Fix import ordering and add end-to-end registry migration test

Signed-off-by: admin <adalwolfad@gmail.com>
Signed-off-by: klouds27 <adalwolf@gmail.com>

Author: klouds27

web/src/test/java/org/springframework/security/web/authentication/session/ChangeSessionIdAuthenticationStrategyTests.java

@@ -23,10 +23,12 @@
 
 import org.springframework.context.ApplicationEvent;
 import org.springframework.context.ApplicationEventPublisher;
+import org.springframework.context.event.SimpleApplicationEventMulticaster;
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.mock.web.MockHttpServletResponse;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.session.SessionIdChangedEvent;
+import org.springframework.security.core.session.SessionRegistryImpl;
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.mockito.Mockito.mock;
@@ -48,7 +50,30 @@ public void applySessionFixation() {
 	}
 
 	@Test
-	public void onAuthenticationPublishesSessionIdChangedEventWithoutHttpSessionEventPublisher() {
+	public void onAuthenticationWhenRegistryHasOldSessionThenMigratesWithoutHttpSessionEventPublisher() {
+		// Reproduces gh-19007: without HttpSessionEventPublisher the old session ID used
+		// to remain as a ghost entry in the registry after session fixation rotation,
+		// causing ConcurrentSessionControlAuthenticationStrategy to count an extra session.
+		SessionRegistryImpl registry = new SessionRegistryImpl();
+		SimpleApplicationEventMulticaster multicaster = new SimpleApplicationEventMulticaster();
+		multicaster.addApplicationListener(registry);
+		ChangeSessionIdAuthenticationStrategy strategy = new ChangeSessionIdAuthenticationStrategy();
+		strategy.setApplicationEventPublisher((event) -> {
+			if (event instanceof ApplicationEvent applicationEvent) {
+				multicaster.multicastEvent(applicationEvent);
+			}
+		});
+		MockHttpServletRequest request = new MockHttpServletRequest();
+		Object principal = "testPrincipal";
+		registry.registerNewSession(request.getSession().getId(), principal);
+		strategy.onAuthentication(mock(Authentication.class), request, new MockHttpServletResponse());
+		String newSessionId = request.getSession().getId();
+		assertThat(registry.getSessionInformation(newSessionId)).isNotNull();
+		assertThat(registry.getAllSessions(principal, false)).hasSize(1);
+	}
+
+	@Test
+	public void onAuthenticationPublishesSessionFixationAndSessionIdChangedEvents() {
 		ChangeSessionIdAuthenticationStrategy strategy = new ChangeSessionIdAuthenticationStrategy();
 		MockHttpServletRequest request = new MockHttpServletRequest();
 		String oldSessionId = request.getSession().getId();
@@ -58,9 +83,12 @@ public void onAuthenticationPublishesSessionIdChangedEventWithoutHttpSessionEven
 		ArgumentCaptor<ApplicationEvent> captor = ArgumentCaptor.forClass(ApplicationEvent.class);
 		verify(eventPublisher, times(2)).publishEvent(captor.capture());
 		List<ApplicationEvent> events = captor.getAllValues();
-		assertThat(events.get(0)).isInstanceOf(SessionFixationProtectionEvent.class);
-		assertThat(events.get(1)).isInstanceOf(SessionIdChangedEvent.class);
-		SessionIdChangedEvent idChangedEvent = (SessionIdChangedEvent) events.get(1);
+		assertThat(events).hasAtLeastOneElementOfType(SessionFixationProtectionEvent.class);
+		SessionIdChangedEvent idChangedEvent = events.stream()
+			.filter(SessionIdChangedEvent.class::isInstance)
+			.map(SessionIdChangedEvent.class::cast)
+			.findFirst()
+			.orElseThrow();
 		assertThat(idChangedEvent.getOldSessionId()).isEqualTo(oldSessionId);
 		assertThat(idChangedEvent.getNewSessionId()).isEqualTo(request.getSession().getId());
 		assertThat(idChangedEvent.getNewSessionId()).isNotEqualTo(oldSessionId);

web/src/test/java/org/springframework/security/web/session/DefaultSessionAuthenticationStrategyTests.java

@@ -26,11 +26,10 @@
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.mock.web.MockHttpServletResponse;
 import org.springframework.security.core.Authentication;
+import org.springframework.security.core.session.SessionIdChangedEvent;
 import org.springframework.security.web.authentication.session.SessionFixationProtectionEvent;
 import org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy;
 
-import org.springframework.security.core.session.SessionIdChangedEvent;
-
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.times;