Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-10-24 19:28:45 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix securityContextRepository() initialization in oauth2Login() DSL

Browse Source 
Closes gh-17502

Signed-off-by: Marcus Hert da Coregio <marcusdacoregio@gmail.com>
This commit is contained in:
Marcus Hert da Coregio 2025-07-09 19:20:01 -03:00 committed by Joe Grandja
parent b81d894cc8
commit 2a38de48b8
2 changed files with 43 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2LoginConfigurer.java
View File

@ -87,6 +87,7 @@ import org.springframework.security.web.authentication.LoginUrlAuthenticationEnt
import org.springframework.security.web.authentication.session.SessionAuthenticationException; import org.springframework.security.web.authentication.session.SessionAuthenticationException;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy; import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
import org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter; import org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter;
import org.springframework.security.web.context.SecurityContextRepository;
import org.springframework.security.web.csrf.CsrfToken; import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.security.web.savedrequest.RequestCache; import org.springframework.security.web.savedrequest.RequestCache;
import org.springframework.security.web.util.matcher.AndRequestMatcher; import org.springframework.security.web.util.matcher.AndRequestMatcher;
@ -177,6 +178,8 @@ public final class OAuth2LoginConfigurer<B extends HttpSecurityBuilder<B>>
private OAuth2AuthorizedClientRepository authorizedClientRepository; private OAuth2AuthorizedClientRepository authorizedClientRepository;
private SecurityContextRepository securityContextRepository;
/** /**
* Sets the repository of client registrations. * Sets the repository of client registrations.
* @param clientRegistrationRepository the repository of client registrations * @param clientRegistrationRepository the repository of client registrations
@ -230,6 +233,17 @@ public final class OAuth2LoginConfigurer<B extends HttpSecurityBuilder<B>>
return this; return this;
} }
/**
* Sets the {@link SecurityContextRepository} to use.
* @param securityContextRepository the {@link SecurityContextRepository} to use
* @return the {@link OAuth2LoginConfigurer} for further configuration
*/
@Override
public OAuth2LoginConfigurer<B> securityContextRepository(SecurityContextRepository securityContextRepository) {
this.securityContextRepository = securityContextRepository;
return this;
}
/** /**
* Sets the registry for managing the OIDC client-provider session link * Sets the registry for managing the OIDC client-provider session link
* @param oidcSessionRegistry the {@link OidcSessionRegistry} to use * @param oidcSessionRegistry the {@link OidcSessionRegistry} to use
@ -348,6 +362,9 @@ public final class OAuth2LoginConfigurer<B extends HttpSecurityBuilder<B>>
OAuth2LoginAuthenticationFilter authenticationFilter = new OAuth2LoginAuthenticationFilter( OAuth2LoginAuthenticationFilter authenticationFilter = new OAuth2LoginAuthenticationFilter(
this.getClientRegistrationRepository(), this.getAuthorizedClientRepository(), this.loginProcessingUrl); this.getClientRegistrationRepository(), this.getAuthorizedClientRepository(), this.loginProcessingUrl);
authenticationFilter.setSecurityContextHolderStrategy(getSecurityContextHolderStrategy()); authenticationFilter.setSecurityContextHolderStrategy(getSecurityContextHolderStrategy());
if (this.securityContextRepository != null) {
authenticationFilter.setSecurityContextRepository(this.securityContextRepository);
}
this.setAuthenticationFilter(authenticationFilter); this.setAuthenticationFilter(authenticationFilter);
super.loginProcessingUrl(this.loginProcessingUrl); super.loginProcessingUrl(this.loginProcessingUrl);
if (this.loginPage != null) { if (this.loginPage != null) {

26
config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2LoginConfigurerTests.java
View File

@ -101,6 +101,7 @@ import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.HttpStatusEntryPoint; import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.security.web.context.HttpRequestResponseHolder; import org.springframework.security.web.context.HttpRequestResponseHolder;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository; import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.context.NullSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextRepository; import org.springframework.security.web.context.SecurityContextRepository;
import org.springframework.security.web.session.HttpSessionDestroyedEvent; import org.springframework.security.web.session.HttpSessionDestroyedEvent;
import org.springframework.security.web.util.matcher.RequestHeaderRequestMatcher; import org.springframework.security.web.util.matcher.RequestHeaderRequestMatcher;
@ -110,6 +111,7 @@ import org.springframework.web.context.support.AnnotationConfigWebApplicationCon
import static org.assertj.core.api.Assertions.assertThat; import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatExceptionOfType; import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
import static org.assertj.core.api.Assertions.assertThatNoException;
import static org.mockito.ArgumentMatchers.any; import static org.mockito.ArgumentMatchers.any;
import static org.mockito.ArgumentMatchers.anyString; import static org.mockito.ArgumentMatchers.anyString;
import static org.mockito.BDDMockito.given; import static org.mockito.BDDMockito.given;
@ -696,6 +698,12 @@ public class OAuth2LoginConfigurerTests {
verifyNoInteractions(clientRegistrationRepository, authorizedClientRepository); verifyNoInteractions(clientRegistrationRepository, authorizedClientRepository);
} }
// gh-16623
@Test
public void oauth2LoginWithCustomSecurityContextRepository() {
assertThatNoException().isThrownBy(() -> loadConfig(OAuth2LoginConfigSecurityContextRepository.class));
}
private void loadConfig(Class<?>... configs) { private void loadConfig(Class<?>... configs) {
AnnotationConfigWebApplicationContext applicationContext = new AnnotationConfigWebApplicationContext(); AnnotationConfigWebApplicationContext applicationContext = new AnnotationConfigWebApplicationContext();
applicationContext.register(configs); applicationContext.register(configs);
@ -944,6 +952,24 @@ public class OAuth2LoginConfigurerTests {
} }
@Configuration
@EnableWebSecurity
static class OAuth2LoginConfigSecurityContextRepository extends CommonSecurityFilterChainConfig {
@Bean
SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
// @formatter:off
http
.oauth2Login((login) -> login
.clientRegistrationRepository(
new InMemoryClientRegistrationRepository(GOOGLE_CLIENT_REGISTRATION))
.securityContextRepository(new NullSecurityContextRepository()));
// @formatter:on
return super.configureFilterChain(http);
}
}
@Configuration @Configuration
@EnableWebSecurity @EnableWebSecurity
static class OAuth2LoginConfigCustomAuthorizationRequestResolver extends CommonSecurityFilterChainConfig { static class OAuth2LoginConfigCustomAuthorizationRequestResolver extends CommonSecurityFilterChainConfig {