From 6d1e68a069c7c56ce36017dd906dfd923da8fbb6 Mon Sep 17 00:00:00 2001 From: Onur Kagan Ozcan Date: Fri, 23 Aug 2019 19:01:24 +0300 Subject: [PATCH] Introduce LogoutSuccessEvent LogoutSuccessEvent is a simple AbstractAuthenticationEvent implementation which indicates successful logout. By default, LogoutConfigurer will add a new LogoutHandler called LogoutSuccessEventPublishingLogoutHandler to publish this event. This PR will also fix ConcurrentSessionFilter's composite logoutHandler, now will get LogoutHandler instances from LogoutConfigurer for consistency. Fixes gh-2900 --- .../web/configurers/LogoutConfigurer.java | 10 ++- .../SessionManagementConfigurer.java | 24 +++++-- .../http/LogoutBeanDefinitionParser.java | 6 +- .../ServletApiConfigurerTests.java | 62 +++++++++++++++++ .../http/SessionManagementConfigTests.java | 30 +++++++++ .../event/LogoutSuccessEvent.java | 33 +++++++++ ...utSuccessEventPublishingLogoutHandler.java | 52 ++++++++++++++ .../web/session/ConcurrentSessionFilter.java | 14 +++- ...cessEventPublishingLogoutHandlerTests.java | 67 +++++++++++++++++++ .../ConcurrentSessionFilterTests.java | 6 +- 10 files changed, 291 insertions(+), 13 deletions(-) create mode 100644 core/src/main/java/org/springframework/security/authentication/event/LogoutSuccessEvent.java create mode 100644 web/src/main/java/org/springframework/security/web/authentication/logout/LogoutSuccessEventPublishingLogoutHandler.java create mode 100644 web/src/test/java/org/springframework/security/web/authentication/logout/LogoutSuccessEventPublishingLogoutHandlerTests.java diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/LogoutConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/LogoutConfigurer.java index d919bfd71d7..74550c4df91 100644 --- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/LogoutConfigurer.java +++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/LogoutConfigurer.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2018 the original author or authors. + * Copyright 2002-2019 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -29,6 +29,7 @@ import org.springframework.security.web.authentication.logout.DelegatingLogoutSuccessHandler; import org.springframework.security.web.authentication.logout.LogoutFilter; import org.springframework.security.web.authentication.logout.LogoutHandler; +import org.springframework.security.web.authentication.logout.LogoutSuccessEventPublishingLogoutHandler; import org.springframework.security.web.authentication.logout.LogoutSuccessHandler; import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler; import org.springframework.security.web.authentication.logout.SimpleUrlLogoutSuccessHandler; @@ -60,6 +61,7 @@ * No shared objects are used. * * @author Rob Winch + * @author Onur Kagan Ozcan * @since 3.2 * @see RememberMeConfigurer */ @@ -85,8 +87,9 @@ public LogoutConfigurer() { } /** - * Adds a {@link LogoutHandler}. The {@link SecurityContextLogoutHandler} is added as - * the last {@link LogoutHandler} by default. + * Adds a {@link LogoutHandler}. + * {@link SecurityContextLogoutHandler} and {@link LogoutSuccessEventPublishingLogoutHandler} are added as + * last {@link LogoutHandler} instances by default. * * @param logoutHandler the {@link LogoutHandler} to add * @return the {@link LogoutConfigurer} for further customization @@ -329,6 +332,7 @@ List getLogoutHandlers() { */ private LogoutFilter createLogoutFilter(H http) throws Exception { logoutHandlers.add(contextLogoutHandler); + logoutHandlers.add(postProcess(new LogoutSuccessEventPublishingLogoutHandler())); LogoutHandler[] handlers = logoutHandlers .toArray(new LogoutHandler[0]); LogoutFilter result = new LogoutFilter(getLogoutSuccessHandler(), handlers); diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurer.java index fd4cf8db406..0daa0cae3d0 100644 --- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurer.java +++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurer.