Address SessionLimitStrategy

claudenirmachado · claudenirmachado · commit 010496c5667e · 2024-12-06T14:38:52.000Z
Closes gh-16206
diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurer.java
@@ -126,8 +126,6 @@ public final class SessionManagementConfigurer<H extends HttpSecurityBuilder<H>>
 
 	private SessionRegistry sessionRegistry;
 
-	private Integer maximumSessions;
-
 	private String expiredUrl;
 
 	private boolean maxSessionsPreventsLogin;
@@ -332,7 +330,7 @@ public SessionManagementConfigurer<H> sessionFixation(
 	 * @return the {@link SessionManagementConfigurer} for further customizations
 	 */
 	public ConcurrencyControlConfigurer maximumSessions(int maximumSessions) {
-		this.maximumSessions = maximumSessions;
+		this.sessionLimitStrategy = SessionLimitStrategy.of(maximumSessions);
 		this.propertiesThatRequireImplicitAuthentication.add("maximumSessions = " + maximumSessions);
 		return new ConcurrencyControlConfigurer();
 	}
@@ -573,9 +571,8 @@ private SessionAuthenticationStrategy getSessionAuthenticationStrategy(H http) {
 			SessionRegistry sessionRegistry = getSessionRegistry(http);
 			ConcurrentSessionControlAuthenticationStrategy concurrentSessionControlStrategy = new ConcurrentSessionControlAuthenticationStrategy(
 					sessionRegistry);
-			SessionLimitStrategy sessionLimitStrategyValue = getSessionLimitStrategy();
-			if (sessionLimitStrategyValue != null) {
-				concurrentSessionControlStrategy.setSessionLimitStrategy(sessionLimitStrategyValue);
+			if (this.sessionLimitStrategy != null) {
+				concurrentSessionControlStrategy.setMaximumSessions(this.sessionLimitStrategy);
 			}
 			concurrentSessionControlStrategy.setExceptionIfMaximumExceeded(this.maxSessionsPreventsLogin);
 			concurrentSessionControlStrategy = postProcess(concurrentSessionControlStrategy);
@@ -594,17 +591,6 @@ private SessionAuthenticationStrategy getSessionAuthenticationStrategy(H http) {
 		return this.sessionAuthenticationStrategy;
 	}
 
-	private SessionLimitStrategy getSessionLimitStrategy() {
-		if (this.sessionLimitStrategy != null) {
-			return this.sessionLimitStrategy;
-		}
-		if (this.maximumSessions == null) {
-			return null;
-		}
-		this.sessionLimitStrategy = SessionLimitStrategy.of(this.maximumSessions);
-		return this.sessionLimitStrategy;
-	}
-
 	private SessionRegistry getSessionRegistry(H http) {
 		if (this.sessionRegistry == null) {
 			this.sessionRegistry = getBeanOrNull(SessionRegistry.class);
@@ -631,7 +617,7 @@ private void registerDelegateApplicationListener(H http, ApplicationListener<?>
 	 * @return
 	 */
 	private boolean isConcurrentSessionControlEnabled() {
-		return this.maximumSessions != null || this.sessionLimitStrategy != null;
+		return this.sessionLimitStrategy != null;
 	}
 
 	/**
@@ -723,7 +709,7 @@ private ConcurrencyControlConfigurer() {
 		 * @return the {@link ConcurrencyControlConfigurer} for further customizations
 		 */
 		public ConcurrencyControlConfigurer maximumSessions(int maximumSessions) {
-			SessionManagementConfigurer.this.maximumSessions = maximumSessions;
+			SessionManagementConfigurer.this.sessionLimitStrategy = SessionLimitStrategy.of(maximumSessions);
 			return this;
 		}
 
diff --git a/config/src/main/java/org/springframework/security/config/http/HttpConfigurationBuilder.java b/config/src/main/java/org/springframework/security/config/http/HttpConfigurationBuilder.java
@@ -122,7 +122,7 @@ class HttpConfigurationBuilder {
 
 	private static final String ATT_SESSION_AUTH_STRATEGY_REF = "session-authentication-strategy-ref";
 
-	private static final String ATT_SESSION_LIMIT_STRATEGY_REF = "session-limit-strategy-ref";
+	private static final String ATT_MAX_SESSIONS_REF = "max-sessions-ref";
 
 	private static final String ATT_MAX_SESSIONS = "max-sessions";
 
