diff --git a/config/src/test/java/org/springframework/security/config/HttpSecurityBeanDefinitionParserTests.java b/config/src/test/java/org/springframework/security/config/HttpSecurityBeanDefinitionParserTests.java
index 3fcbb0b4e2..68629a5700 100644
--- a/config/src/test/java/org/springframework/security/config/HttpSecurityBeanDefinitionParserTests.java
+++ b/config/src/test/java/org/springframework/security/config/HttpSecurityBeanDefinitionParserTests.java
@@ -763,8 +763,29 @@ public class HttpSecurityBeanDefinitionParserTests { Object filter = appContext.getBean(BeanIds.SECURITY_CONTEXT_PERSISTENCE_FILTER); assertEquals(Boolean.FALSE, FieldUtils.getFieldValue(filter, "forceEagerSessionCreation")); assertEquals(Boolean.FALSE, FieldUtils.getFieldValue(filter, "repo.allowSessionCreation")); + // Check that an invocation doesn't create a session + FilterChainProxy fcp = (FilterChainProxy) appContext.getBean(BeanIds.FILTER_CHAIN_PROXY); + MockHttpServletRequest request = new MockHttpServletRequest(); + request.setServletPath("/anything"); + fcp.doFilter(request, new MockHttpServletResponse(), new MockFilterChain()); + assertNull(request.getSession(false)); } + @Test + public void settingCreateSessionToIfRequiredDoesntCreateASessionForPublicInvocation() throws Exception { + setContext("" + AUTH_PROVIDER_XML); + Object filter = appContext.getBean(BeanIds.SECURITY_CONTEXT_PERSISTENCE_FILTER); + assertEquals(Boolean.FALSE, FieldUtils.getFieldValue(filter, "forceEagerSessionCreation")); + assertEquals(Boolean.TRUE, FieldUtils.getFieldValue(filter, "repo.allowSessionCreation")); + // Check that an invocation doesn't create a session + FilterChainProxy fcp = (FilterChainProxy) appContext.getBean(BeanIds.FILTER_CHAIN_PROXY); + MockHttpServletRequest request = new MockHttpServletRequest(); + request.setServletPath("/anything"); + fcp.doFilter(request, new MockHttpServletResponse(), new MockFilterChain()); + assertNull(request.getSession(false)); + } + + /* SEC-934 */ @Test public void supportsTwoIdenticalInterceptUrls() {
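Review bot: The six lines that push a request through the `FilterChainProxy` and assert `request.getSession(false)` is null are repeated verbatim in the preceding test and in `settingCreateSessionToIfRequiredDoesntCreateASessionForPublicInvocation`; a private helper along the lines of `assertNoSessionCreatedFor(String servletPath)` would keep the two checks from drifting apart. Both tests pin only the negative case, so the new one differs from its neighbour solely through the reflective `repo.allowSessionCreation` check. A companion assertion that a session does appear once an authenticated context has to be stored would separate the two modes by behaviour rather than by a private field name. As rendered here, the `setContext` argument begins with an empty literal, so the `create-session` attribute under test and any intercept rules making `/anything` public are not visible; presumably the markup was lost in extraction, which is worth confirming against the file. The preceding test's body starts outside the hunk.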