Change default SecurityContextRepository

Save SecurityContext in request attributes for stateless session
management using RequestAttributeSecurityContextRepository.

Closes gh-11026
This commit is contained in:
Steve Riesenberg 2022-09-21 11:21:19 -05:00
parent ccac34b07c
commit 3c66ef6305
No known key found for this signature in database
GPG Key ID: 5F311AB48A55D521
17 changed files with 108 additions and 20 deletions

View File

@ -47,7 +47,7 @@ import org.springframework.security.web.authentication.session.RegisterSessionAu
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy; import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy; import org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository; import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.context.NullSecurityContextRepository; import org.springframework.security.web.context.RequestAttributeSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextRepository; import org.springframework.security.web.context.SecurityContextRepository;
import org.springframework.security.web.savedrequest.NullRequestCache; import org.springframework.security.web.savedrequest.NullRequestCache;
import org.springframework.security.web.savedrequest.RequestCache; import org.springframework.security.web.savedrequest.RequestCache;
@ -341,7 +341,7 @@ public final class SessionManagementConfigurer<H extends HttpSecurityBuilder<H>>
boolean stateless = isStateless(); boolean stateless = isStateless();
if (securityContextRepository == null) { if (securityContextRepository == null) {
if (stateless) { if (stateless) {
http.setSharedObject(SecurityContextRepository.class, new NullSecurityContextRepository()); http.setSharedObject(SecurityContextRepository.class, new RequestAttributeSecurityContextRepository());
} }
else { else {
HttpSessionSecurityContextRepository httpSecurityRepository = new HttpSessionSecurityContextRepository(); HttpSessionSecurityContextRepository httpSecurityRepository = new HttpSessionSecurityContextRepository();

View File

@ -61,7 +61,7 @@ import org.springframework.security.web.authentication.session.ConcurrentSession
import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy; import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy; import org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository; import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.context.NullSecurityContextRepository; import org.springframework.security.web.context.RequestAttributeSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextHolderFilter; import org.springframework.security.web.context.SecurityContextHolderFilter;
import org.springframework.security.web.context.SecurityContextPersistenceFilter; import org.springframework.security.web.context.SecurityContextPersistenceFilter;
import org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter; import org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter;
@ -365,7 +365,7 @@ class HttpConfigurationBuilder {
if (!StringUtils.hasText(repoRef)) { if (!StringUtils.hasText(repoRef)) {
BeanDefinitionBuilder contextRepo; BeanDefinitionBuilder contextRepo;
if (this.sessionPolicy == SessionCreationPolicy.STATELESS) { if (this.sessionPolicy == SessionCreationPolicy.STATELESS) {
contextRepo = BeanDefinitionBuilder.rootBeanDefinition(NullSecurityContextRepository.class); contextRepo = BeanDefinitionBuilder.rootBeanDefinition(RequestAttributeSecurityContextRepository.class);
} }
else { else {
contextRepo = BeanDefinitionBuilder.rootBeanDefinition(HttpSessionSecurityContextRepository.class); contextRepo = BeanDefinitionBuilder.rootBeanDefinition(HttpSessionSecurityContextRepository.class);

View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2019 the original author or authors. * Copyright 2002-2022 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -43,6 +43,7 @@ import org.springframework.security.web.authentication.session.ChangeSessionIdAu
import org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy; import org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy; import org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy;
import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy; import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
import org.springframework.security.web.context.RequestAttributeSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextRepository; import org.springframework.security.web.context.SecurityContextRepository;
import org.springframework.security.web.savedrequest.RequestCache; import org.springframework.security.web.savedrequest.RequestCache;
import org.springframework.security.web.session.ConcurrentSessionFilter; import org.springframework.security.web.session.ConcurrentSessionFilter;
@ -340,6 +341,22 @@ public class SessionManagementConfigurerTests {
this.mvc.perform(get("/")).andExpect(content().string("encoded")); this.mvc.perform(get("/")).andExpect(content().string("encoded"));
} }
@Test
public void loginWhenSessionCreationPolicyStatelessThenSecurityContextIsAvailableInRequestAttributes()
throws Exception {
this.spring.register(HttpBasicSessionCreationPolicyStatelessConfig.class).autowire();
// @formatter:off
MvcResult mvcResult = this.mvc.perform(get("/").with(httpBasic("user", "password")))
.andExpect(status().isOk())
.andReturn();
// @formatter:on
HttpSession session = mvcResult.getRequest().getSession(false);
assertThat(session).isNull();
SecurityContext securityContext = (SecurityContext) mvcResult.getRequest()
.getAttribute(RequestAttributeSecurityContextRepository.DEFAULT_REQUEST_ATTR_NAME);
assertThat(securityContext).isNotNull();
}
@Configuration @Configuration
@EnableWebSecurity @EnableWebSecurity
static class SessionManagementRequestCacheConfig extends WebSecurityConfigurerAdapter { static class SessionManagementRequestCacheConfig extends WebSecurityConfigurerAdapter {
@ -659,6 +676,38 @@ public class SessionManagementConfigurerTests {
} }
@Configuration
@EnableWebSecurity
static class HttpBasicSessionCreationPolicyStatelessConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
// @formatter:off
http
.sessionManagement((sessionManagement) ->
sessionManagement
.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
)
.httpBasic(withDefaults());
// @formatter:on
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
// @formatter:off
auth
.inMemoryAuthentication()
.withUser(PasswordEncodedUser.user());
// @formatter:on
}
@Bean
EncodesUrls encodesUrls() {
return new EncodesUrls();
}
}
@RestController @RestController
static class EncodesUrls { static class EncodesUrls {