@@ -495,7 +495,7 @@ else if (StringUtils.hasText(sessionAuthStratRef)) {
 			}
 			String sessionLimitStrategyRef = this.pc.getReaderContext()
 				.getEnvironment()
-				.resolvePlaceholders(sessionCtrlElt.getAttribute(ATT_SESSION_LIMIT_STRATEGY_REF));
+				.resolvePlaceholders(sessionCtrlElt.getAttribute(ATT_MAX_SESSIONS_REF));
 			if (StringUtils.hasText(sessionLimitStrategyRef)) {
 				concurrentSessionStrategy.addPropertyReference("sessionLimitStrategy", sessionLimitStrategyRef);
 			}
@@ -602,11 +602,10 @@ private void createConcurrencyControlFilterAndSessionRegistry(Element element) {
 						source);
 		}
 		String maxSessions = element.getAttribute(ATT_MAX_SESSIONS);
-		String sessionLimitStrategyRef = element.getAttribute(ATT_SESSION_LIMIT_STRATEGY_REF);
-		if (StringUtils.hasText(maxSessions) && StringUtils.hasText(sessionLimitStrategyRef)) {
+		String maxSessionsRef = element.getAttribute(ATT_MAX_SESSIONS_REF);
+		if (StringUtils.hasText(maxSessions) && StringUtils.hasText(maxSessionsRef)) {
 			this.pc.getReaderContext()
-				.error("Cannot use 'max-sessions' attribute and 'session-limit-strategy-ref' attribute together.",
-						source);
+				.error("Cannot use 'max-sessions' attribute and 'max-sessions-ref' attribute together.", source);
 		}
 		if (StringUtils.hasText(expiryUrl)) {
 			BeanDefinitionBuilder expiredSessionBldr = BeanDefinitionBuilder
diff --git a/config/src/main/resources/org/springframework/security/config/spring-security-6.5.rnc b/config/src/main/resources/org/springframework/security/config/spring-security-6.5.rnc
@@ -936,7 +936,7 @@ concurrency-control.attlist &=
 	attribute max-sessions {xsd:token}?
 concurrency-control.attlist &=
 	## Allows injection of the SessionLimitStrategy instance used by the ConcurrentSessionControlAuthenticationStrategy
-	attribute session-limit-strategy-ref {xsd:token}?
+	attribute max-sessions-ref {xsd:token}?
 concurrency-control.attlist &=
 	## The URL a user will be redirected to if they attempt to use a session which has been "expired" because they have logged in again.
 	attribute expired-url {xsd:token}?
diff --git a/config/src/main/resources/org/springframework/security/config/spring-security-6.5.xsd b/config/src/main/resources/org/springframework/security/config/spring-security-6.5.xsd
@@ -2688,7 +2688,7 @@
                 </xs:documentation>
          </xs:annotation>
       </xs:attribute>
-      <xs:attribute name="session-limit-strategy-ref" type="xs:token">
+      <xs:attribute name="max-sessions-ref" type="xs:token">
          <xs:annotation>
             <xs:documentation>Allows injection of the SessionLimitStrategy instance used by the
                 ConcurrentSessionControlAuthenticationStrategy
diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurerTests.java
@@ -711,10 +711,8 @@ SecurityFilterChain filterChain(HttpSecurity http, SessionLimitStrategy sessionL
 			// @formatter:off
 			http
 					.formLogin(withDefaults())
-					.sessionManagement((sessionManagement) ->
-							sessionManagement
-									.sessionConcurrency((sessionConcurrency) ->
-											sessionConcurrency
+					.sessionManagement((sessionManagement) -> sessionManagement
+									.sessionConcurrency((sessionConcurrency) -> sessionConcurrency
 													.sessionLimitStrategy(sessionLimitStrategy)
 													.maxSessionsPreventsLogin(true)
 									)
diff --git a/config/src/test/java/org/springframework/security/config/http/HttpHeadersConfigTests.java b/config/src/test/java/org/springframework/security/config/http/HttpHeadersConfigTests.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2022 the original author or authors.
+ * Copyright 2002-2024 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -24,6 +24,7 @@
 import java.util.Set;
 
 import com.google.common.collect.ImmutableMap;
+import jakarta.servlet.http.HttpSession;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 
@@ -35,12 +36,17 @@
 import org.springframework.security.config.test.SpringTestContextExtension;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.ResultMatcher;
+import org.springframework.test.web.servlet.request.MockHttpServletRequestBuilder;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RestController;
 
