diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurer.java index 34d9131e40..4f394a59d5 100644 --- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurer.java +++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurer.java @@ -400,6 +400,7 @@ public final class SessionManagementConfigurer> concurrentSessionFilter.setLogoutHandlers(logoutHandlers); } } + concurrentSessionFilter.setSecurityContextHolderStrategy(getSecurityContextHolderStrategy()); return concurrentSessionFilter; } diff --git a/web/src/main/java/org/springframework/security/web/session/ConcurrentSessionFilter.java b/web/src/main/java/org/springframework/security/web/session/ConcurrentSessionFilter.java index 57d5928ec0..23e377f648 100644 --- a/web/src/main/java/org/springframework/security/web/session/ConcurrentSessionFilter.java +++ b/web/src/main/java/org/springframework/security/web/session/ConcurrentSessionFilter.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2019 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -30,6 +30,7 @@ import javax.servlet.http.HttpSession; import org.springframework.core.log.LogMessage; import org.springframework.security.core.Authentication; import org.springframework.security.core.context.SecurityContextHolder; +import org.springframework.security.core.context.SecurityContextHolderStrategy; import org.springframework.security.core.session.SessionInformation; import org.springframework.security.core.session.SessionRegistry; import org.springframework.security.web.RedirectStrategy; @@ -67,6 +68,9 @@ import org.springframework.web.filter.GenericFilterBean; */ public class ConcurrentSessionFilter extends GenericFilterBean { + private SecurityContextHolderStrategy securityContextHolderStrategy = SecurityContextHolder + .getContextHolderStrategy(); + private final SessionRegistry sessionRegistry; private String expiredUrl; @@ -162,11 +166,22 @@ public class ConcurrentSessionFilter extends GenericFilterBean { } private void doLogout(HttpServletRequest request, HttpServletResponse response) { - Authentication auth = SecurityContextHolder.getContext().getAuthentication(); + Authentication auth = this.securityContextHolderStrategy.getContext().getAuthentication(); this.handlers.logout(request, response, auth); } + /** + * Sets the {@link SecurityContextHolderStrategy} to use. The default action is to use + * the {@link SecurityContextHolderStrategy} stored in {@link SecurityContextHolder}. + * + * @since 5.8 + */ + public void setSecurityContextHolderStrategy(SecurityContextHolderStrategy securityContextHolderStrategy) { + Assert.notNull(securityContextHolderStrategy, "securityContextHolderStrategy cannot be null"); + this.securityContextHolderStrategy = securityContextHolderStrategy; + } + public void setLogoutHandlers(LogoutHandler[] handlers) { this.handlers = new CompositeLogoutHandler(handlers); } diff --git a/web/src/test/java/org/springframework/security/MockSecurityContextHolderStrategy.java b/web/src/test/java/org/springframework/security/MockSecurityContextHolderStrategy.java index 71db79c6ea..468f2ba659 100644 --- a/web/src/test/java/org/springframework/security/MockSecurityContextHolderStrategy.java +++ b/web/src/test/java/org/springframework/security/MockSecurityContextHolderStrategy.java @@ -16,6 +16,7 @@ package org.springframework.security; +import org.springframework.security.core.Authentication; import org.springframework.security.core.context.SecurityContext; import org.springframework.security.core.context.SecurityContextHolderStrategy; import org.springframework.security.core.context.SecurityContextImpl; @@ -24,6 +25,14 @@ public class MockSecurityContextHolderStrategy implements SecurityContextHolderS private SecurityContext mock; + public MockSecurityContextHolderStrategy() { + + } + + public MockSecurityContextHolderStrategy(Authentication authentication) { + this.mock = new SecurityContextImpl(authentication); + } + @Override public void clearContext() { this.mock = null; diff --git a/web/src/test/java/org/springframework/security/web/concurrent/ConcurrentSessionFilterTests.java b/web/src/test/java/org/springframework/security/web/concurrent/ConcurrentSessionFilterTests.java index a29ef1cab7..42b4a49085 100644 --- a/web/src/test/java/org/springframework/security/web/concurrent/ConcurrentSessionFilterTests.java +++ b/web/src/test/java/org/springframework/security/web/concurrent/ConcurrentSessionFilterTests.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2019 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -29,7 +29,10 @@ import org.springframework.mock.web.MockFilterChain; import org.springframework.mock.web.MockHttpServletRequest; import org.springframework.mock.web.MockHttpServletResponse; import org.springframework.mock.web.MockHttpSession; +import org.springframework.security.MockSecurityContextHolderStrategy; +import org.springframework.security.authentication.TestingAuthenticationToken; import org.springframework.security.core.context.SecurityContextHolder; +import org.springframework.security.core.context.SecurityContextHolderStrategy; import org.springframework.security.core.session.SessionInformation; import org.springframework.security.core.session.SessionRegistry; import org.springframework.security.core.session.SessionRegistryImpl; @@ -47,6 +50,7 @@ import static org.mockito.ArgumentMatchers.anyString; import static org.mockito.ArgumentMatchers.eq; import static org.mockito.BDDMockito.given; import static org.mockito.Mockito.mock; +import static org.mockito.Mockito.spy; import static org.mockito.Mockito.verify; import static org.mockito.Mockito.verifyZeroInteractions; @@ -267,6 +271,25 @@ public class ConcurrentSessionFilterTests { verify(handler).logout(eq(request), eq(response), any()); } + @Test + public void doFilterWhenCustomSecurityContextHolderStrategyThenHandlersUsed() throws Exception { + MockHttpServletRequest request = new MockHttpServletRequest(); + MockHttpSession session = new MockHttpSession(); + request.setSession(session); + MockHttpServletResponse response = new MockHttpServletResponse(); + SessionRegistry registry = mock(SessionRegistry.class); + SessionInformation information = new SessionInformation("user", "sessionId", + new Date(System.currentTimeMillis() - 1000)); + information.expireNow(); + given(registry.getSessionInformation(anyString())).willReturn(information); + ConcurrentSessionFilter filter = new ConcurrentSessionFilter(registry); + SecurityContextHolderStrategy securityContextHolderStrategy = spy( + new MockSecurityContextHolderStrategy(new TestingAuthenticationToken("user", "password"))); + filter.setSecurityContextHolderStrategy(securityContextHolderStrategy); + filter.doFilter(request, response, new MockFilterChain()); + verify(securityContextHolderStrategy).getContext(); + } + @Test public void setLogoutHandlersWhenNullThenThrowsException() { ConcurrentSessionFilter filter = new ConcurrentSessionFilter(new SessionRegistryImpl());