Remove Servlet 2.5 Support for Session Fixation #6259

Closed
jzheaux opened this issue Dec 7, 2018 · 2 comments
Labels
in: web An issue in web modules (web, webmvc) type: enhancement A general enhancement
jzheaux commented Dec 7, 2018

Related to #6220

There are a couple of different strategies available to users for performing session fixation. One such, ChangeSessionIdSessionAuthenticationStrategy, requires a method only available on HttpServletRequest since Servlet 3.1.

Because of this, its constructor checks for the existence of that method and throws an exception otherwise.

Now that the Spring Framework baseline is Servlet 3.1, that check is no longer necessary.

Also, the corresponding try/catch in SessionManagementConfigurer and the corresponding conditional in HttpConfigurationBuilder are no longer necessary.

Of course, this also means that tests that confirm this behavior can also be removed.

@jzheaux jzheaux added in: web An issue in web modules (web, webmvc) type: enhancement A general enhancement labels Dec 7, 2018
@jzheaux jzheaux added this to the 5.2.0.M1 milestone Dec 7, 2018
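
Added example (not part of the issue thread and not Spring Security's source): the sketch below contrasts the constructor-time probe for `HttpServletRequest.changeSessionId()` described above with the direct call that a Servlet 3.1 baseline allows. The class names `SessionIdRotation`, `ReflectiveRotator` and `DirectRotator` are hypothetical, and the `javax.servlet` API is assumed to be on the classpath.

```java
import java.lang.reflect.Method;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Hypothetical classes for illustration only; not Spring Security code.
public class SessionIdRotation {

    /** Pre-3.1-compatible style: probe for changeSessionId() once and fail fast if absent. */
    static final class ReflectiveRotator {
        private final Method changeSessionId;

        ReflectiveRotator() {
            try {
                this.changeSessionId = HttpServletRequest.class.getMethod("changeSessionId");
            } catch (NoSuchMethodException e) {
                throw new IllegalStateException(
                        "HttpServletRequest.changeSessionId() requires Servlet 3.1 or later", e);
            }
        }

        void onAuthentication(HttpServletRequest request) {
            if (request.getSession(false) == null) {
                return; // no pre-login session exists, so there is no id to rotate
            }
            try {
                this.changeSessionId.invoke(request);
            } catch (ReflectiveOperationException e) {
                throw new IllegalStateException("Could not change the session id", e);
            }
        }
    }

    /** Servlet 3.1 baseline: the method is part of the compile-time API, so no probe is needed. */
    static final class DirectRotator {
        void onAuthentication(HttpServletRequest request) {
            HttpSession session = request.getSession(false);
            if (session == null) {
                return; // changeSessionId() throws IllegalStateException without a session
            }
            String oldId = session.getId();
            String newId = request.changeSessionId(); // same session, attributes kept, new id
            if (oldId.equals(newId)) {
                throw new IllegalStateException("Container did not issue a new session id");
            }
        }
    }
}
```

Both variants rotate the identifier only after authentication succeeds, so an identifier planted before login no longer refers to the authenticated session.
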
raphaelDL commented Dec 7, 2018

I will take this I'm taking this

rwinch commented Dec 7, 2018

Thanks, the issue is yours @raphaelDL!

raphaelDL added a commit to raphaelDL/spring-security that referenced this issue Dec 20, 2018
This commit removes existence validation of a method only available in Servlet 3.1.
Spring Framework baseline is Servlet 3.1 so it is no longer required.

Fixes: spring-projectsgh-6259
jzheaux added a commit that referenced this issue Dec 21, 2018
When using AssertJ, it's easy to commit the following error

assertThat(some boolean condition)

The above actually does nothing. It at least needs to be

assertThat(some boolean condition).isTrue()

This commit refines some assertions that were missing a verify
condition.

Also, one Javadoc was just a little bit confusing, so this
clarifies it.

Issue: gh-6259