From 1e3106f3a2f7ddaf64326963ae3fd4d797d1138b Mon Sep 17 00:00:00 2001
From: Rob Winch <rwinch@users.noreply.github.com>
Date: Fri, 25 Mar 2022 13:01:40 -0500
Subject: [PATCH] HttpSessionSecurityContextRepository support null
 HttpServletResponse

Closes gh-11029
---
 .../context/HttpSessionSecurityContextRepository.java  | 10 ++++++----
 .../HttpSessionSecurityContextRepositoryTests.java     |  8 ++++++++
 2 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/web/src/main/java/org/springframework/security/web/context/HttpSessionSecurityContextRepository.java b/web/src/main/java/org/springframework/security/web/context/HttpSessionSecurityContextRepository.java
index 7eb18c534d..27bbe07f3e 100644
--- a/web/src/main/java/org/springframework/security/web/context/HttpSessionSecurityContextRepository.java
+++ b/web/src/main/java/org/springframework/security/web/context/HttpSessionSecurityContextRepository.java
@@ -122,10 +122,12 @@ public class HttpSessionSecurityContextRepository implements SecurityContextRepo
 				this.logger.trace(LogMessage.format("Created %s", context));
 			}
 		}
-		SaveToSessionResponseWrapper wrappedResponse = new SaveToSessionResponseWrapper(response, request,
-				httpSession != null, context);
-		requestResponseHolder.setResponse(wrappedResponse);
-		requestResponseHolder.setRequest(new SaveToSessionRequestWrapper(request, wrappedResponse));
+		if (response != null) {
+			SaveToSessionResponseWrapper wrappedResponse = new SaveToSessionResponseWrapper(response, request,
+					httpSession != null, context);
+			requestResponseHolder.setResponse(wrappedResponse);
+			requestResponseHolder.setRequest(new SaveToSessionRequestWrapper(request, wrappedResponse));
+		}
 		return context;
 	}
 
diff --git a/web/src/test/java/org/springframework/security/web/context/HttpSessionSecurityContextRepositoryTests.java b/web/src/test/java/org/springframework/security/web/context/HttpSessionSecurityContextRepositoryTests.java
index e5a18bff1a..d3e6e9053b 100644
--- a/web/src/test/java/org/springframework/security/web/context/HttpSessionSecurityContextRepositoryTests.java
+++ b/web/src/test/java/org/springframework/security/web/context/HttpSessionSecurityContextRepositoryTests.java
@@ -133,6 +133,14 @@ public class HttpSessionSecurityContextRepositoryTests {
 		assertThat(request.getSession(false)).isNull();
 	}
 
+	@Test
+	public void loadContextWhenNullResponse() {
+		HttpSessionSecurityContextRepository repo = new HttpSessionSecurityContextRepository();
+		MockHttpServletRequest request = new MockHttpServletRequest();
+		HttpRequestResponseHolder holder = new HttpRequestResponseHolder(request, null);
+		assertThat(repo.loadContext(holder)).isEqualTo(SecurityContextHolder.createEmptyContext());
+	}
+
 	@Test
 	public void existingContextIsSuccessFullyLoadedFromSessionAndSavedBack() {
 		HttpSessionSecurityContextRepository repo = new HttpSessionSecurityContextRepository();