Default to DelegatingSecurityContextRepository

Closes gh-12023
Closes gh-12049
Steve Riesenberg 2022-10-17 20:04:43 -05:00
parent e238b721bb
commit 33b492df54
No known key found for this signature in database
GPG Key ID: 5F311AB48A55D521
5 changed files with 60 additions and 30 deletions


@ -21,7 +21,9 @@ import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.context.DelegatingSecurityContextRepository;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.context.RequestAttributeSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextHolderFilter;
import org.springframework.security.web.context.SecurityContextPersistenceFilter;
import org.springframework.security.web.context.SecurityContextRepository;
@ -96,7 +98,8 @@ public final class SecurityContextConfigurer<H extends HttpSecurityBuilder<H>>
SecurityContextRepository securityContextRepository = getBuilder()
.getSharedObject(SecurityContextRepository.class);
if (securityContextRepository == null) {
securityContextRepository = new HttpSessionSecurityContextRepository();
securityContextRepository = new DelegatingSecurityContextRepository(
new RequestAttributeSecurityContextRepository(), new HttpSessionSecurityContextRepository());
}
return securityContextRepository;
}
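Review bot: The fallback assigned at the two added lines changes the runtime type of the shared `SecurityContextRepository` from `HttpSessionSecurityContextRepository` to a `DelegatingSecurityContextRepository`, and nothing in the hunk records that change or why the request-attribute delegate is listed before the session one. Any other configurer that inspects the shared object with `instanceof HttpSessionSecurityContextRepository` would presumably stop matching after this commit; that is worth confirming against the sibling configurers. Suggest a comment above the assignment, `// Default is a composite: request-attribute repository first, then the session repository; callers must not assume the session type`, and a matching sentence in the method's Javadoc describing the new default. The enclosing method's signature and Javadoc start outside the hunk.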


@ -0,0 +1,46 @@
/*
* Copyright 2002-2022 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.security.config;
import org.springframework.security.core.context.DeferredSecurityContext;
import org.springframework.security.core.context.SecurityContext;
/**
* @author Steve Riesenberg
*/
public class TestDeferredSecurityContext implements DeferredSecurityContext {
private SecurityContext securityContext;
private boolean isGenerated;
public TestDeferredSecurityContext(SecurityContext securityContext, boolean isGenerated) {
this.securityContext = securityContext;
this.isGenerated = isGenerated;
}
@Override
public SecurityContext get() {
return this.securityContext;
}
@Override
public boolean isGenerated() {
return this.isGenerated;
}
}
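Review bot: Neither field of `TestDeferredSecurityContext` is reassigned after the constructor, so both should be declared `private final` to make the fixture's immutability explicit: `private final SecurityContext securityContext;` and `private final boolean isGenerated;`. The class Javadoc carries only `@author`; a one-line summary such as `A fixed {@link DeferredSecurityContext} for tests that returns the supplied context and generated flag unchanged.` would tell readers what the shared fixture is for now that the per-test nested copy is removed.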


@ -28,6 +28,7 @@ import org.junit.jupiter.api.extension.ExtendWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.TestDeferredSecurityContext;
import org.springframework.security.config.annotation.ObjectPostProcessor;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.TestHttpSecurity;
@ -83,10 +84,10 @@ public class SecurityContextConfigurerTests {
@Test
public void securityContextWhenInvokedTwiceThenUsesOriginalSecurityContextRepository() throws Exception {
this.spring.register(DuplicateDoesNotOverrideConfig.class).autowire();
given(DuplicateDoesNotOverrideConfig.SCR.loadContext(any(HttpServletRequest.class)))
.willReturn(() -> mock(SecurityContext.class));
given(DuplicateDoesNotOverrideConfig.SCR.loadDeferredContext(any(HttpServletRequest.class)))
.willReturn(new TestDeferredSecurityContext(mock(SecurityContext.class), false));
this.mvc.perform(get("/"));
verify(DuplicateDoesNotOverrideConfig.SCR).loadContext(any(HttpServletRequest.class));
verify(DuplicateDoesNotOverrideConfig.SCR).loadDeferredContext(any(HttpServletRequest.class));
}
// SEC-2932


@ -27,6 +27,7 @@ import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.mock.web.MockHttpSession;
import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.config.TestDeferredSecurityContext;
import org.springframework.security.config.annotation.ObjectPostProcessor;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
@ -103,7 +104,8 @@ public class SessionManagementConfigurerTests {
public void sessionManagementWhenConfiguredThenDoesNotOverrideSecurityContextRepository() throws Exception {
SessionManagementSecurityContextRepositoryConfig.SECURITY_CONTEXT_REPO = mock(SecurityContextRepository.class);
given(SessionManagementSecurityContextRepositoryConfig.SECURITY_CONTEXT_REPO
.loadContext(any(HttpServletRequest.class))).willReturn(() -> mock(SecurityContext.class));
.loadDeferredContext(any(HttpServletRequest.class)))
.willReturn(new TestDeferredSecurityContext(mock(SecurityContext.class), false));
this.spring.register(SessionManagementSecurityContextRepositoryConfig.class).autowire();
this.mvc.perform(get("/"));
}


@ -68,6 +68,7 @@ import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.authentication.jaas.AuthorityGranter;
import org.springframework.security.config.TestDeferredSecurityContext;
import org.springframework.security.config.test.SpringTestContext;
import org.springframework.security.config.test.SpringTestContextExtension;
import org.springframework.security.core.Authentication;
@ -75,7 +76,6 @@ import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.DeferredSecurityContext;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.context.SecurityContextHolderStrategy;
@ -473,7 +473,8 @@ public class MiscHttpConfigTests {
this.spring.configLocations(xml("SecurityContextRepository")).autowire();
SecurityContextRepository repository = this.spring.getContext().getBean(SecurityContextRepository.class);
SecurityContext context = new SecurityContextImpl(new TestingAuthenticationToken("user", "password"));
given(repository.loadContext(any(HttpServletRequest.class))).willReturn(() -> context);
given(repository.loadDeferredContext(any(HttpServletRequest.class)))
.willReturn(new TestDeferredSecurityContext(context, false));
// @formatter:off
MvcResult result = this.mvc.perform(get("/protected").with(userCredentials()))
.andExpect(status().isOk())
@ -1039,27 +1040,4 @@ public class MiscHttpConfigTests {
}
static class TestDeferredSecurityContext implements DeferredSecurityContext {
private SecurityContext securityContext;
private boolean isGenerated;
TestDeferredSecurityContext(SecurityContext securityContext, boolean isGenerated) {
this.securityContext = securityContext;
this.isGenerated = isGenerated;
}
@Override
public SecurityContext get() {
return this.securityContext;
}
@Override
public boolean isGenerated() {
return this.isGenerated;
}
}
}