+import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
+import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.header;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrl;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
 /**
@@ -49,6 +55,7 @@
  * @author Josh Cummings
  * @author Rafiullah Hamedy
  * @author Marcus Da Coregio
+ * @author Claudenir Freitas
  */
 @ExtendWith(SpringTestContextExtension.class)
 public class HttpHeadersConfigTests {
@@ -782,6 +789,57 @@ public void requestWhenCrossOriginPoliciesRespondsCrossOriginPolicies() throws E
 		// @formatter:on
 	}
 
+	@Test
+	public void requestWhenSessionManagementConcurrencyControlMaxSessionIsOne() throws Exception {
+		System.setProperty("security.session-management.concurrency-control.max-sessions", "1");
+		this.spring.configLocations(this.xml("DefaultsSessionManagementConcurrencyControlMaxSessions")).autowire();
+		// @formatter:off
+		MockHttpServletRequestBuilder requestBuilder = post("/login")
+				.with(csrf())
+				.param("username", "user")
+				.param("password", "password");
+		HttpSession firstSession = this.mvc.perform(requestBuilder)
+				.andExpect(status().is3xxRedirection())
+				.andExpect(redirectedUrl("/"))
+				.andReturn()
+				.getRequest()
+				.getSession(false);
+		// @formatter:on
+		assertThat(firstSession).isNotNull();
+		// @formatter:off
+		this.mvc.perform(requestBuilder)
+				.andExpect(status().isFound())
+				.andExpect(redirectedUrl("/login?error"));
+		// @formatter:on
+	}
+
+	@Test
+	public void requestWhenSessionManagementConcurrencyControlMaxSessionIsUnlimited() throws Exception {
+		System.setProperty("security.session-management.concurrency-control.max-sessions", "-1");
+		this.spring.configLocations(this.xml("DefaultsSessionManagementConcurrencyControlMaxSessions")).autowire();
+		// @formatter:off
+		MockHttpServletRequestBuilder requestBuilder = post("/login")
+				.with(csrf())
+				.param("username", "user")
+				.param("password", "password");
+		HttpSession firstSession = this.mvc.perform(requestBuilder)
+				.andExpect(status().is3xxRedirection())
+				.andExpect(redirectedUrl("/"))
+				.andReturn()
+				.getRequest()
+				.getSession(false);
+		assertThat(firstSession).isNotNull();
+		HttpSession secondSession = this.mvc.perform(requestBuilder)
+				.andExpect(status().is3xxRedirection())
+				.andExpect(redirectedUrl("/"))
+				.andReturn()
+				.getRequest()
+				.getSession(false);
+		assertThat(secondSession).isNotNull();
+		// @formatter:on
+		assertThat(firstSession.getId()).isNotEqualTo(secondSession.getId());
+	}
+
 	private static ResultMatcher includesDefaults() {
 		return includes(defaultHeaders);
 	}
diff --git a/config/src/test/resources/org/springframework/security/config/http/HttpHeadersConfigTests-DefaultsSessionManagementConcurrencyControlMaxSessions.xml b/config/src/test/resources/org/springframework/security/config/http/HttpHeadersConfigTests-DefaultsSessionManagementConcurrencyControlMaxSessions.xml
@@ -0,0 +1,38 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright 2002-2024 the original author or authors.
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~      https://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<b:beans xmlns:b="http://www.springframework.org/schema/beans"
+		xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+		xmlns="http://www.springframework.org/schema/security"
+		xsi:schemaLocation="
+			http://www.springframework.org/schema/security
+			https://www.springframework.org/schema/security/spring-security.xsd
+			http://www.springframework.org/schema/beans
+			https://www.springframework.org/schema/beans/spring-beans.xsd">
+
+	<http auto-config="true">
+		<session-management>
+			<concurrency-control max-sessions="${security.session-management.concurrency-control.max-sessions}"
+								 error-if-maximum-exceeded="true"/>
+		</session-management>
+		<intercept-url pattern="/**" access="permitAll"/>
+	</http>
+
+	<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>
+
+	<b:import resource="userservice.xml"/>
+</b:beans>
diff --git a/docs/modules/ROOT/pages/servlet/appendix/namespace/http.adoc b/docs/modules/ROOT/pages/servlet/appendix/namespace/http.adoc
@@ -2168,8 +2168,8 @@ Allows injection of the ExpiredSessionStrategy instance used by the ConcurrentSe
 Maps to the `maximumSessions` property of `ConcurrentSessionControlAuthenticationStrategy`.
 Specify `-1` as the value to support unlimited sessions.
 