View File

@ -41,7 +41,7 @@ import org.springframework.security.oauth2.server.resource.web.DefaultBearerToke
import org.springframework.security.web.AuthenticationEntryPoint; import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.AuthenticationFailureHandler; import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource; import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.security.web.context.NullSecurityContextRepository; import org.springframework.security.web.context.RequestAttributeSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextRepository; import org.springframework.security.web.context.SecurityContextRepository;
import org.springframework.util.Assert; import org.springframework.util.Assert;
import org.springframework.web.filter.OncePerRequestFilter; import org.springframework.web.filter.OncePerRequestFilter;
@ -80,7 +80,7 @@ public final class BearerTokenAuthenticationFilter extends OncePerRequestFilter
private AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource = new WebAuthenticationDetailsSource(); private AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource = new WebAuthenticationDetailsSource();
private SecurityContextRepository securityContextRepository = new NullSecurityContextRepository(); private SecurityContextRepository securityContextRepository = new RequestAttributeSecurityContextRepository();
/** /**
* Construct a {@code BearerTokenAuthenticationFilter} using the provided parameter(s) * Construct a {@code BearerTokenAuthenticationFilter} using the provided parameter(s)

View File

@ -1,5 +1,5 @@
/* /*
* Copyright 2002-2021 the original author or authors. * Copyright 2002-2022 the original author or authors.
* *
* Licensed under the Apache License, Version 2.0 (the "License"); * Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License. * you may not use this file except in compliance with the License.
@ -44,6 +44,7 @@ import org.springframework.security.oauth2.server.resource.authentication.Bearer
import org.springframework.security.oauth2.server.resource.web.BearerTokenResolver; import org.springframework.security.oauth2.server.resource.web.BearerTokenResolver;
import org.springframework.security.web.AuthenticationEntryPoint; import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.AuthenticationFailureHandler; import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.context.RequestAttributeSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextRepository; import org.springframework.security.web.context.SecurityContextRepository;
import static org.assertj.core.api.Assertions.assertThat; import static org.assertj.core.api.Assertions.assertThat;
@ -105,6 +106,8 @@ public class BearerTokenAuthenticationFilterTests {
.forClass(BearerTokenAuthenticationToken.class); .forClass(BearerTokenAuthenticationToken.class);
verify(this.authenticationManager).authenticate(captor.capture()); verify(this.authenticationManager).authenticate(captor.capture());
assertThat(captor.getValue().getPrincipal()).isEqualTo("token"); assertThat(captor.getValue().getPrincipal()).isEqualTo("token");
assertThat(this.request.getAttribute(RequestAttributeSecurityContextRepository.DEFAULT_REQUEST_ATTR_NAME))
.isNotNull();
} }
@Test @Test
@ -138,6 +141,8 @@ public class BearerTokenAuthenticationFilterTests {
.forClass(BearerTokenAuthenticationToken.class); .forClass(BearerTokenAuthenticationToken.class);
verify(this.authenticationManager).authenticate(captor.capture()); verify(this.authenticationManager).authenticate(captor.capture());
assertThat(captor.getValue().getPrincipal()).isEqualTo("token"); assertThat(captor.getValue().getPrincipal()).isEqualTo("token");
assertThat(this.request.getAttribute(RequestAttributeSecurityContextRepository.DEFAULT_REQUEST_ATTR_NAME))
.isNotNull();
} }
@Test @Test

