Change default SecurityContextRepository
Save the SecurityContext in request attributes for stateless session management by using RequestAttributeSecurityContextRepository. Closes gh-11026
This commit is contained in:
parent
ccac34b07c
commit
3c66ef6305
@ -47,7 +47,7 @@ import org.springframework.security.web.authentication.session.RegisterSessionAu
|
|||||||
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
|
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
|
||||||
import org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy;
|
import org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy;
|
||||||
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
|
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
|
||||||
import org.springframework.security.web.context.NullSecurityContextRepository;
|
import org.springframework.security.web.context.RequestAttributeSecurityContextRepository;
|
||||||
import org.springframework.security.web.context.SecurityContextRepository;
|
import org.springframework.security.web.context.SecurityContextRepository;
|
||||||
import org.springframework.security.web.savedrequest.NullRequestCache;
|
import org.springframework.security.web.savedrequest.NullRequestCache;
|
||||||
import org.springframework.security.web.savedrequest.RequestCache;
|
import org.springframework.security.web.savedrequest.RequestCache;
|
||||||
@ -341,7 +341,7 @@ public final class SessionManagementConfigurer<H extends HttpSecurityBuilder<H>>
|
|||||||
boolean stateless = isStateless();
|
boolean stateless = isStateless();
|
||||||
if (securityContextRepository == null) {
|
if (securityContextRepository == null) {
|
||||||
if (stateless) {
|
if (stateless) {
|
||||||
http.setSharedObject(SecurityContextRepository.class, new NullSecurityContextRepository());
|
http.setSharedObject(SecurityContextRepository.class, new RequestAttributeSecurityContextRepository());
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
HttpSessionSecurityContextRepository httpSecurityRepository = new HttpSessionSecurityContextRepository();
|
HttpSessionSecurityContextRepository httpSecurityRepository = new HttpSessionSecurityContextRepository();
|
||||||
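Review bot: The `if (stateless)` branch at the new `http.setSharedObject(SecurityContextRepository.class, new RequestAttributeSecurityContextRepository());` line has no comment saying why a per-request store is now the default, and the reason is easy to lose later: STATELESS must never create or touch an HttpSession, yet filters later in the same request still need the authenticated context. I would add `// STATELESS: never touch the HttpSession, but keep the context in the request so later filters in this request can still see it` above that line. Unlike NullSecurityContextRepository, the new repository will, as far as I know, report containsContext(request) as true once a filter has saved a context in the same request; if anything else in this configurer keys off that (not visible in the hunk), it is worth re-checking. The enclosing method starts and ends outside the hunk.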
|
@ -61,7 +61,7 @@ import org.springframework.security.web.authentication.session.ConcurrentSession
|
|||||||
import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
|
import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
|
||||||
import org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy;
|
import org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy;
|
||||||
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
|
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
|
||||||
import org.springframework.security.web.context.NullSecurityContextRepository;
|
import org.springframework.security.web.context.RequestAttributeSecurityContextRepository;
|
||||||
import org.springframework.security.web.context.SecurityContextHolderFilter;
|
import org.springframework.security.web.context.SecurityContextHolderFilter;
|
||||||
import org.springframework.security.web.context.SecurityContextPersistenceFilter;
|
import org.springframework.security.web.context.SecurityContextPersistenceFilter;
|
||||||
import org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter;
|
import org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter;
|
||||||
@ -365,7 +365,7 @@ class HttpConfigurationBuilder {
|
|||||||
if (!StringUtils.hasText(repoRef)) {
|
if (!StringUtils.hasText(repoRef)) {
|
||||||
BeanDefinitionBuilder contextRepo;
|
BeanDefinitionBuilder contextRepo;
|
||||||
if (this.sessionPolicy == SessionCreationPolicy.STATELESS) {
|
if (this.sessionPolicy == SessionCreationPolicy.STATELESS) {
|
||||||
contextRepo = BeanDefinitionBuilder.rootBeanDefinition(NullSecurityContextRepository.class);
|
contextRepo = BeanDefinitionBuilder.rootBeanDefinition(RequestAttributeSecurityContextRepository.class);
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
contextRepo = BeanDefinitionBuilder.rootBeanDefinition(HttpSessionSecurityContextRepository.class);
|
contextRepo = BeanDefinitionBuilder.rootBeanDefinition(HttpSessionSecurityContextRepository.class);
|
||||||
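Review bot: The namespace path now gives a stateless `<http>` (the `SessionCreationPolicy.STATELESS` branch at the new `rootBeanDefinition(RequestAttributeSecurityContextRepository.class)` line) the same default as the Java DSL, but none of the tests in this commit exercise the XML configuration; the added tests cover the Java configurer and the individual filters only. A namespace test asserting that a stateless `<http>` leaves `request.getSession(false)` null and populates `RequestAttributeSecurityContextRepository.DEFAULT_REQUEST_ATTR_NAME` would pin this branch the same way `loginWhenSessionCreationPolicyStatelessThenSecurityContextIsAvailableInRequestAttributes` does for the DSL. A one-line comment mirroring the Java side, e.g. `// stateless: per-request store so no HttpSession is ever created`, would also help. The enclosing method extends beyond the hunk.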
|
@ -1,5 +1,5 @@
|
|||||||
/*
|
/*
|
||||||
* Copyright 2002-2019 the original author or authors.
|
* Copyright 2002-2022 the original author or authors.
|
||||||
*
|
*
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
* you may not use this file except in compliance with the License.
|
* you may not use this file except in compliance with the License.
|
||||||
@ -43,6 +43,7 @@ import org.springframework.security.web.authentication.session.ChangeSessionIdAu
|
|||||||
import org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy;
|
import org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy;
|
||||||
import org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy;
|
import org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy;
|
||||||
import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
|
import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
|
||||||
|
import org.springframework.security.web.context.RequestAttributeSecurityContextRepository;
|
||||||
import org.springframework.security.web.context.SecurityContextRepository;
|
import org.springframework.security.web.context.SecurityContextRepository;
|
||||||
import org.springframework.security.web.savedrequest.RequestCache;
|
import org.springframework.security.web.savedrequest.RequestCache;
|
||||||
import org.springframework.security.web.session.ConcurrentSessionFilter;
|
import org.springframework.security.web.session.ConcurrentSessionFilter;
|
||||||
@ -340,6 +341,22 @@ public class SessionManagementConfigurerTests {
|
|||||||
this.mvc.perform(get("/")).andExpect(content().string("encoded"));
|
this.mvc.perform(get("/")).andExpect(content().string("encoded"));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void loginWhenSessionCreationPolicyStatelessThenSecurityContextIsAvailableInRequestAttributes()
|
||||||
|
throws Exception {
|
||||||
|
this.spring.register(HttpBasicSessionCreationPolicyStatelessConfig.class).autowire();
|
||||||
|
// @formatter:off
|
||||||
|
MvcResult mvcResult = this.mvc.perform(get("/").with(httpBasic("user", "password")))
|
||||||
|
.andExpect(status().isOk())
|
||||||
|
.andReturn();
|
||||||
|
// @formatter:on
|
||||||
|
HttpSession session = mvcResult.getRequest().getSession(false);
|
||||||
|
assertThat(session).isNull();
|
||||||
|
SecurityContext securityContext = (SecurityContext) mvcResult.getRequest()
|
||||||
|
.getAttribute(RequestAttributeSecurityContextRepository.DEFAULT_REQUEST_ATTR_NAME);
|
||||||
|
assertThat(securityContext).isNotNull();
|
||||||
|
}
|
||||||
|
|
||||||
@Configuration
|
@Configuration
|
||||||
@EnableWebSecurity
|
@EnableWebSecurity
|
||||||
static class SessionManagementRequestCacheConfig extends WebSecurityConfigurerAdapter {
|
static class SessionManagementRequestCacheConfig extends WebSecurityConfigurerAdapter {
|
||||||
@ -659,6 +676,38 @@ public class SessionManagementConfigurerTests {
|
|||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Configuration
|
||||||
|
@EnableWebSecurity
|
||||||
|
static class HttpBasicSessionCreationPolicyStatelessConfig extends WebSecurityConfigurerAdapter {
|
||||||
|
|
||||||
|
@Override
|
||||||
|
protected void configure(HttpSecurity http) throws Exception {
|
||||||
|
// @formatter:off
|
||||||
|
http
|
||||||
|
.sessionManagement((sessionManagement) ->
|
||||||
|
sessionManagement
|
||||||
|
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
|
||||||
|
)
|
||||||
|
.httpBasic(withDefaults());
|
||||||
|
// @formatter:on
|
||||||
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
|
||||||
|
// @formatter:off
|
||||||
|
auth
|
||||||
|
.inMemoryAuthentication()
|
||||||
|
.withUser(PasswordEncodedUser.user());
|
||||||
|
// @formatter:on
|
||||||
|
}
|
||||||
|
|
||||||
|
@Bean
|
||||||
|
EncodesUrls encodesUrls() {
|
||||||
|
return new EncodesUrls();
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
@RestController
|
@RestController
|
||||||
static class EncodesUrls {
|
static class EncodesUrls {
|
||||||
|
|
||||||
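Review bot: `loginWhenSessionCreationPolicyStatelessThenSecurityContextIsAvailableInRequestAttributes` only asserts that the request attribute is non-null, which would also pass if an empty or anonymous SecurityContext had been saved; it does not show that the context produced by the basic-auth login is what was stored. Tightening the end of the test to `assertThat(securityContext.getAuthentication()).isNotNull();` and `assertThat(securityContext.getAuthentication().getName()).isEqualTo("user");` ties the saved context to the credentials sent via `httpBasic("user", "password")`. The `getSession(false)` null check is the key security assertion for STATELESS and should stay as is.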
|
@ -41,7 +41,7 @@ import org.springframework.security.oauth2.server.resource.web.DefaultBearerToke
|
|||||||
import org.springframework.security.web.AuthenticationEntryPoint;
|
import org.springframework.security.web.AuthenticationEntryPoint;
|
||||||
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
|
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
|
||||||
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
|
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
|
||||||
import org.springframework.security.web.context.NullSecurityContextRepository;
|
import org.springframework.security.web.context.RequestAttributeSecurityContextRepository;
|
||||||
import org.springframework.security.web.context.SecurityContextRepository;
|
import org.springframework.security.web.context.SecurityContextRepository;
|
||||||
import org.springframework.util.Assert;
|
import org.springframework.util.Assert;
|
||||||
import org.springframework.web.filter.OncePerRequestFilter;
|
import org.springframework.web.filter.OncePerRequestFilter;
|
||||||
@ -80,7 +80,7 @@ public final class BearerTokenAuthenticationFilter extends OncePerRequestFilter
|
|||||||
|
|
||||||
private AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource = new WebAuthenticationDetailsSource();
|
private AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource = new WebAuthenticationDetailsSource();
|
||||||
|
|
||||||
private SecurityContextRepository securityContextRepository = new NullSecurityContextRepository();
|
private SecurityContextRepository securityContextRepository = new RequestAttributeSecurityContextRepository();
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Construct a {@code BearerTokenAuthenticationFilter} using the provided parameter(s)
|
* Construct a {@code BearerTokenAuthenticationFilter} using the provided parameter(s)
|
||||||
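Review bot: The new initialiser `private SecurityContextRepository securityContextRepository = new RequestAttributeSecurityContextRepository();` changes the default for every BearerTokenAuthenticationFilter built outside the DSL, and the field carries no Javadoc explaining the choice. I would add `// Request-scoped on purpose: bearer tokens are re-validated on every request and must never create an HttpSession` so a later change does not switch it to the session-backed repository. If the class exposes a setter for this field (not in the hunk), its Javadoc should state the new default too.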
|
@ -1,5 +1,5 @@
|
|||||||
/*
|
/*
|
||||||
* Copyright 2002-2021 the original author or authors.
|
* Copyright 2002-2022 the original author or authors.
|
||||||
*
|
*
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
* you may not use this file except in compliance with the License.
|
* you may not use this file except in compliance with the License.
|
||||||
@ -44,6 +44,7 @@ import org.springframework.security.oauth2.server.resource.authentication.Bearer
|
|||||||
import org.springframework.security.oauth2.server.resource.web.BearerTokenResolver;
|
import org.springframework.security.oauth2.server.resource.web.BearerTokenResolver;
|
||||||
import org.springframework.security.web.AuthenticationEntryPoint;
|
import org.springframework.security.web.AuthenticationEntryPoint;
|
||||||
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
|
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
|
||||||
|
import org.springframework.security.web.context.RequestAttributeSecurityContextRepository;
|
||||||
import org.springframework.security.web.context.SecurityContextRepository;
|
import org.springframework.security.web.context.SecurityContextRepository;
|
||||||
|
|
||||||
import static org.assertj.core.api.Assertions.assertThat;
|
import static org.assertj.core.api.Assertions.assertThat;
|
||||||
@ -105,6 +106,8 @@ public class BearerTokenAuthenticationFilterTests {
|
|||||||
.forClass(BearerTokenAuthenticationToken.class);
|
.forClass(BearerTokenAuthenticationToken.class);
|
||||||
verify(this.authenticationManager).authenticate(captor.capture());
|
verify(this.authenticationManager).authenticate(captor.capture());
|
||||||
assertThat(captor.getValue().getPrincipal()).isEqualTo("token");
|
assertThat(captor.getValue().getPrincipal()).isEqualTo("token");
|
||||||
|
assertThat(this.request.getAttribute(RequestAttributeSecurityContextRepository.DEFAULT_REQUEST_ATTR_NAME))
|
||||||
|
.isNotNull();
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
@ -138,6 +141,8 @@ public class BearerTokenAuthenticationFilterTests {
|
|||||||
.forClass(BearerTokenAuthenticationToken.class);
|
.forClass(BearerTokenAuthenticationToken.class);
|
||||||
verify(this.authenticationManager).authenticate(captor.capture());
|
verify(this.authenticationManager).authenticate(captor.capture());
|
||||||
assertThat(captor.getValue().getPrincipal()).isEqualTo("token");
|
assertThat(captor.getValue().getPrincipal()).isEqualTo("token");
|
||||||
|
assertThat(this.request.getAttribute(RequestAttributeSecurityContextRepository.DEFAULT_REQUEST_ATTR_NAME))
|
||||||
|
.isNotNull();
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
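Review bot: Both added assertions `assertThat(this.request.getAttribute(RequestAttributeSecurityContextRepository.DEFAULT_REQUEST_ATTR_NAME)).isNotNull()` check only presence, not content, so a context saved without the authenticated token would still pass. Since each test already captures the token handed to `authenticationManager.authenticate`, it could cast the attribute to `SecurityContext` and assert that its `getAuthentication()` is the value the mocked manager returned. That makes the test fail if a future change saves the context before authentication succeeds instead of after.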
|
@ -43,7 +43,7 @@ import org.springframework.security.core.context.SecurityContextHolder;
|
|||||||
import org.springframework.security.core.context.SecurityContextHolderStrategy;
|
import org.springframework.security.core.context.SecurityContextHolderStrategy;
|
||||||
import org.springframework.security.web.authentication.session.NullAuthenticatedSessionStrategy;
|
import org.springframework.security.web.authentication.session.NullAuthenticatedSessionStrategy;
|
||||||
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
|
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
|
||||||
import org.springframework.security.web.context.NullSecurityContextRepository;
|
import org.springframework.security.web.context.RequestAttributeSecurityContextRepository;
|
||||||
import org.springframework.security.web.context.SecurityContextRepository;
|
import org.springframework.security.web.context.SecurityContextRepository;
|
||||||
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
|
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
|
||||||
import org.springframework.security.web.util.matcher.RequestMatcher;
|
import org.springframework.security.web.util.matcher.RequestMatcher;
|
||||||
@ -140,7 +140,7 @@ public abstract class AbstractAuthenticationProcessingFilter extends GenericFilt
|
|||||||
|
|
||||||
private AuthenticationFailureHandler failureHandler = new SimpleUrlAuthenticationFailureHandler();
|
private AuthenticationFailureHandler failureHandler = new SimpleUrlAuthenticationFailureHandler();
|
||||||
|
|
||||||
private SecurityContextRepository securityContextRepository = new NullSecurityContextRepository();
|
private SecurityContextRepository securityContextRepository = new RequestAttributeSecurityContextRepository();
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @param defaultFilterProcessesUrl the default value for <tt>filterProcessesUrl</tt>.
|
* @param defaultFilterProcessesUrl the default value for <tt>filterProcessesUrl</tt>.
|
||||||
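Review bot: For AbstractAuthenticationProcessingFilter the request-attribute default deserves a caveat on the field, because form-login style subclasses normally finish with a redirect (the neighbouring default is `SimpleUrlAuthenticationFailureHandler`), and a request-scoped store is gone by the time the browser follows it. Inside HttpSecurity the configurer presumably overrides this with the session-backed repository (not visible here); a filter wired by hand will appear to log in and then be unauthenticated on the next request — the same outcome as with the old NullSecurityContextRepository, but now easier to mistake for a bug. I would add `// Request-scoped by default; standalone usage that relies on an HttpSession must call setSecurityContextRepository(new HttpSessionSecurityContextRepository())` above the field. The enclosing class continues outside the hunk.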
|
@ -33,7 +33,7 @@ import org.springframework.security.core.AuthenticationException;
|
|||||||
import org.springframework.security.core.context.SecurityContext;
|
import org.springframework.security.core.context.SecurityContext;
|
||||||
import org.springframework.security.core.context.SecurityContextHolder;
|
import org.springframework.security.core.context.SecurityContextHolder;
|
||||||
import org.springframework.security.core.context.SecurityContextHolderStrategy;
|
import org.springframework.security.core.context.SecurityContextHolderStrategy;
|
||||||
import org.springframework.security.web.context.NullSecurityContextRepository;
|
import org.springframework.security.web.context.RequestAttributeSecurityContextRepository;
|
||||||
import org.springframework.security.web.context.SecurityContextRepository;
|
import org.springframework.security.web.context.SecurityContextRepository;
|
||||||
import org.springframework.security.web.util.matcher.AnyRequestMatcher;
|
import org.springframework.security.web.util.matcher.AnyRequestMatcher;
|
||||||
import org.springframework.security.web.util.matcher.RequestMatcher;
|
import org.springframework.security.web.util.matcher.RequestMatcher;
|
||||||
@ -80,7 +80,7 @@ public class AuthenticationFilter extends OncePerRequestFilter {
|
|||||||
private AuthenticationFailureHandler failureHandler = new AuthenticationEntryPointFailureHandler(
|
private AuthenticationFailureHandler failureHandler = new AuthenticationEntryPointFailureHandler(
|
||||||
new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED));
|
new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED));
|
||||||
|
|
||||||
private SecurityContextRepository securityContextRepository = new NullSecurityContextRepository();
|
private SecurityContextRepository securityContextRepository = new RequestAttributeSecurityContextRepository();
|
||||||
|
|
||||||
private AuthenticationManagerResolver<HttpServletRequest> authenticationManagerResolver;
|
private AuthenticationManagerResolver<HttpServletRequest> authenticationManagerResolver;
|
||||||
|
|
||||||
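Review bot: The new default at `private SecurityContextRepository securityContextRepository = new RequestAttributeSecurityContextRepository();` is undocumented, and AuthenticationFilter is a class users commonly instantiate by hand rather than through the DSL. A short Javadoc stating that the authenticated context is kept only for the current request, and that persisting it across requests requires an explicit `setSecurityContextRepository(...)`, would make the behaviour change visible to anyone upgrading. Using the same wording as the sibling filters changed in this commit would keep the five defaults consistent.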
|
@ -41,7 +41,7 @@ import org.springframework.security.web.WebAttributes;
|
|||||||
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
|
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
|
||||||
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
|
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
|
||||||
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
|
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
|
||||||
import org.springframework.security.web.context.NullSecurityContextRepository;
|
import org.springframework.security.web.context.RequestAttributeSecurityContextRepository;
|
||||||
import org.springframework.security.web.context.SecurityContextRepository;
|
import org.springframework.security.web.context.SecurityContextRepository;
|
||||||
import org.springframework.security.web.util.matcher.RequestMatcher;
|
import org.springframework.security.web.util.matcher.RequestMatcher;
|
||||||
import org.springframework.util.Assert;
|
import org.springframework.util.Assert;
|
||||||
@ -110,7 +110,7 @@ public abstract class AbstractPreAuthenticatedProcessingFilter extends GenericFi
|
|||||||
|
|
||||||
private RequestMatcher requiresAuthenticationRequestMatcher = new PreAuthenticatedProcessingRequestMatcher();
|
private RequestMatcher requiresAuthenticationRequestMatcher = new PreAuthenticatedProcessingRequestMatcher();
|
||||||
|
|
||||||
private SecurityContextRepository securityContextRepository = new NullSecurityContextRepository();
|
private SecurityContextRepository securityContextRepository = new RequestAttributeSecurityContextRepository();
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Check whether all required properties have been set.
|
* Check whether all required properties have been set.
|
||||||
|
@ -37,7 +37,7 @@ import org.springframework.security.core.context.SecurityContextHolder;
|
|||||||
import org.springframework.security.core.context.SecurityContextHolderStrategy;
|
import org.springframework.security.core.context.SecurityContextHolderStrategy;
|
||||||
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
|
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
|
||||||
import org.springframework.security.web.authentication.RememberMeServices;
|
import org.springframework.security.web.authentication.RememberMeServices;
|
||||||
import org.springframework.security.web.context.NullSecurityContextRepository;
|
import org.springframework.security.web.context.RequestAttributeSecurityContextRepository;
|
||||||
import org.springframework.security.web.context.SecurityContextRepository;
|
import org.springframework.security.web.context.SecurityContextRepository;
|
||||||
import org.springframework.util.Assert;
|
import org.springframework.util.Assert;
|
||||||
import org.springframework.web.filter.GenericFilterBean;
|
import org.springframework.web.filter.GenericFilterBean;
|
||||||
@ -79,7 +79,7 @@ public class RememberMeAuthenticationFilter extends GenericFilterBean implements
|
|||||||
|
|
||||||
private RememberMeServices rememberMeServices;
|
private RememberMeServices rememberMeServices;
|
||||||
|
|
||||||
private SecurityContextRepository securityContextRepository = new NullSecurityContextRepository();
|
private SecurityContextRepository securityContextRepository = new RequestAttributeSecurityContextRepository();
|
||||||
|
|
||||||
public RememberMeAuthenticationFilter(AuthenticationManager authenticationManager,
|
public RememberMeAuthenticationFilter(AuthenticationManager authenticationManager,
|
||||||
RememberMeServices rememberMeServices) {
|
RememberMeServices rememberMeServices) {
|
||||||
|
@ -37,7 +37,7 @@ import org.springframework.security.core.context.SecurityContextHolderStrategy;
|
|||||||
import org.springframework.security.web.AuthenticationEntryPoint;
|
import org.springframework.security.web.AuthenticationEntryPoint;
|
||||||
import org.springframework.security.web.authentication.NullRememberMeServices;
|
import org.springframework.security.web.authentication.NullRememberMeServices;
|
||||||
import org.springframework.security.web.authentication.RememberMeServices;
|
import org.springframework.security.web.authentication.RememberMeServices;
|
||||||
import org.springframework.security.web.context.NullSecurityContextRepository;
|
import org.springframework.security.web.context.RequestAttributeSecurityContextRepository;
|
||||||
import org.springframework.security.web.context.SecurityContextRepository;
|
import org.springframework.security.web.context.SecurityContextRepository;
|
||||||
import org.springframework.util.Assert;
|
import org.springframework.util.Assert;
|
||||||
import org.springframework.web.filter.OncePerRequestFilter;
|
import org.springframework.web.filter.OncePerRequestFilter;
|
||||||
@ -109,7 +109,7 @@ public class BasicAuthenticationFilter extends OncePerRequestFilter {
|
|||||||
|
|
||||||
private BasicAuthenticationConverter authenticationConverter = new BasicAuthenticationConverter();
|
private BasicAuthenticationConverter authenticationConverter = new BasicAuthenticationConverter();
|
||||||
|
|
||||||
private SecurityContextRepository securityContextRepository = new NullSecurityContextRepository();
|
private SecurityContextRepository securityContextRepository = new RequestAttributeSecurityContextRepository();
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Creates an instance which will authenticate against the supplied
|
* Creates an instance which will authenticate against the supplied
|
||||||
|
@ -49,7 +49,7 @@ import org.springframework.security.core.userdetails.UserDetailsService;
|
|||||||
import org.springframework.security.core.userdetails.UsernameNotFoundException;
|
import org.springframework.security.core.userdetails.UsernameNotFoundException;
|
||||||
import org.springframework.security.core.userdetails.cache.NullUserCache;
|
import org.springframework.security.core.userdetails.cache.NullUserCache;
|
||||||
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
|
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
|
||||||
import org.springframework.security.web.context.NullSecurityContextRepository;
|
import org.springframework.security.web.context.RequestAttributeSecurityContextRepository;
|
||||||
import org.springframework.security.web.context.SecurityContextRepository;
|
import org.springframework.security.web.context.SecurityContextRepository;
|
||||||
import org.springframework.util.Assert;
|
import org.springframework.util.Assert;
|
||||||
import org.springframework.util.StringUtils;
|
import org.springframework.util.StringUtils;
|
||||||
@ -111,7 +111,7 @@ public class DigestAuthenticationFilter extends GenericFilterBean implements Mes
|
|||||||
|
|
||||||
private boolean createAuthenticatedToken = false;
|
private boolean createAuthenticatedToken = false;
|
||||||
|
|
||||||
private SecurityContextRepository securityContextRepository = new NullSecurityContextRepository();
|
private SecurityContextRepository securityContextRepository = new RequestAttributeSecurityContextRepository();
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public void afterPropertiesSet() {
|
public void afterPropertiesSet() {
|
||||||
|
@ -44,6 +44,7 @@ import org.springframework.security.core.context.SecurityContextHolder;
|
|||||||
import org.springframework.security.web.authentication.rememberme.AbstractRememberMeServicesTests;
|
import org.springframework.security.web.authentication.rememberme.AbstractRememberMeServicesTests;
|
||||||
import org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices;
|
import org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices;
|
||||||
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
|
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
|
||||||
|
import org.springframework.security.web.context.RequestAttributeSecurityContextRepository;
|
||||||
import org.springframework.security.web.context.SecurityContextRepository;
|
import org.springframework.security.web.context.SecurityContextRepository;
|
||||||
import org.springframework.security.web.firewall.DefaultHttpFirewall;
|
import org.springframework.security.web.firewall.DefaultHttpFirewall;
|
||||||
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
|
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
|
||||||
@ -188,6 +189,8 @@ public class AbstractAuthenticationProcessingFilterTests {
|
|||||||
assertThat(response.getRedirectedUrl()).isEqualTo("/mycontext/logged_in.jsp");
|
assertThat(response.getRedirectedUrl()).isEqualTo("/mycontext/logged_in.jsp");
|
||||||
assertThat(SecurityContextHolder.getContext().getAuthentication()).isNotNull();
|
assertThat(SecurityContextHolder.getContext().getAuthentication()).isNotNull();
|
||||||
assertThat(SecurityContextHolder.getContext().getAuthentication().getPrincipal().toString()).isEqualTo("test");
|
assertThat(SecurityContextHolder.getContext().getAuthentication().getPrincipal().toString()).isEqualTo("test");
|
||||||
|
assertThat(request.getAttribute(RequestAttributeSecurityContextRepository.DEFAULT_REQUEST_ATTR_NAME))
|
||||||
|
.isNotNull();
|
||||||
// Should still have the same session
|
// Should still have the same session
|
||||||
assertThat(request.getSession()).isEqualTo(sessionPreAuth);
|
assertThat(request.getSession()).isEqualTo(sessionPreAuth);
|
||||||
}
|
}
|
||||||
@ -215,6 +218,8 @@ public class AbstractAuthenticationProcessingFilterTests {
|
|||||||
assertThat(response.getRedirectedUrl()).isEqualTo("/mycontext/logged_in.jsp");
|
assertThat(response.getRedirectedUrl()).isEqualTo("/mycontext/logged_in.jsp");
|
||||||
assertThat(SecurityContextHolder.getContext().getAuthentication()).isNotNull();
|
assertThat(SecurityContextHolder.getContext().getAuthentication()).isNotNull();
|
||||||
assertThat(SecurityContextHolder.getContext().getAuthentication().getPrincipal().toString()).isEqualTo("test");
|
assertThat(SecurityContextHolder.getContext().getAuthentication().getPrincipal().toString()).isEqualTo("test");
|
||||||
|
assertThat(request.getAttribute(RequestAttributeSecurityContextRepository.DEFAULT_REQUEST_ATTR_NAME))
|
||||||
|
.isNotNull();
|
||||||
// Should still have the same session
|
// Should still have the same session
|
||||||
assertThat(request.getSession()).isEqualTo(sessionPreAuth);
|
assertThat(request.getSession()).isEqualTo(sessionPreAuth);
|
||||||
}
|
}
|
||||||
@ -244,6 +249,8 @@ public class AbstractAuthenticationProcessingFilterTests {
|
|||||||
assertThat(response.getRedirectedUrl()).isEqualTo("/mycontext/logged_in.jsp");
|
assertThat(response.getRedirectedUrl()).isEqualTo("/mycontext/logged_in.jsp");
|
||||||
assertThat(SecurityContextHolder.getContext().getAuthentication()).isNotNull();
|
assertThat(SecurityContextHolder.getContext().getAuthentication()).isNotNull();
|
||||||
assertThat(SecurityContextHolder.getContext().getAuthentication().getPrincipal().toString()).isEqualTo("test");
|
assertThat(SecurityContextHolder.getContext().getAuthentication().getPrincipal().toString()).isEqualTo("test");
|
||||||
|
assertThat(request.getAttribute(RequestAttributeSecurityContextRepository.DEFAULT_REQUEST_ATTR_NAME))
|
||||||
|
.isNotNull();
|
||||||
// Should still have the same session
|
// Should still have the same session
|
||||||
assertThat(request.getSession()).isEqualTo(sessionPreAuth);
|
assertThat(request.getSession()).isEqualTo(sessionPreAuth);
|
||||||
}
|
}
|
||||||
@ -323,6 +330,8 @@ public class AbstractAuthenticationProcessingFilterTests {
|
|||||||
verify(successHandler).onAuthenticationSuccess(any(HttpServletRequest.class), any(HttpServletResponse.class),
|
verify(successHandler).onAuthenticationSuccess(any(HttpServletRequest.class), any(HttpServletResponse.class),
|
||||||
any(Authentication.class));
|
any(Authentication.class));
|
||||||
assertThat(SecurityContextHolder.getContext().getAuthentication()).isNotNull();
|
assertThat(SecurityContextHolder.getContext().getAuthentication()).isNotNull();
|
||||||
|
assertThat(request.getAttribute(RequestAttributeSecurityContextRepository.DEFAULT_REQUEST_ATTR_NAME))
|
||||||
|
.isNotNull();
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
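Review bot: The added `assertThat(request.getAttribute(RequestAttributeSecurityContextRepository.DEFAULT_REQUEST_ATTR_NAME)).isNotNull()` checks verify only that something was saved, not what. Each of these tests already asserts the holder's principal is `"test"`, so the same check can be applied to the stored value, e.g. `assertThat(((SecurityContext) request.getAttribute(RequestAttributeSecurityContextRepository.DEFAULT_REQUEST_ATTR_NAME)).getAuthentication().getPrincipal().toString()).isEqualTo("test");`. That would catch a regression where the filter saves a context before the authentication is set on it.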
|
@ -42,6 +42,7 @@ import org.springframework.security.core.context.SecurityContext;
|
|||||||
import org.springframework.security.core.context.SecurityContextHolder;
|
import org.springframework.security.core.context.SecurityContextHolder;
|
||||||
import org.springframework.security.core.context.SecurityContextHolderStrategy;
|
import org.springframework.security.core.context.SecurityContextHolderStrategy;
|
||||||
import org.springframework.security.core.context.SecurityContextImpl;
|
import org.springframework.security.core.context.SecurityContextImpl;
|
||||||
|
import org.springframework.security.web.context.RequestAttributeSecurityContextRepository;
|
||||||
import org.springframework.security.web.context.SecurityContextRepository;
|
import org.springframework.security.web.context.SecurityContextRepository;
|
||||||
import org.springframework.security.web.util.matcher.RequestMatcher;
|
import org.springframework.security.web.util.matcher.RequestMatcher;
|
||||||
|
|
||||||
@ -128,6 +129,8 @@ public class AuthenticationFilterTests {
|
|||||||
verify(this.authenticationManager).authenticate(any(Authentication.class));
|
verify(this.authenticationManager).authenticate(any(Authentication.class));
|
||||||
verify(chain).doFilter(any(ServletRequest.class), any(ServletResponse.class));
|
verify(chain).doFilter(any(ServletRequest.class), any(ServletResponse.class));
|
||||||
assertThat(SecurityContextHolder.getContext().getAuthentication()).isNotNull();
|
assertThat(SecurityContextHolder.getContext().getAuthentication()).isNotNull();
|
||||||
|
assertThat(request.getAttribute(RequestAttributeSecurityContextRepository.DEFAULT_REQUEST_ATTR_NAME))
|
||||||
|
.isNotNull();
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
@ -165,6 +168,8 @@ public class AuthenticationFilterTests {
|
|||||||
verify(this.authenticationManager).authenticate(any(Authentication.class));
|
verify(this.authenticationManager).authenticate(any(Authentication.class));
|
||||||
verify(chain).doFilter(any(ServletRequest.class), any(ServletResponse.class));
|
verify(chain).doFilter(any(ServletRequest.class), any(ServletResponse.class));
|
||||||
assertThat(SecurityContextHolder.getContext().getAuthentication()).isNotNull();
|
assertThat(SecurityContextHolder.getContext().getAuthentication()).isNotNull();
|
||||||
|
assertThat(request.getAttribute(RequestAttributeSecurityContextRepository.DEFAULT_REQUEST_ATTR_NAME))
|
||||||
|
.isNotNull();
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
@ -228,6 +233,8 @@ public class AuthenticationFilterTests {
|
|||||||
verify(this.successHandler).onAuthenticationSuccess(any(), any(), any(), eq(authentication));
|
verify(this.successHandler).onAuthenticationSuccess(any(), any(), any(), eq(authentication));
|
||||||
verifyNoMoreInteractions(this.failureHandler);
|
verifyNoMoreInteractions(this.failureHandler);
|
||||||
assertThat(SecurityContextHolder.getContext().getAuthentication()).isNotNull();
|
assertThat(SecurityContextHolder.getContext().getAuthentication()).isNotNull();
|
||||||
|
assertThat(request.getAttribute(RequestAttributeSecurityContextRepository.DEFAULT_REQUEST_ATTR_NAME))
|
||||||
|
.isNotNull();
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
|
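Review bot: The new assertions closing the `@ -128`, `@ -165` and `@ -228` hunks only check that something is stored under `DEFAULT_REQUEST_ATTR_NAME`, so the tests would still pass if the filter saved an empty or stale SecurityContext in the request attribute. Since each test already asserts on `SecurityContextHolder.getContext().getAuthentication()`, tying the two together pins the behaviour the commit intends, e.g. `assertThat(request.getAttribute(RequestAttributeSecurityContextRepository.DEFAULT_REQUEST_ATTR_NAME)).isEqualTo(SecurityContextHolder.getContext());` — presumably the filter saves the same context it sets on the holder; if it saves a copy instead, assert on the saved context's `getAuthentication()` rather than on identity. The same `.isNotNull()`-only pattern is used in the AbstractPreAuthenticatedProcessingFilterTests, RememberMeAuthenticationFilterTests, BasicAuthenticationFilterTests and DigestAuthenticationFilterTests sections. The opening lines of each test method lie outside the hunks.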
@ -40,6 +40,7 @@ import org.springframework.security.core.userdetails.User;
|
|||||||
import org.springframework.security.web.WebAttributes;
|
import org.springframework.security.web.WebAttributes;
|
||||||
import org.springframework.security.web.authentication.ForwardAuthenticationFailureHandler;
|
import org.springframework.security.web.authentication.ForwardAuthenticationFailureHandler;
|
||||||
import org.springframework.security.web.authentication.ForwardAuthenticationSuccessHandler;
|
import org.springframework.security.web.authentication.ForwardAuthenticationSuccessHandler;
|
||||||
|
import org.springframework.security.web.context.RequestAttributeSecurityContextRepository;
|
||||||
import org.springframework.security.web.context.SecurityContextRepository;
|
import org.springframework.security.web.context.SecurityContextRepository;
|
||||||
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
|
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
|
||||||
|
|
||||||
@ -211,6 +212,8 @@ public class AbstractPreAuthenticatedProcessingFilterTests {
|
|||||||
filter.doFilter(request, response, chain);
|
filter.doFilter(request, response, chain);
|
||||||
verify(am).authenticate(any(PreAuthenticatedAuthenticationToken.class));
|
verify(am).authenticate(any(PreAuthenticatedAuthenticationToken.class));
|
||||||
assertThat(response.getForwardedUrl()).isEqualTo("/forwardUrl");
|
assertThat(response.getForwardedUrl()).isEqualTo("/forwardUrl");
|
||||||
|
assertThat(request.getAttribute(RequestAttributeSecurityContextRepository.DEFAULT_REQUEST_ATTR_NAME))
|
||||||
|
.isNotNull();
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
|
@ -35,6 +35,7 @@ import org.springframework.security.core.context.SecurityContextHolder;
|
|||||||
import org.springframework.security.web.authentication.NullRememberMeServices;
|
import org.springframework.security.web.authentication.NullRememberMeServices;
|
||||||
import org.springframework.security.web.authentication.RememberMeServices;
|
import org.springframework.security.web.authentication.RememberMeServices;
|
||||||
import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;
|
import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;
|
||||||
|
import org.springframework.security.web.context.RequestAttributeSecurityContextRepository;
|
||||||
import org.springframework.security.web.context.SecurityContextRepository;
|
import org.springframework.security.web.context.SecurityContextRepository;
|
||||||
|
|
||||||
import static org.assertj.core.api.Assertions.assertThat;
|
import static org.assertj.core.api.Assertions.assertThat;
|
||||||
@ -109,6 +110,8 @@ public class RememberMeAuthenticationFilterTests {
|
|||||||
filter.doFilter(request, new MockHttpServletResponse(), fc);
|
filter.doFilter(request, new MockHttpServletResponse(), fc);
|
||||||
// Ensure filter setup with our remembered authentication object
|
// Ensure filter setup with our remembered authentication object
|
||||||
assertThat(SecurityContextHolder.getContext().getAuthentication()).isSameAs(this.remembered);
|
assertThat(SecurityContextHolder.getContext().getAuthentication()).isSameAs(this.remembered);
|
||||||
|
assertThat(request.getAttribute(RequestAttributeSecurityContextRepository.DEFAULT_REQUEST_ATTR_NAME))
|
||||||
|
.isNotNull();
|
||||||
verify(fc).doFilter(any(HttpServletRequest.class), any(HttpServletResponse.class));
|
verify(fc).doFilter(any(HttpServletRequest.class), any(HttpServletResponse.class));
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -149,6 +152,8 @@ public class RememberMeAuthenticationFilterTests {
|
|||||||
request.setRequestURI("x");
|
request.setRequestURI("x");
|
||||||
filter.doFilter(request, response, fc);
|
filter.doFilter(request, response, fc);
|
||||||
assertThat(response.getRedirectedUrl()).isEqualTo("/target");
|
assertThat(response.getRedirectedUrl()).isEqualTo("/target");
|
||||||
|
assertThat(request.getAttribute(RequestAttributeSecurityContextRepository.DEFAULT_REQUEST_ATTR_NAME))
|
||||||
|
.isNotNull();
|
||||||
// Should return after success handler is invoked, so chain should not proceed
|
// Should return after success handler is invoked, so chain should not proceed
|
||||||
verifyNoMoreInteractions(fc);
|
verifyNoMoreInteractions(fc);
|
||||||
}
|
}
|
||||||
|
@ -41,6 +41,7 @@ import org.springframework.security.core.context.SecurityContextHolder;
|
|||||||
import org.springframework.security.core.context.SecurityContextHolderStrategy;
|
import org.springframework.security.core.context.SecurityContextHolderStrategy;
|
||||||
import org.springframework.security.test.web.CodecTestUtils;
|
import org.springframework.security.test.web.CodecTestUtils;
|
||||||
import org.springframework.security.web.authentication.WebAuthenticationDetails;
|
import org.springframework.security.web.authentication.WebAuthenticationDetails;
|
||||||
|
import org.springframework.security.web.context.RequestAttributeSecurityContextRepository;
|
||||||
import org.springframework.security.web.context.SecurityContextRepository;
|
import org.springframework.security.web.context.SecurityContextRepository;
|
||||||
import org.springframework.web.util.WebUtils;
|
import org.springframework.web.util.WebUtils;
|
||||||
|
|
||||||
@ -342,6 +343,8 @@ public class BasicAuthenticationFilterTests {
|
|||||||
verify(chain).doFilter(any(ServletRequest.class), any(ServletResponse.class));
|
verify(chain).doFilter(any(ServletRequest.class), any(ServletResponse.class));
|
||||||
assertThat(SecurityContextHolder.getContext().getAuthentication().getName()).isEqualTo("rod");
|
assertThat(SecurityContextHolder.getContext().getAuthentication().getName()).isEqualTo("rod");
|
||||||
assertThat(SecurityContextHolder.getContext().getAuthentication().getCredentials()).isEqualTo("äöü");
|
assertThat(SecurityContextHolder.getContext().getAuthentication().getCredentials()).isEqualTo("äöü");
|
||||||
|
assertThat(request.getAttribute(RequestAttributeSecurityContextRepository.DEFAULT_REQUEST_ATTR_NAME))
|
||||||
|
.isNotNull();
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
|
@ -41,6 +41,7 @@ import org.springframework.security.core.userdetails.UserDetails;
|
|||||||
import org.springframework.security.core.userdetails.UserDetailsService;
|
import org.springframework.security.core.userdetails.UserDetailsService;
|
||||||
import org.springframework.security.core.userdetails.cache.NullUserCache;
|
import org.springframework.security.core.userdetails.cache.NullUserCache;
|
||||||
import org.springframework.security.test.web.CodecTestUtils;
|
import org.springframework.security.test.web.CodecTestUtils;
|
||||||
|
import org.springframework.security.web.context.RequestAttributeSecurityContextRepository;
|
||||||
import org.springframework.security.web.context.SecurityContextRepository;
|
import org.springframework.security.web.context.SecurityContextRepository;
|
||||||
import org.springframework.util.StringUtils;
|
import org.springframework.util.StringUtils;
|
||||||
|
|
||||||
@ -258,6 +259,8 @@ public class DigestAuthenticationFilterTests {
|
|||||||
assertThat(SecurityContextHolder.getContext().getAuthentication()).isNotNull();
|
assertThat(SecurityContextHolder.getContext().getAuthentication()).isNotNull();
|
||||||
assertThat(((UserDetails) SecurityContextHolder.getContext().getAuthentication().getPrincipal()).getUsername())
|
assertThat(((UserDetails) SecurityContextHolder.getContext().getAuthentication().getPrincipal()).getUsername())
|
||||||
.isEqualTo(USERNAME);
|
.isEqualTo(USERNAME);
|
||||||
|
assertThat(this.request.getAttribute(RequestAttributeSecurityContextRepository.DEFAULT_REQUEST_ATTR_NAME))
|
||||||
|
.isNotNull();
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
@ -271,6 +274,8 @@ public class DigestAuthenticationFilterTests {
|
|||||||
assertThat(((UserDetails) SecurityContextHolder.getContext().getAuthentication().getPrincipal()).getUsername())
|
assertThat(((UserDetails) SecurityContextHolder.getContext().getAuthentication().getPrincipal()).getUsername())
|
||||||
.isEqualTo(USERNAME);
|
.isEqualTo(USERNAME);
|
||||||
assertThat(SecurityContextHolder.getContext().getAuthentication().isAuthenticated()).isFalse();
|
assertThat(SecurityContextHolder.getContext().getAuthentication().isAuthenticated()).isFalse();
|
||||||
|
assertThat(this.request.getAttribute(RequestAttributeSecurityContextRepository.DEFAULT_REQUEST_ATTR_NAME))
|
||||||
|
.isNotNull();
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
@ -287,6 +292,8 @@ public class DigestAuthenticationFilterTests {
|
|||||||
assertThat(SecurityContextHolder.getContext().getAuthentication().isAuthenticated()).isTrue();
|
assertThat(SecurityContextHolder.getContext().getAuthentication().isAuthenticated()).isTrue();
|
||||||
assertThat(SecurityContextHolder.getContext().getAuthentication().getAuthorities())
|
assertThat(SecurityContextHolder.getContext().getAuthentication().getAuthorities())
|
||||||
.isEqualTo(AuthorityUtils.createAuthorityList("ROLE_ONE", "ROLE_TWO"));
|
.isEqualTo(AuthorityUtils.createAuthorityList("ROLE_ONE", "ROLE_TWO"));
|
||||||
|
assertThat(this.request.getAttribute(RequestAttributeSecurityContextRepository.DEFAULT_REQUEST_ATTR_NAME))
|
||||||
|
.isNotNull();
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
|