigurer;
 	}

-	@Override
-	public void setBuilder(H http) {
-		super.setBuilder(http);
-		initSessionCreationPolicy(http);
-	}
-
 	@Override
 	public void init(H http) throws Exception {
 		registerDefaultAccessDeniedHandler(http);
@ -252,12 +246,6 @@ public final class OAuth2ResourceServerConfigurer<H extends HttpSecurityBuilder<
				@@ -252,12 +246,6 @@ public final class OAuth2ResourceServerConfigurer<H extends HttpSecurityBuilder<
 		}
 	}

-	private void initSessionCreationPolicy(H http) {
-		if (http.getSharedObject(SessionCreationPolicy.class) == null) {
-			http.setSharedObject(SessionCreationPolicy.class, SessionCreationPolicy.STATELESS);
-		}
-	}
-
 	private void registerDefaultAccessDeniedHandler(H http) {
 		ExceptionHandlingConfigurer<H> exceptionHandling = http
 				.getConfigurer(ExceptionHandlingConfigurer.class);
--- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurerTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/server/resource/OAuth2ResourceServerConfigurerTests.java
@ -115,6 +115,7 @@ import static org.springframework.test.web.servlet.request.MockMvcRequestBuilder
				@@ -115,6 +115,7 @@ import static org.springframework.test.web.servlet.request.MockMvcRequestBuilder
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.content;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrl;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 import static org.springframework.web.bind.annotation.RequestMethod.GET;
 import static org.springframework.web.bind.annotation.RequestMethod.POST;
@ -525,7 +526,7 @@ public class OAuth2ResourceServerConfigurerTests {
				@@ -525,7 +526,7 @@ public class OAuth2ResourceServerConfigurerTests {
 	}

 	@Test
-	public void requestWhenUsingDefaultsAndNoBearerTokenThenSessionIsNotCreated()
+	public void requestWhenUsingDefaultsAndNoBearerTokenThenSessionIsCreated()
 			throws Exception {

 		this.spring.register(DefaultConfig.class, BasicController.class).autowire();
@ -534,7 +535,7 @@ public class OAuth2ResourceServerConfigurerTests {
				@@ -534,7 +535,7 @@ public class OAuth2ResourceServerConfigurerTests {
 				.andExpect(status().isUnauthorized())
 				.andReturn();

-		assertThat(result.getRequest().getSession(false)).isNull();
+		assertThat(result.getRequest().getSession(false)).isNotNull();
 	}

 	@Test
@ -971,6 +972,32 @@ public class OAuth2ResourceServerConfigurerTests {
				@@ -971,6 +972,32 @@ public class OAuth2ResourceServerConfigurerTests {
 				.andExpect(header().string(HttpHeaders.WWW_AUTHENTICATE, startsWith("Bearer")));
 	}

+	@Test
+	public void requestWhenFormLoginAndResourceServerEntryPointsThenSessionCreatedByRequest()
+			throws Exception {
+
+		this.spring.register(FormAndResourceServerConfig.class, JwtDecoderConfig.class).autowire();
+
+		JwtDecoder decoder = this.spring.getContext().getBean(JwtDecoder.class);
+		when(decoder.decode(anyString())).thenThrow(JwtException.class);
+
+		MvcResult result =
+				this.mvc.perform(get("/authenticated"))
+						.andExpect(status().isFound())
+						.andExpect(redirectedUrl("http://localhost/login"))
+						.andReturn();
+
+		assertThat(result.getRequest().getSession(false)).isNotNull();
+
+		result =
+				this.mvc.perform(get("/authenticated")
+						.with(bearerToken("token")))
+						.andExpect(status().isUnauthorized())
+						.andReturn();
+
+		assertThat(result.getRequest().getSession(false)).isNull();
+	}
+
 	@Test
 	public void requestWhenDefaultAndResourceServerAccessDeniedHandlersThenMatchedByRequest()
 			throws Exception {
@ -1260,6 +1287,27 @@ public class OAuth2ResourceServerConfigurerTests {
				@@ -1260,6 +1287,27 @@ public class OAuth2ResourceServerConfigurerTests {
 		}
 	}

+	@EnableWebSecurity
+	static class FormAndResourceServerConfig extends WebSecurityConfigurerAdapter {
+		@Override
+		protected void configure(HttpSecurity http) throws Exception {
+			// @formatter:off
+			http
+				.authorizeRequests()
+					.anyRequest().authenticated()
+					.and()
+				.formLogin()
+					.and()
+				.oauth2ResourceServer()
+					.jwt();
+		}
+
+		@Bean
+		JwtDecoder jwtDecoder() {
+			return mock(JwtDecoder.class);
+		}
+	}
+
 	@EnableWebSecurity
 	static class JwtHalfConfiguredConfig extends WebSecurityConfigurerAdapter {
 		@Override