-[[nsa-concurrency-control-session-limit-strategy-ref]]
-* **session-limit**
+[[nsa-concurrency-control-max-sessions-ref]]
+* **max-sessions-ref**
 Allows injection of the SessionLimitStrategy instance used by the ConcurrentSessionControlAuthenticationStrategy
 
 [[nsa-concurrency-control-session-registry-alias]]
diff --git a/web/src/main/java/org/springframework/security/web/authentication/session/ConcurrentSessionControlAuthenticationStrategy.java b/web/src/main/java/org/springframework/security/web/authentication/session/ConcurrentSessionControlAuthenticationStrategy.java
@@ -131,7 +131,7 @@ public void onAuthentication(Authentication authentication, HttpServletRequest r
 	 * @return either -1 meaning unlimited, or a positive integer to limit (never zero)
 	 */
 	protected int getMaximumSessionsForThisUser(Authentication authentication) {
-		return this.sessionLimitStrategy.resolve(authentication);
+		return this.sessionLimitStrategy.apply(authentication);
 	}
 
 	/**
@@ -187,7 +187,7 @@ public void setMaximumSessions(int maximumSessions) {
 	 * unlimited sessions.
 	 * @param sessionLimitStrategy the session limit strategy
 	 */
-	public void setSessionLimitStrategy(SessionLimitStrategy sessionLimitStrategy) {
+	public void setMaximumSessions(SessionLimitStrategy sessionLimitStrategy) {
 		Assert.notNull(sessionLimitStrategy, "sessionLimitStrategy cannot be null");
 		this.sessionLimitStrategy = sessionLimitStrategy;
 	}
diff --git a/web/src/main/java/org/springframework/security/web/session/SessionLimitStrategy.java b/web/src/main/java/org/springframework/security/web/session/SessionLimitStrategy.java
@@ -16,6 +16,8 @@
 
 package org.springframework.security.web.session;
 
+import java.util.function.Function;
+
 import org.springframework.security.core.Authentication;
 import org.springframework.util.Assert;
 
@@ -26,10 +28,7 @@
  * @author Claudenir Freitas
  * @since 6.5
  */
-@FunctionalInterface
-public interface SessionLimitStrategy {
-
-	int resolve(Authentication authentication);
+public interface SessionLimitStrategy extends Function<Authentication, Integer> {
 
 	/**
 	 * Represents unlimited sessions.
diff --git a/web/src/test/java/org/springframework/security/web/authentication/session/ConcurrentSessionControlAuthenticationStrategyTests.java b/web/src/test/java/org/springframework/security/web/authentication/session/ConcurrentSessionControlAuthenticationStrategyTests.java
@@ -148,16 +148,16 @@ public void onAuthenticationWhenMaxSessionsExceededByTwoThenTwoSessionsExpired()
 	}
 
 	@Test
-	public void setSessionLimitStrategyWithNullValue() {
+	public void setMaximumSessionsWithNullValue() {
 		assertThatExceptionOfType(IllegalArgumentException.class)
-			.isThrownBy(() -> this.strategy.setSessionLimitStrategy(null))
+			.isThrownBy(() -> this.strategy.setMaximumSessions(null))
 			.withMessage("sessionLimitStrategy cannot be null");
 	}
 
