
WebFlux HTTP Basic & Form Login Sessions

By default both HTTP Basic and form log in are enabled. Now the HTTP Session
will not be used for HTTP Basic, but will be used for form log in.
Rob Winch 8 years ago
parent
commit
0a36359f11

+ 0 - 2
config/src/main/java/org/springframework/security/config/annotation/web/reactive/HttpSecurityConfiguration.java

@@ -28,7 +28,6 @@ import org.springframework.security.config.web.server.HttpSecurity;
 import org.springframework.security.core.userdetails.UserDetailsRepository;
 import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.security.web.reactive.result.method.annotation.AuthenticationPrincipalArgumentResolver;
-import org.springframework.security.web.server.context.WebSessionSecurityContextRepository;
 import org.springframework.web.reactive.config.WebFluxConfigurer;
 import org.springframework.web.reactive.result.method.annotation.ArgumentResolverConfigurer;
 
@@ -69,7 +68,6 @@ public class HttpSecurityConfiguration implements WebFluxConfigurer {
 	public HttpSecurity httpSecurity() {
 		return http()
 			.authenticationManager(authenticationManager())
-			.securityContextRepository(new WebSessionSecurityContextRepository())
 			.headers().and()
 			.httpBasic().and()
 			.formLogin().and();

+ 3 - 10
config/src/main/java/org/springframework/security/config/web/server/HttpSecurity.java

@@ -206,16 +206,9 @@ public class HttpSecurity {
 	}
 
 	private SecurityContextRepositoryWebFilter securityContextRepositoryWebFilter() {
-		SecurityContextRepository respository = getSecurityContextRepository();
-		return respository == null ? null :
-			new SecurityContextRepositoryWebFilter(respository);
-	}
-
-	private SecurityContextRepository getSecurityContextRepository() {
-		if(this.securityContextRepository == null && this.formLogin != null) {
-			this.securityContextRepository = this.formLogin.securityContextRepository;
-		}
-		return this.securityContextRepository;
+		SecurityContextRepository repository = this.securityContextRepository;
+		return repository == null ? null :
+			new SecurityContextRepositoryWebFilter(repository);
 	}
 
 	private HttpSecurity() {}
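Review bot: securityContextRepositoryWebFilter() now reads only `this.securityContextRepository` and returns null when it is unset, so the old fallback to `this.formLogin.securityContextRepository` is gone and nothing in this hunk shows how a context stored in the session by form log in is loaded again on the next request. If that is handled elsewhere in the class (not visible here), a comment above the method would make it explicit, for example `// Only an explicitly configured repository is loaded here; form log in's repository is no longer used as a fallback.` The commit also deletes the sessionWorks tests from the sample modules without a visible replacement. A test that a form log in response sets a session cookie, and that the cookie authenticates a follow-up request, would cover the "will be used for form log in" half of the description.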

+ 16 - 0
config/src/test/java/org/springframework/security/config/annotation/web/reactive/EnableWebFluxSecurityTests.java

@@ -40,6 +40,7 @@ import org.springframework.security.web.server.SecurityWebFilterChain;
 import org.springframework.security.web.server.WebFilterChainFilter;
 import org.springframework.security.web.server.util.matcher.PathPatternParserServerWebExchangeMatcher;
 import org.springframework.test.context.junit4.SpringRunner;
+import org.springframework.test.web.reactive.server.FluxExchangeResult;
 import org.springframework.test.web.reactive.server.WebTestClient;
 import org.springframework.util.LinkedMultiValueMap;
 import org.springframework.util.MultiValueMap;
@@ -75,6 +76,21 @@ public class EnableWebFluxSecurityTests {
 				.expectBody().isEmpty();
 		}
 
+		@Test
+		public void authenticateWhenBasicThenNoSession() {
+			WebTestClient client = WebTestClientBuilder
+				.bindToWebFilters(this.springSecurityFilterChain)
+				.filter(basicAuthentication())
+				.build();
+
+			FluxExchangeResult<String> result = client.get()
+				.attributes(basicAuthenticationCredentials("user", "password")).exchange()
+				.expectStatus()
+				.isOk()
+				.returnResult(String.class);
+			result.assertWithDiagnostics(() -> assertThat(result.getResponseCookies().isEmpty()));
+		}
+
 		@Test
 		public void defaultPopulatesReactorContext() {
 			Principal currentPrincipal = new TestingAuthenticationToken("user", "password", "ROLE_USER");
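Review bot: The assertion in authenticateWhenBasicThenNoSession verifies nothing, because `assertThat(result.getResponseCookies().isEmpty())` only wraps the boolean and never calls an assertion method on it (assuming `assertThat` is AssertJ's; the import is outside the hunk). The test therefore passes even if a session cookie is issued for an HTTP Basic request, which is exactly the behaviour this commit is meant to rule out. Change the line to `result.assertWithDiagnostics(() -> assertThat(result.getResponseCookies()).isEmpty());` so that a response carrying any cookie fails the test.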

+ 0 - 24
samples/javaconfig/hellowebflux/src/integration-test/java/sample/HelloWebfluxApplicationITests.java

@@ -22,11 +22,9 @@ import org.junit.Test;
 import org.junit.runner.RunWith;
 
 import org.springframework.beans.factory.annotation.Value;
-import org.springframework.http.ResponseCookie;
 import org.springframework.test.context.ContextConfiguration;
 import org.springframework.test.context.TestPropertySource;
 import org.springframework.test.context.junit4.SpringRunner;
-import org.springframework.test.web.reactive.server.ExchangeResult;
 import org.springframework.test.web.reactive.server.WebTestClient;
 import org.springframework.web.reactive.function.client.ExchangeFilterFunction;
 
@@ -89,28 +87,6 @@ public class HelloWebfluxApplicationITests {
 			.expectBody().isEmpty();
 	}
 
-	@Test
-	public void sessionWorks() throws Exception {
-		ExchangeResult result = this.rest
-			.mutate()
-			.filter(userCredentials())
-			.build()
-			.get()
-			.uri("/")
-			.exchange()
-			.expectStatus().isOk()
-			.returnResult(String.class);
-
-		ResponseCookie session = result.getResponseCookies().getFirst("SESSION");
-
-		this.rest
-			.get()
-			.uri("/")
-			.cookie(session.getName(), session.getValue())
-			.exchange()
-			.expectStatus().isOk();
-	}
-
 	private ExchangeFilterFunction userCredentials() {
 		return basicAuthentication("user","user");
 	}

+ 0 - 24
samples/javaconfig/hellowebflux/src/test/java/sample/HelloWebfluxApplicationTests.java

@@ -23,11 +23,9 @@ import org.junit.runner.RunWith;
 
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.ApplicationContext;
-import org.springframework.http.ResponseCookie;
 import org.springframework.test.context.ActiveProfiles;
 import org.springframework.test.context.ContextConfiguration;
 import org.springframework.test.context.junit4.SpringRunner;
-import org.springframework.test.web.reactive.server.ExchangeResult;
 import org.springframework.test.web.reactive.server.WebTestClient;
 import org.springframework.web.reactive.function.client.ExchangeFilterFunction;
 
@@ -91,28 +89,6 @@ public class HelloWebfluxApplicationTests {
 			.expectBody().isEmpty();
 	}
 
-	@Test
-	public void sessionWorks() throws Exception {
-		ExchangeResult result = this.rest
-				.mutate()
-				.filter(userCredentials())
-				.build()
-				.get()
-				.uri("/")
-				.exchange()
-				.expectStatus().isOk()
-				.returnResult(String.class);
-
-		ResponseCookie session = result.getResponseCookies().getFirst("SESSION");
-
-		this.rest
-			.get()
-			.uri("/")
-			.cookie(session.getName(), session.getValue())
-			.exchange()
-			.expectStatus().isOk();
-	}
-
 	@Test
 	public void mockSupportWhenValidMockUserThenOk() throws Exception {
 		this.rest

+ 0 - 24
samples/javaconfig/hellowebfluxfn/src/integration-test/java/sample/HelloWebfluxFnApplicationITests.java

@@ -22,11 +22,9 @@ import org.junit.Test;
 import org.junit.runner.RunWith;
 
 import org.springframework.beans.factory.annotation.Value;
-import org.springframework.http.ResponseCookie;
 import org.springframework.test.context.ContextConfiguration;
 import org.springframework.test.context.TestPropertySource;
 import org.springframework.test.context.junit4.SpringRunner;
-import org.springframework.test.web.reactive.server.ExchangeResult;
 import org.springframework.test.web.reactive.server.WebTestClient;
 import org.springframework.web.reactive.function.client.ExchangeFilterFunction;
 
@@ -88,28 +86,6 @@ public class HelloWebfluxFnApplicationITests {
 			.expectBody().isEmpty();
 	}
 
-	@Test
-	public void sessionWorks() throws Exception {
-		ExchangeResult result = this.rest
-			.mutate()
-			.filter(userCredentials())
-			.build()
-			.get()
-			.uri("/")
-			.exchange()
-			.expectStatus().isOk()
-			.returnResult(String.class);
-
-		ResponseCookie session = result.getResponseCookies().getFirst("SESSION");
-
-		this.rest
-			.get()
-			.uri("/")
-			.cookie(session.getName(), session.getValue())
-			.exchange()
-			.expectStatus().isOk();
-	}
-
 	private ExchangeFilterFunction userCredentials() {
 		return basicAuthentication("user","user");
 	}

+ 0 - 24
samples/javaconfig/hellowebfluxfn/src/test/java/sample/HelloWebfluxFnApplicationTests.java

@@ -22,12 +22,10 @@ import org.junit.Test;
 import org.junit.runner.RunWith;
 
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.http.ResponseCookie;
 import org.springframework.security.web.server.WebFilterChainFilter;
 import org.springframework.test.context.ActiveProfiles;
 import org.springframework.test.context.ContextConfiguration;
 import org.springframework.test.context.junit4.SpringRunner;
-import org.springframework.test.web.reactive.server.ExchangeResult;
 import org.springframework.test.web.reactive.server.WebTestClient;
 import org.springframework.web.reactive.function.client.ExchangeFilterFunction;
 import org.springframework.web.reactive.function.server.RouterFunction;
@@ -95,28 +93,6 @@ public class HelloWebfluxFnApplicationTests {
 			.expectBody().isEmpty();
 	}
 
-	@Test
-	public void sessionWorks() throws Exception {
-		ExchangeResult result = this.rest
-			.mutate()
-			.filter(userCredentials())
-			.build()
-			.get()
-			.uri("/")
-			.exchange()
-			.expectStatus().isOk()
-			.returnResult(String.class);
-
-		ResponseCookie session = result.getResponseCookies().getFirst("SESSION");
-
-		this.rest
-			.get()
-			.uri("/")
-			.cookie(session.getName(), session.getValue())
-			.exchange()
-			.expectStatus().isOk();
-	}
-
 	@Test
 	public void mockSupportWhenValidMockUserThenOk() throws Exception {
 		this.rest