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2018 the original author or authors. + * Copyright 2002-2019 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -35,6 +35,7 @@ import org.springframework.security.core.session.SessionRegistryImpl; import org.springframework.security.web.authentication.AuthenticationFailureHandler; import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler; +import org.springframework.security.web.authentication.logout.LogoutHandler; import org.springframework.security.web.authentication.session.ChangeSessionIdAuthenticationStrategy; import org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy; import org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy; @@ -54,6 +55,7 @@ import org.springframework.security.web.session.SimpleRedirectInvalidSessionStrategy; import org.springframework.security.web.session.SimpleRedirectSessionInformationExpiredStrategy; import org.springframework.util.Assert; +import org.springframework.util.CollectionUtils; /** * Allows configuring session management. @@ -88,6 +90,7 @@ * * * @author Rob Winch + * @author Onur Kagan Ozcan * @since 3.2 * @see SessionManagementFilter * @see ConcurrentSessionFilter @@ -505,21 +508,30 @@ public void configure(H http) throws Exception { http.addFilter(sessionManagementFilter); if (isConcurrentSessionControlEnabled()) { - ConcurrentSessionFilter concurrentSessionFilter = createConccurencyFilter(http); + ConcurrentSessionFilter concurrentSessionFilter = createConcurrencyFilter(http); concurrentSessionFilter = postProcess(concurrentSessionFilter); http.addFilter(concurrentSessionFilter); } } - private ConcurrentSessionFilter createConccurencyFilter(H http) { + private ConcurrentSessionFilter createConcurrencyFilter(H http) { SessionInformationExpiredStrategy expireStrategy = getExpiredSessionStrategy(); SessionRegistry sessionRegistry = getSessionRegistry(http); + ConcurrentSessionFilter concurrentSessionFilter; if (expireStrategy == null) { - return new ConcurrentSessionFilter(sessionRegistry); + concurrentSessionFilter = new ConcurrentSessionFilter(sessionRegistry); + } else { + concurrentSessionFilter = new ConcurrentSessionFilter(sessionRegistry, expireStrategy); + } + LogoutConfigurer logoutConfigurer = http.getConfigurer(LogoutConfigurer.class); + if (logoutConfigurer != null) { + List logoutHandlers = logoutConfigurer.getLogoutHandlers(); + if (!CollectionUtils.isEmpty(logoutHandlers)) { + concurrentSessionFilter.setLogoutHandlers(logoutHandlers); + } } - - return new ConcurrentSessionFilter(sessionRegistry, expireStrategy); + return concurrentSessionFilter; } /** diff --git a/config/src/main/java/org/springframework/security/config/http/LogoutBeanDefinitionParser.java b/config/src/main/java/org/springframework/security/config/http/LogoutBeanDefinitionParser.java index f694d6f3614..8b8c4f8b6c6 100644 --- a/config/src/main/java/org/springframework/security/config/http/LogoutBeanDefinitionParser.java +++ b/config/src/main/java/org/springframework/security/config/http/LogoutBeanDefinitionParser.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2012 the original author or authors. + * Copyright 2002-2019 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -25,6 +25,7 @@ import org.springframework.beans.factory.xml.ParserContext; import org.springframework.security.web.authentication.logout.CookieClearingLogoutHandler; import org.springframework.security.web.authentication.logout.LogoutFilter; +import org.springframework.security.web.authentication.logout.LogoutSuccessEventPublishingLogoutHandler; import org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler; import org.springframework.util.StringUtils; import org.w3c.dom.Element; @@ -32,6 +33,7 @@ /** * @author Luke Taylor * @author Ben Alex + * @author Onur Kagan Ozcan */ class LogoutBeanDefinitionParser implements BeanDefinitionParser { static final String ATT_LOGOUT_SUCCESS_URL = "logout-success-url"; @@ -120,6 +122,8 @@ public BeanDefinition parse(Element element, ParserContext pc) { logoutHandlers.add(cookieDeleter); } + logoutHandlers.add(new RootBeanDefinition(LogoutSuccessEventPublishingLogoutHandler.class)); + builder.addConstructorArgValue(logoutHandlers); return builder.getBeanDefinition(); diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/ServletApiConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/ServletApiConfigurerTests.java index b390d004933..5189670f607 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/ServletApiConfigurerTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/ServletApiConfigurerTests.java @@ -16,6 +16,8 @@ package org.springframework.security.config.annotation.web.configurers; +import java.util.List; + import org.junit.Rule; import org.junit.Test; import org.springframework.beans.factory.annotation.Autowired; @@ -33,12 +35,19 @@ import org.springframework.security.core.AuthenticationException; import