View File

@ -43,7 +43,7 @@ import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.context.SecurityContextHolderStrategy; import org.springframework.security.core.context.SecurityContextHolderStrategy;
import org.springframework.security.web.authentication.session.NullAuthenticatedSessionStrategy; import org.springframework.security.web.authentication.session.NullAuthenticatedSessionStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy; import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
import org.springframework.security.web.context.NullSecurityContextRepository; import org.springframework.security.web.context.RequestAttributeSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextRepository; import org.springframework.security.web.context.SecurityContextRepository;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher; import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher; import org.springframework.security.web.util.matcher.RequestMatcher;
@ -140,7 +140,7 @@ public abstract class AbstractAuthenticationProcessingFilter extends GenericFilt
private AuthenticationFailureHandler failureHandler = new SimpleUrlAuthenticationFailureHandler(); private AuthenticationFailureHandler failureHandler = new SimpleUrlAuthenticationFailureHandler();
private SecurityContextRepository securityContextRepository = new NullSecurityContextRepository(); private SecurityContextRepository securityContextRepository = new RequestAttributeSecurityContextRepository();
/** /**
* @param defaultFilterProcessesUrl the default value for <tt>filterProcessesUrl</tt>. * @param defaultFilterProcessesUrl the default value for <tt>filterProcessesUrl</tt>.

View File

@ -33,7 +33,7 @@ import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContext; import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.context.SecurityContextHolderStrategy; import org.springframework.security.core.context.SecurityContextHolderStrategy;
import org.springframework.security.web.context.NullSecurityContextRepository; import org.springframework.security.web.context.RequestAttributeSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextRepository; import org.springframework.security.web.context.SecurityContextRepository;
import org.springframework.security.web.util.matcher.AnyRequestMatcher; import org.springframework.security.web.util.matcher.AnyRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher; import org.springframework.security.web.util.matcher.RequestMatcher;
@ -80,7 +80,7 @@ public class AuthenticationFilter extends OncePerRequestFilter {
private AuthenticationFailureHandler failureHandler = new AuthenticationEntryPointFailureHandler( private AuthenticationFailureHandler failureHandler = new AuthenticationEntryPointFailureHandler(
new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED)); new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED));
private SecurityContextRepository securityContextRepository = new NullSecurityContextRepository(); private SecurityContextRepository securityContextRepository = new RequestAttributeSecurityContextRepository();
private AuthenticationManagerResolver<HttpServletRequest> authenticationManagerResolver; private AuthenticationManagerResolver<HttpServletRequest> authenticationManagerResolver;

View File

@ -41,7 +41,7 @@ import org.springframework.security.web.WebAttributes;
import org.springframework.security.web.authentication.AuthenticationFailureHandler; import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler; import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource; import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.security.web.context.NullSecurityContextRepository; import org.springframework.security.web.context.RequestAttributeSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextRepository; import org.springframework.security.web.context.SecurityContextRepository;
import org.springframework.security.web.util.matcher.RequestMatcher; import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.util.Assert; import org.springframework.util.Assert;
@ -110,7 +110,7 @@ public abstract class AbstractPreAuthenticatedProcessingFilter extends GenericFi
private RequestMatcher requiresAuthenticationRequestMatcher = new PreAuthenticatedProcessingRequestMatcher(); private RequestMatcher requiresAuthenticationRequestMatcher = new PreAuthenticatedProcessingRequestMatcher();
private SecurityContextRepository securityContextRepository = new NullSecurityContextRepository(); private SecurityContextRepository securityContextRepository = new RequestAttributeSecurityContextRepository();
/** /**
* Check whether all required properties have been set. * Check whether all required properties have been set.

View File

@ -37,7 +37,7 @@ import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.context.SecurityContextHolderStrategy; import org.springframework.security.core.context.SecurityContextHolderStrategy;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler; import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.RememberMeServices; import org.springframework.security.web.authentication.RememberMeServices;
import org.springframework.security.web.context.NullSecurityContextRepository; import org.springframework.security.web.context.RequestAttributeSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextRepository; import org.springframework.security.web.context.SecurityContextRepository;
import org.springframework.util.Assert; import org.springframework.util.Assert;
import org.springframework.web.filter.GenericFilterBean; import org.springframework.web.filter.GenericFilterBean;
@ -79,7 +79,7 @@ public class RememberMeAuthenticationFilter extends GenericFilterBean implements
private RememberMeServices rememberMeServices; private RememberMeServices rememberMeServices;
private SecurityContextRepository securityContextRepository = new NullSecurityContextRepository(); private SecurityContextRepository securityContextRepository = new RequestAttributeSecurityContextRepository();
public RememberMeAuthenticationFilter(AuthenticationManager authenticationManager, public RememberMeAuthenticationFilter(AuthenticationManager authenticationManager,
RememberMeServices rememberMeServices) { RememberMeServices rememberMeServices) {

