Fix import ordering and add end-to-end registry migration test

Author: klouds27

web/src/test/java/org/springframework/security/web/authentication/session/ChangeSessionIdAuthenticationStrategyTests.java

@@ -23,10 +23,12 @@
 
 import org.springframework.context.ApplicationEvent;
 import org.springframework.context.ApplicationEventPublisher;
+import org.springframework.context.event.SimpleApplicationEventMulticaster;
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.mock.web.MockHttpServletResponse;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.session.SessionIdChangedEvent;
+import org.springframework.security.core.session.SessionRegistryImpl;
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.mockito.Mockito.mock;
@@ -47,6 +49,29 @@ public void applySessionFixation() {
 		assertThat(request.getSession().getId()).isNotEqualTo(id);
 	}
 
+	@Test
+	public void onAuthenticationWhenRegistryHasOldSessionThenMigratesWithoutHttpSessionEventPublisher() {
+		// Reproduces gh-19007: without HttpSessionEventPublisher the old session ID used
+		// to remain as a ghost entry in the registry after session fixation rotation,
+		// causing ConcurrentSessionControlAuthenticationStrategy to count an extra session.
+		SessionRegistryImpl registry = new SessionRegistryImpl();
+		SimpleApplicationEventMulticaster multicaster = new SimpleApplicationEventMulticaster();
+		multicaster.addApplicationListener(registry);
+		ChangeSessionIdAuthenticationStrategy strategy = new ChangeSessionIdAuthenticationStrategy();
+		strategy.setApplicationEventPublisher((event) -> {
+			if (event instanceof ApplicationEvent applicationEvent) {
+				multicaster.multicastEvent(applicationEvent);
+			}
+		});
+		MockHttpServletRequest request = new MockHttpServletRequest();
+		Object principal = "testPrincipal";
+		registry.registerNewSession(request.getSession().getId(), principal);
+		strategy.onAuthentication(mock(Authentication.class), request, new MockHttpServletResponse());
+		String newSessionId = request.getSession().getId();
+		assertThat(registry.getSessionInformation(newSessionId)).isNotNull();
+		assertThat(registry.getAllSessions(principal, false)).hasSize(1);
+	}
+
 	@Test
 	public void onAuthenticationPublishesSessionIdChangedEventWithoutHttpSessionEventPublisher() {
 		ChangeSessionIdAuthenticationStrategy strategy = new ChangeSessionIdAuthenticationStrategy();

web/src/test/java/org/springframework/security/web/session/DefaultSessionAuthenticationStrategyTests.java

@@ -26,11 +26,10 @@
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.mock.web.MockHttpServletResponse;
 import org.springframework.security.core.Authentication;
+import org.springframework.security.core.session.SessionIdChangedEvent;
 import org.springframework.security.web.authentication.session.SessionFixationProtectionEvent;
 import org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy;
 
-import org.springframework.security.core.session.SessionIdChangedEvent;
-
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.times;