org.springframework.security.core.authority.AuthorityUtils; import org.springframework.security.core.userdetails.PasswordEncodedUser; +import org.springframework.security.util.FieldUtils; import org.springframework.security.web.AuthenticationEntryPoint; +import org.springframework.security.web.FilterChainProxy; +import org.springframework.security.web.authentication.logout.CompositeLogoutHandler; +import org.springframework.security.web.authentication.logout.LogoutFilter; +import org.springframework.security.web.authentication.logout.LogoutHandler; +import org.springframework.security.web.authentication.logout.LogoutSuccessEventPublishingLogoutHandler; import org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter; import org.springframework.test.web.servlet.MockMvc; import org.springframework.web.bind.annotation.GetMapping; import org.springframework.web.bind.annotation.RestController; +import javax.servlet.Filter; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; @@ -59,6 +68,7 @@ * * @author Rob Winch * @author Eleftheria Stein + * @author Onur Kagan Ozcan */ public class ServletApiConfigurerTests { @Rule @@ -287,4 +297,56 @@ public void admin(HttpServletRequest request) { } } } + + @Test + public void checkSecurityContextAwareAndLogoutFilterHasSameSizeAndHasLogoutSuccessEventPublishingLogoutHandler() { + this.spring.register(ServletApiWithLogoutConfig.class); + + SecurityContextHolderAwareRequestFilter scaFilter = getFilter(SecurityContextHolderAwareRequestFilter.class); + LogoutFilter logoutFilter = getFilter(LogoutFilter.class); + + LogoutHandler lfLogoutHandler = getFieldValue(logoutFilter, "handler"); + assertThat(lfLogoutHandler).isInstanceOf(CompositeLogoutHandler.class); + + List scaLogoutHandlers = getFieldValue(scaFilter, "logoutHandlers"); + List lfLogoutHandlers = getFieldValue(lfLogoutHandler, "logoutHandlers"); + + assertThat(scaLogoutHandlers).hasSameSizeAs(lfLogoutHandlers); + + assertThat(scaLogoutHandlers).hasAtLeastOneElementOfType(LogoutSuccessEventPublishingLogoutHandler.class); + assertThat(lfLogoutHandlers).hasAtLeastOneElementOfType(LogoutSuccessEventPublishingLogoutHandler.class); + } + + @EnableWebSecurity + static class ServletApiWithLogoutConfig extends WebSecurityConfigurerAdapter { + @Override + protected void configure(HttpSecurity http) throws Exception { + // @formatter:off + http + .servletApi().and() + .logout(); + // @formatter:on + } + } + + private T getFilter(Class filterClass) { + return (T) getFilters().stream() + .filter(filterClass::isInstance) + .findFirst() + .orElse(null); + } + + private List getFilters() { + FilterChainProxy proxy = this.spring.getContext().getBean(FilterChainProxy.class); + return proxy.getFilters("/"); + } + + private T getFieldValue(Object target, String fieldName) { + try { + return (T) FieldUtils.getFieldValue(target, fieldName); + } catch (Exception e) { + throw new RuntimeException(e); + } + } + } diff --git a/config/src/test/java/org/springframework/security/config/http/SessionManagementConfigTests.java b/config/src/test/java/org/springframework/security/config/http/SessionManagementConfigTests.java index 0adc2d66d94..141ac51b75e 100644 --- a/config/src/test/java/org/springframework/security/config/http/SessionManagementConfigTests.java +++ b/config/src/test/java/org/springframework/security/config/http/SessionManagementConfigTests.java @@ -41,7 +41,10 @@ import org.springframework.security.web.FilterChainProxy; import org.springframework.security.web.authentication.RememberMeServices; import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter; +import org.springframework.security.web.authentication.logout.CompositeLogoutHandler; +import org.springframework.security.web.authentication.logout.LogoutFilter; import org.springframework.security.web.authentication.logout.LogoutHandler; +import org.springframework.security.web.authentication.logout.LogoutSuccessEventPublishingLogoutHandler; import org.springframework.security.web.authentication.session.SessionAuthenticationException; import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy; import org.springframework.security.web.session.ConcurrentSessionFilter; @@ -71,6 +74,7 @@ * @author Luke Taylor * @author Rob Winch * @author Josh Cummings + * @author Onur Kagan Ozcan */ public class SessionManagementConfigTests { private static final String CONFIG_LOCATION_PREFIX = @@ -455,6 +459,32 @@ public void requestWhenSessionFixationProtectionIsNoneAndInvalidSessionUrlIsSetT .andExpect(redirectedUrl("/timeoutUrl")); } + /** + * SEC-2680 + */ + @Test + public void checkConcurrencyAndLogoutFilterHasSameSizeAndHasLogoutSuccessEventPublishingLogoutHandler() { + + this.spring.configLocations(this.xml("ConcurrencyControlLogoutAndRememberMeHandlers")).autowire(); + + ConcurrentSessionFilter concurrentSessionFilter = getFilter(ConcurrentSessionFilter.class); + LogoutFilter logoutFilter = getFilter(LogoutFilter.class); + + LogoutHandler csfLogoutHandler = getFieldValue(concurrentSessionFilter, "handlers"); + LogoutHandler lfLogoutHandler = getFieldValue(logoutFilter, "handler"); + + assertThat(csfLogoutHandler).isInstanceOf(CompositeLogoutHandler.class); + assertThat(lfLogoutHandler).isInstanceOf(CompositeLogoutHandler.class); + + List csfLogoutHandlers = getFieldValue(csfLogoutHandler, "logoutHandlers"); + List lfLogoutHandlers = getFieldValue(lfLogoutHandler, "logoutHandlers"); + + assertThat(csfLogoutHandlers).hasSameSizeAs(lfLogoutHandlers); + + assertThat(csfLogoutHandlers).hasAtLeastOneElementOfType(LogoutSuccessEventPublishingLogoutHandler.class); + assertThat(lfLogoutHandlers).hasAtLeastOneElementOfType(LogoutSuccessEventPublishingLogoutHandler.class); + } + static class TeapotSessionAuthenticationStrategy implements SessionAuthenticationStrategy { @Override diff --git a/core/src/main/java/org/springframework/security/authentication/event/LogoutSuccessEvent.java b/core/src/main/java/org/springframework/security/authentication/event/LogoutSuccessEvent.java new file mode 100644 index 00000000000..094d0a332d7 --- /dev/null +++ b/core/src/main/java/org/springframework/security/authentication/event/LogoutSuccessEvent.java @@ -0,0 +1,33 @@ +/* + * Copyright 2002-2019 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.authentication.event; + +import org.springframework.security.core.Authentication; + +/** + * Application event which indicates successful logout + * + * @author Onur Kagan Ozcan + * @since 5.2.0 + */ +public class LogoutSuccessEvent extends AbstractAuthenticationEvent { + + public LogoutSuccessEvent(Authentication authentication) { + super(authentication); + } + +} diff --git a/web/src/main/java/org/springframework/security/web/authentication/logout/LogoutSuccessEventPublishingLogoutHandler.java b/web/src/main/java/org/springframework/security/web/authentication/logout/LogoutSuccessEventPublishingLogoutHandler.java new file mode 100644 index 00000000000..b43e4c4dea9 --- /dev/null +++ b/web/src/main/java/org/springframework/security/web/authentication/logout/LogoutSuccessEventPublishingLogoutHandler.java @@ -0,0 +1,52 @@ +/* + * Copyright 2002-2019 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.web.authentication.logout; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import org.springframework.context.ApplicationEventPublisher; +import org.springframework.context.ApplicationEventPublisherAware; +import org.springframework.security.authentication.event.LogoutSuccessEvent; +import org.springframework.security.core.Authentication; + +/** + * A logout handler which publishes {@link LogoutSuccessEvent} + * + * @author Onur Kagan Ozcan + * @since 5.2.0 + */ +public final class LogoutSuccessEventPublishingLogoutHandler implements LogoutHandler, ApplicationEventPublisherAware { + + private ApplicationEventPublisher eventPublisher; + + @Override + public void logout(HttpServletRequest request, HttpServletResponse response, Authentication authentication) { + if (eventPublisher == null) { + return; + } + if (authentication == null) { + return; + } + eventPublisher.publishEvent(new LogoutSuccessEvent(authentication)); + } + + @Override + public void setApplicationEventPublisher(ApplicationEventPublisher applicationEventPublisher) { + this.eventPublisher = applicationEventPublisher; + } + +} diff --git a/web/src/main/java/org/springframework/security/web/session/ConcurrentSessionFilter.java b/web/src/main/java/org/springframework/security/web/session/ConcurrentSessionFilter.java index 6228203c41b..f8286541e09 100644 --- a/web/src/main/java/org/springframework/security/web/session/ConcurrentSessionFilter.java +++ b/web/src/main/java/org/springframework/security/web/session/ConcurrentSessionFilter.java @@ -1,5 +1,5 @@ /* - * Copyright 2004, 2005, 2006 Acegi Technology Pty Limited + * Copyright 2002-2019 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -18,6 +18,7 @@ import java.io.IOException; +import java.util.List; import