View File

@ -37,7 +37,7 @@ import org.springframework.security.core.context.SecurityContextHolderStrategy;
import org.springframework.security.web.AuthenticationEntryPoint; import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.NullRememberMeServices; import org.springframework.security.web.authentication.NullRememberMeServices;
import org.springframework.security.web.authentication.RememberMeServices; import org.springframework.security.web.authentication.RememberMeServices;
import org.springframework.security.web.context.NullSecurityContextRepository; import org.springframework.security.web.context.RequestAttributeSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextRepository; import org.springframework.security.web.context.SecurityContextRepository;
import org.springframework.util.Assert; import org.springframework.util.Assert;
import org.springframework.web.filter.OncePerRequestFilter; import org.springframework.web.filter.OncePerRequestFilter;
@ -109,7 +109,7 @@ public class BasicAuthenticationFilter extends OncePerRequestFilter {
private BasicAuthenticationConverter authenticationConverter = new BasicAuthenticationConverter(); private BasicAuthenticationConverter authenticationConverter = new BasicAuthenticationConverter();
private SecurityContextRepository securityContextRepository = new NullSecurityContextRepository(); private SecurityContextRepository securityContextRepository = new RequestAttributeSecurityContextRepository();
/** /**
* Creates an instance which will authenticate against the supplied * Creates an instance which will authenticate against the supplied

View File

@ -49,7 +49,7 @@ import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException; import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.core.userdetails.cache.NullUserCache; import org.springframework.security.core.userdetails.cache.NullUserCache;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource; import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.security.web.context.NullSecurityContextRepository; import org.springframework.security.web.context.RequestAttributeSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextRepository; import org.springframework.security.web.context.SecurityContextRepository;
import org.springframework.util.Assert; import org.springframework.util.Assert;
import org.springframework.util.StringUtils; import org.springframework.util.StringUtils;
@ -111,7 +111,7 @@ public class DigestAuthenticationFilter extends GenericFilterBean implements Mes
private boolean createAuthenticatedToken = false; private boolean createAuthenticatedToken = false;
private SecurityContextRepository securityContextRepository = new NullSecurityContextRepository(); private SecurityContextRepository securityContextRepository = new RequestAttributeSecurityContextRepository();
@Override @Override
public void afterPropertiesSet() { public void afterPropertiesSet() {

