RequestAttributeSecurityContextRepository never null SecurityContext

Previously loadContext(HttpServletRequest) could return a Supplier that returned a null SecurityContext This commit ensures that null is never returned by the Supplier by returning SecurityContextHolder.createEmptyContext() instead. Closes gh-11606
2022-08-08 13:52:12 -05:00 · 2022-08-08 13:52:12 -05:00 · 269c711a64
parent 99f768bab9
commit 269c711a64
2 changed files with 27 additions and 4 deletions
--- a/web/src/main/java/org/springframework/security/web/context/RequestAttributeSecurityContextRepository.java
+++ b/web/src/main/java/org/springframework/security/web/context/RequestAttributeSecurityContextRepository.java
@ -66,18 +66,26 @@ public final class RequestAttributeSecurityContextRepository implements Security

 	@Override
 	public boolean containsContext(HttpServletRequest request) {
-		return loadContext(request).get() != null;
+		return getContext(request) != null;
 	}

 	@Override
 	public SecurityContext loadContext(HttpRequestResponseHolder requestResponseHolder) {
-		SecurityContext context = loadContext(requestResponseHolder.getRequest()).get();
-		return (context != null) ? context : SecurityContextHolder.createEmptyContext();
+		return getContextOrEmpty(requestResponseHolder.getRequest());
 	}

 	@Override
 	public Supplier<SecurityContext> loadContext(HttpServletRequest request) {
-		return () -> (SecurityContext) request.getAttribute(this.requestAttributeName);
+		return () -> getContextOrEmpty(request);
+	}
+
+	private SecurityContext getContextOrEmpty(HttpServletRequest request) {
+		SecurityContext context = getContext(request);
+		return (context != null) ? context : SecurityContextHolder.createEmptyContext();
+	}
+
+	private SecurityContext getContext(HttpServletRequest request) {
+		return (SecurityContext) request.getAttribute(this.requestAttributeName);
 	}

 	@Override
--- a/web/src/test/java/org/springframework/security/web/context/RequestAttributeSecurityContextRepositoryTests.java
+++ b/web/src/test/java/org/springframework/security/web/context/RequestAttributeSecurityContextRepositoryTests.java
@ -16,6 +16,8 @@

 package org.springframework.security.web.context;

+import java.util.function.Supplier;
+
 import org.junit.jupiter.api.Test;

 import org.springframework.mock.web.MockHttpServletRequest;
@ -67,4 +69,17 @@ class RequestAttributeSecurityContextRepositoryTests {
 		assertThat(this.repository.containsContext(this.request)).isTrue();
 	}

+	@Test
+	void loadDeferredContextWhenNotPresentThenEmptyContext() {
+		Supplier<SecurityContext> deferredContext = this.repository.loadContext(this.request);
+		assertThat(deferredContext.get()).isEqualTo(SecurityContextHolder.createEmptyContext());
+	}
+
+	@Test
+	void loadContextWhenNotPresentThenEmptyContext() {
+		SecurityContext context = this.repository
+				.loadContext(new HttpRequestResponseHolder(this.request, this.response));
+		assertThat(context).isEqualTo(SecurityContextHolder.createEmptyContext());
+	}
+
 }