javax.servlet.FilterChain; import javax.servlet.ServletException; import javax.servlet.ServletRequest; @@ -61,6 +62,7 @@ * @author Ben Alex * @author EddĂș MelĂ©ndez * @author Marten Deinum + * @author Onur Kagan Ozcan */ public class ConcurrentSessionFilter extends GenericFilterBean { @@ -173,6 +175,16 @@ public void setLogoutHandlers(LogoutHandler[] handlers) { this.handlers = new CompositeLogoutHandler(handlers); } + /** + * Set list of {@link LogoutHandler} + * + * @param handlers list of {@link LogoutHandler} + * @since 5.2.0 + */ + public void setLogoutHandlers(List handlers) { + this.handlers = new CompositeLogoutHandler(handlers); + } + /** * Sets the {@link RedirectStrategy} used with {@link #ConcurrentSessionFilter(SessionRegistry, String)} * @param redirectStrategy the {@link RedirectStrategy} to use diff --git a/web/src/test/java/org/springframework/security/web/authentication/logout/LogoutSuccessEventPublishingLogoutHandlerTests.java b/web/src/test/java/org/springframework/security/web/authentication/logout/LogoutSuccessEventPublishingLogoutHandlerTests.java new file mode 100644 index 00000000000..c6dcc45f848 --- /dev/null +++ b/web/src/test/java/org/springframework/security/web/authentication/logout/LogoutSuccessEventPublishingLogoutHandlerTests.java @@ -0,0 +1,67 @@ +/* + * Copyright 2002-2019 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.web.authentication.logout; + +import org.junit.Test; +import org.springframework.context.ApplicationEventPublisher; +import org.springframework.mock.web.MockHttpServletRequest; +import org.springframework.mock.web.MockHttpServletResponse; +import org.springframework.security.authentication.event.LogoutSuccessEvent; +import org.springframework.security.core.Authentication; + +import static org.assertj.core.api.Assertions.assertThat; +import static org.mockito.Mockito.mock; + +/** + * @author Onur Kagan Ozcan + */ +public class LogoutSuccessEventPublishingLogoutHandlerTests { + + @Test + public void shouldPublishEvent() { + LogoutSuccessEventPublishingLogoutHandler handler = new LogoutSuccessEventPublishingLogoutHandler(); + LogoutAwareEventPublisher eventPublisher = new LogoutAwareEventPublisher(); + handler.setApplicationEventPublisher(eventPublisher); + + handler.logout(new MockHttpServletRequest(), new MockHttpServletResponse(), mock(Authentication.class)); + + assertThat(eventPublisher.flag).isTrue(); + } + + @Test + public void shouldNotPublishEventWhenAuthenticationIsNull() { + LogoutSuccessEventPublishingLogoutHandler handler = new LogoutSuccessEventPublishingLogoutHandler(); + LogoutAwareEventPublisher eventPublisher = new LogoutAwareEventPublisher(); + handler.setApplicationEventPublisher(eventPublisher); + + handler.logout(new MockHttpServletRequest(), new MockHttpServletResponse(), null); + + assertThat(eventPublisher.flag).isFalse(); + } + + private static class LogoutAwareEventPublisher implements ApplicationEventPublisher { + + Boolean flag = false; + + @Override + public void publishEvent(Object event) { + if (LogoutSuccessEvent.class.isAssignableFrom(event.getClass())) { + flag = true; + } + } + } +} diff --git a/web/src/test/java/org/springframework/security/web/concurrent/ConcurrentSessionFilterTests.java b/web/src/test/java/org/springframework/security/web/concurrent/ConcurrentSessionFilterTests.java index 229b491ea0d..dd6f7c239aa 100644 --- a/web/src/test/java/org/springframework/security/web/concurrent/ConcurrentSessionFilterTests.java +++ b/web/src/test/java/org/springframework/security/web/concurrent/ConcurrentSessionFilterTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2004, 2005, 2006 Acegi Technology Pty Limited + * Copyright 2002-2019 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -17,6 +17,7 @@ package org.springframework.security.web.concurrent; import java.util.Date; +import java.util.List; import javax.servlet.FilterChain; import javax.servlet.http.HttpServletRequest; @@ -53,6 +54,7 @@ * * @author Ben Alex * @author Luke Taylor + * @author Onur Kagan Ozcan */ public class ConcurrentSessionFilterTests { @@ -315,7 +317,7 @@ public void doFilterWhenCustomLogoutHandlersThenHandlersUsed() throws Exception public void setLogoutHandlersWhenNullThenThrowsException() { ConcurrentSessionFilter filter = new ConcurrentSessionFilter(new SessionRegistryImpl()); - filter.setLogoutHandlers(null); + filter.setLogoutHandlers((List) null); } @Test(expected = IllegalArgumentException.class)