 	@Test
 	public void noRegisteredSessionUsingSessionLimitStrategy() {
 		given(this.sessionRegistry.getAllSessions(any(), anyBoolean())).willReturn(Collections.emptyList());
-		this.strategy.setSessionLimitStrategy(SessionLimitStrategy.of(1));
+		this.strategy.setMaximumSessions(SessionLimitStrategy.of(1));
 		this.strategy.setExceptionIfMaximumExceeded(true);
 		this.strategy.onAuthentication(this.authentication, this.request, this.response);
 		// no exception
@@ -169,7 +169,7 @@ public void maxSessionsSameSessionIdUsingSessionLimitStrategy() {
 		this.request.setSession(session);
 		given(this.sessionRegistry.getAllSessions(any(), anyBoolean()))
 			.willReturn(Collections.singletonList(this.sessionInformation));
-		this.strategy.setSessionLimitStrategy(SessionLimitStrategy.of(1));
+		this.strategy.setMaximumSessions(SessionLimitStrategy.of(1));
 		this.strategy.setExceptionIfMaximumExceeded(true);
 		this.strategy.onAuthentication(this.authentication, this.request, this.response);
 		// no exception
@@ -179,7 +179,7 @@ public void maxSessionsSameSessionIdUsingSessionLimitStrategy() {
 	public void maxSessionsWithExceptionUsingSessionLimitStrategy() {
 		given(this.sessionRegistry.getAllSessions(any(), anyBoolean()))
 			.willReturn(Collections.singletonList(this.sessionInformation));
-		this.strategy.setSessionLimitStrategy(SessionLimitStrategy.of(1));
+		this.strategy.setMaximumSessions(SessionLimitStrategy.of(1));
 		this.strategy.setExceptionIfMaximumExceeded(true);
 		assertThatExceptionOfType(SessionAuthenticationException.class)
 			.isThrownBy(() -> this.strategy.onAuthentication(this.authentication, this.request, this.response));
@@ -189,7 +189,7 @@ public void maxSessionsWithExceptionUsingSessionLimitStrategy() {
 	public void maxSessionsExpireExistingUserUsingSessionLimitStrategy() {
 		given(this.sessionRegistry.getAllSessions(any(), anyBoolean()))
 			.willReturn(Collections.singletonList(this.sessionInformation));
-		this.strategy.setSessionLimitStrategy(SessionLimitStrategy.of(1));
+		this.strategy.setMaximumSessions(SessionLimitStrategy.of(1));
 		this.strategy.onAuthentication(this.authentication, this.request, this.response);
 		assertThat(this.sessionInformation.isExpired()).isTrue();
 	}
@@ -200,7 +200,7 @@ public void maxSessionsExpireLeastRecentExistingUserUsingSessionLimitStrategy()
 				new Date(1374766999999L));
 		given(this.sessionRegistry.getAllSessions(any(), anyBoolean()))
 			.willReturn(Arrays.asList(moreRecentSessionInfo, this.sessionInformation));
-		this.strategy.setSessionLimitStrategy(SessionLimitStrategy.of(2));
+		this.strategy.setMaximumSessions(SessionLimitStrategy.of(2));
 		this.strategy.onAuthentication(this.authentication, this.request, this.response);
 		assertThat(this.sessionInformation.isExpired()).isTrue();
 	}
@@ -213,7 +213,7 @@ public void onAuthenticationWhenMaxSessionsExceededByTwoThenTwoSessionsExpiredUs
 				"unique2", new Date(1374766134215L));
 		given(this.sessionRegistry.getAllSessions(any(), anyBoolean()))
 			.willReturn(Arrays.asList(oldestSessionInfo, secondOldestSessionInfo, this.sessionInformation));
-		this.strategy.setSessionLimitStrategy(SessionLimitStrategy.of(2));
+		this.strategy.setMaximumSessions(SessionLimitStrategy.of(2));
 		this.strategy.onAuthentication(this.authentication, this.request, this.response);
 		assertThat(oldestSessionInfo.isExpired()).isTrue();
 		assertThat(secondOldestSessionInfo.isExpired()).isTrue();
@@ -222,7 +222,7 @@ public void onAuthenticationWhenMaxSessionsExceededByTwoThenTwoSessionsExpiredUs
 
 	@Test
 	public void onAuthenticationWhenSessionLimitIsUnlimited() {
-		this.strategy.setSessionLimitStrategy(SessionLimitStrategy.UNLIMITED);
+		this.strategy.setMaximumSessions(SessionLimitStrategy.UNLIMITED);
 		this.strategy.onAuthentication(this.authentication, this.request, this.response);
 		verifyNoInteractions(this.sessionRegistry);
 	}
diff --git a/web/src/test/java/org/springframework/security/web/session/SessionLimitStrategyTests.java b/web/src/test/java/org/springframework/security/web/session/SessionLimitStrategyTests.java
