fix: getSession(false) returns null after session invalidation (#115) #116
Open
Artur- wants to merge 2 commits into
MockRequest.getSession(false) returned the stale, invalidated session
instead of null once the session had been invalidated, violating the
servlet container contract. This broke logout: Spring Security's
SecurityContextLogoutHandler invalidates the HttpSession and then calls
HttpSessionSecurityContextRepository.saveContext, which looks up
request.getSession(false). In a real container that returns null and the
empty-context save is a no-op, but the mock handed back the invalidated
MockHttpSession, so removing the security-context attribute threw
IllegalStateException("invalidated").

Honour the servlet contract: once invalidated, getSession(false) returns
null and getSession(true) creates a fresh session. Add LogoutTest
covering the issue #115 sequence plus the logout->redirect-to-login and
logout->new-login flows, and update MockRequestTest to assert the
corrected behaviour.
/format
Fixes #115
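The session contract the description relies on, as an added example that is not part of the pull request or the project's code. DemoSession and DemoRequest are hypothetical stand-ins for the mock classes, and the attribute name is a constructed placeholder; the logout sequence is run against a request that hands back the stale session and against one that honours the contract.

```java
import java.util.HashMap;
import java.util.Map;

// Added illustration: DemoSession/DemoRequest are hypothetical stand-ins,
// not the project's MockRequest/MockHttpSession or the servlet API types.
public class SessionContractDemo {
    static class DemoSession {
        private final Map<String, Object> attrs = new HashMap<>();
        private boolean valid = true;
        void invalidate() { valid = false; attrs.clear(); }
        boolean isValid() { return valid; }
        void removeAttribute(String name) {
            // Same failure mode the description reports for an invalidated session.
            if (!valid) throw new IllegalStateException("invalidated");
            attrs.remove(name);
        }
    }

    static class DemoRequest {
        private final boolean honourContract;
        private DemoSession session = new DemoSession();
        DemoRequest(boolean honourContract) { this.honourContract = honourContract; }
        DemoSession getSession(boolean create) {
            // Contract: an invalidated session is never handed back.
            if (honourContract && session != null && !session.isValid()) session = null;
            if (session == null && create) session = new DemoSession();
            return session;
        }
    }

    // Logout sequence from the description: invalidate, then look up getSession(false).
    static String logout(DemoRequest request) {
        request.getSession(false).invalidate();
        DemoSession s = request.getSession(false);
        if (s == null) return "no-op"; // container behaviour: nothing left to clean up
        try {
            s.removeAttribute("demo.securityContext"); // constructed placeholder name
            return "removed";
        } catch (IllegalStateException e) {
            return "IllegalStateException: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        System.out.println("stale session returned: " + logout(new DemoRequest(false)));
        System.out.println("contract honoured:      " + logout(new DemoRequest(true)));
        DemoRequest r = new DemoRequest(true);
        DemoSession old = r.getSession(false);
        old.invalidate();
        System.out.println("fresh session created:  " + (r.getSession(true) != old));
    }
}
```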