Thanks to visit codestin.com
Credit goes to github.com

Skip to content

[Security] Support removing tokens from a session. #2414

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 2 commits into from
Closed

[Security] Support removing tokens from a session. #2414

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
dabff0e
[Security] Support removing tokens from a session.
dpb587 Oct 15, 2011
ab9caa0
[Security] Check for request's session before attempting writes.
dpb587 Oct 25, 2011
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 7 additions & 7 deletions src/Symfony/Component/Security/Http/Firewall/ContextListener.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -93,19 +93,19 @@ public function onKernelResponse(FilterResponseEvent $event)
return;
}

if (null === $token = $this->context->getToken()) {
return;
if (null !== $this->logger) {
$this->logger->debug('Write SecurityContext in the session');
}

if (null === $token || $token instanceof AnonymousToken) {
if (null === $session = $event->getRequest()->getSession()) {
return;
}

if (null !== $this->logger) {
$this->logger->debug('Write SecurityContext in the session');
if ((null === $token = $this->context->getToken()) || ($token instanceof AnonymousToken)) {
$session->remove('_security_'.$this->contextKey);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why would you want to remove the token if it is anonymous? I think we just need to remove it when it's set to null.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Historically an AnonymousToken has not been persisted to session and is always created by AnonymousAuthenticationListener, when necessary. Seems good to keep that check and behavior.

} else {
$session->set('_security_'.$this->contextKey, serialize($token));
}

$event->getRequest()->getSession()->set('_security_'.$this->contextKey, serialize($token));
}

/**
Expand Down
107 changes: 107 additions & 0 deletions tests/Symfony/Tests/Component/Security/Http/Firewall/ContextListenerTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,107 @@
<?php

namespace Symfony\Test\Component\Security\Http\Firewall;

use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpFoundation\Session;
use Symfony\Component\HttpFoundation\SessionStorage\ArraySessionStorage;
use Symfony\Component\HttpKernel\Event\FilterResponseEvent;
use Symfony\Component\HttpKernel\HttpKernelInterface;
use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
use Symfony\Component\Security\Core\SecurityContext;
use Symfony\Component\Security\Http\Firewall\ContextListener;

class ContextListenerTest extends \PHPUnit_Framework_TestCase
{
protected function setUp()
{
$this->securityContext = new SecurityContext(
$this->getMock('Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface'),
$this->getMock('Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface')
);
}

protected function tearDown()
{
unset($this->securityContext);
}

public function testOnKernelResponseWillAddSession()
{
$session = $this->runSessionOnKernelResponse(
new UsernamePasswordToken('test1', 'pass1', 'phpunit'),
null
);

$token = unserialize($session->get('_security_session'));
$this->assertInstanceOf('Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken', $token);
$this->assertEquals('test1', $token->getUsername());
}

public function testOnKernelResponseWillReplaceSession()
{
$session = $this->runSessionOnKernelResponse(
new UsernamePasswordToken('test1', 'pass1', 'phpunit'),
'C:10:"serialized"'
);

$token = unserialize($session->get('_security_session'));
$this->assertInstanceOf('Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken', $token);
$this->assertEquals('test1', $token->getUsername());
}

public function testOnKernelResponseWillRemoveSession()
{
$session = $this->runSessionOnKernelResponse(
null,
'C:10:"serialized"'
);

$this->assertFalse($session->has('_security_session'));
}

protected function runSessionOnKernelResponse($newToken, $original = null)
{
$session = new Session(new ArraySessionStorage());

if ($original !== null) {
$session->set('_security_session', $original);
}

$this->securityContext->setToken($newToken);

$request = new Request();
$request->setSession($session);

$event = new FilterResponseEvent(
$this->getMock('Symfony\Component\HttpKernel\HttpKernelInterface'),
$request,
HttpKernelInterface::MASTER_REQUEST,
new Response()
);

$listener = new ContextListener($this->securityContext, array(), 'session');
$listener->onKernelResponse($event);

return $session;
}

public function testOnKernelResponseWithoutSession()
{
$this->securityContext->setToken(new UsernamePasswordToken('test1', 'pass1', 'phpunit'));
$request = new Request();

$event = new FilterResponseEvent(
$this->getMock('Symfony\Component\HttpKernel\HttpKernelInterface'),
$request,
HttpKernelInterface::MASTER_REQUEST,
new Response()
);

$listener = new ContextListener($this->securityContext, array(), 'session');
$listener->onKernelResponse($event);

$this->assertFalse($request->hasSession());
}
}