View File

@ -44,6 +44,7 @@ import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.rememberme.AbstractRememberMeServicesTests; import org.springframework.security.web.authentication.rememberme.AbstractRememberMeServicesTests;
import org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices; import org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy; import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
import org.springframework.security.web.context.RequestAttributeSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextRepository; import org.springframework.security.web.context.SecurityContextRepository;
import org.springframework.security.web.firewall.DefaultHttpFirewall; import org.springframework.security.web.firewall.DefaultHttpFirewall;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher; import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
@ -188,6 +189,8 @@ public class AbstractAuthenticationProcessingFilterTests {
assertThat(response.getRedirectedUrl()).isEqualTo("/mycontext/logged_in.jsp"); assertThat(response.getRedirectedUrl()).isEqualTo("/mycontext/logged_in.jsp");
assertThat(SecurityContextHolder.getContext().getAuthentication()).isNotNull(); assertThat(SecurityContextHolder.getContext().getAuthentication()).isNotNull();
assertThat(SecurityContextHolder.getContext().getAuthentication().getPrincipal().toString()).isEqualTo("test"); assertThat(SecurityContextHolder.getContext().getAuthentication().getPrincipal().toString()).isEqualTo("test");
assertThat(request.getAttribute(RequestAttributeSecurityContextRepository.DEFAULT_REQUEST_ATTR_NAME))
.isNotNull();
// Should still have the same session // Should still have the same session
assertThat(request.getSession()).isEqualTo(sessionPreAuth); assertThat(request.getSession()).isEqualTo(sessionPreAuth);
} }
@ -215,6 +218,8 @@ public class AbstractAuthenticationProcessingFilterTests {
assertThat(response.getRedirectedUrl()).isEqualTo("/mycontext/logged_in.jsp"); assertThat(response.getRedirectedUrl()).isEqualTo("/mycontext/logged_in.jsp");
assertThat(SecurityContextHolder.getContext().getAuthentication()).isNotNull(); assertThat(SecurityContextHolder.getContext().getAuthentication()).isNotNull();
assertThat(SecurityContextHolder.getContext().getAuthentication().getPrincipal().toString()).isEqualTo("test"); assertThat(SecurityContextHolder.getContext().getAuthentication().getPrincipal().toString()).isEqualTo("test");
assertThat(request.getAttribute(RequestAttributeSecurityContextRepository.DEFAULT_REQUEST_ATTR_NAME))
.isNotNull();
// Should still have the same session // Should still have the same session
assertThat(request.getSession()).isEqualTo(sessionPreAuth); assertThat(request.getSession()).isEqualTo(sessionPreAuth);
} }
@ -244,6 +249,8 @@ public class AbstractAuthenticationProcessingFilterTests {
assertThat(response.getRedirectedUrl()).isEqualTo("/mycontext/logged_in.jsp"); assertThat(response.getRedirectedUrl()).isEqualTo("/mycontext/logged_in.jsp");
assertThat(SecurityContextHolder.getContext().getAuthentication()).isNotNull(); assertThat(SecurityContextHolder.getContext().getAuthentication()).isNotNull();
assertThat(SecurityContextHolder.getContext().getAuthentication().getPrincipal().toString()).isEqualTo("test"); assertThat(SecurityContextHolder.getContext().getAuthentication().getPrincipal().toString()).isEqualTo("test");
assertThat(request.getAttribute(RequestAttributeSecurityContextRepository.DEFAULT_REQUEST_ATTR_NAME))
.isNotNull();
// Should still have the same session // Should still have the same session
assertThat(request.getSession()).isEqualTo(sessionPreAuth); assertThat(request.getSession()).isEqualTo(sessionPreAuth);
} }
@ -323,6 +330,8 @@ public class AbstractAuthenticationProcessingFilterTests {
verify(successHandler).onAuthenticationSuccess(any(HttpServletRequest.class), any(HttpServletResponse.class), verify(successHandler).onAuthenticationSuccess(any(HttpServletRequest.class), any(HttpServletResponse.class),
any(Authentication.class)); any(Authentication.class));
assertThat(SecurityContextHolder.getContext().getAuthentication()).isNotNull(); assertThat(SecurityContextHolder.getContext().getAuthentication()).isNotNull();
assertThat(request.getAttribute(RequestAttributeSecurityContextRepository.DEFAULT_REQUEST_ATTR_NAME))
.isNotNull();
} }
@Test @Test

View File

@ -42,6 +42,7 @@ import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.context.SecurityContextHolderStrategy; import org.springframework.security.core.context.SecurityContextHolderStrategy;
import org.springframework.security.core.context.SecurityContextImpl; import org.springframework.security.core.context.SecurityContextImpl;
import org.springframework.security.web.context.RequestAttributeSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextRepository; import org.springframework.security.web.context.SecurityContextRepository;
import org.springframework.security.web.util.matcher.RequestMatcher; import org.springframework.security.web.util.matcher.RequestMatcher;
@ -128,6 +129,8 @@ public class AuthenticationFilterTests {
verify(this.authenticationManager).authenticate(any(Authentication.class)); verify(this.authenticationManager).authenticate(any(Authentication.class));
verify(chain).doFilter(any(ServletRequest.class), any(ServletResponse.class)); verify(chain).doFilter(any(ServletRequest.class), any(ServletResponse.class));
assertThat(SecurityContextHolder.getContext().getAuthentication()).isNotNull(); assertThat(SecurityContextHolder.getContext().getAuthentication()).isNotNull();
assertThat(request.getAttribute(RequestAttributeSecurityContextRepository.DEFAULT_REQUEST_ATTR_NAME))
.isNotNull();
} }
@Test @Test
@ -165,6 +168,8 @@ public class AuthenticationFilterTests {
verify(this.authenticationManager).authenticate(any(Authentication.class)); verify(this.authenticationManager).authenticate(any(Authentication.class));
verify(chain).doFilter(any(ServletRequest.class), any(ServletResponse.class)); verify(chain).doFilter(any(ServletRequest.class), any(ServletResponse.class));
assertThat(SecurityContextHolder.getContext().getAuthentication()).isNotNull(); assertThat(SecurityContextHolder.getContext().getAuthentication()).isNotNull();
assertThat(request.getAttribute(RequestAttributeSecurityContextRepository.DEFAULT_REQUEST_ATTR_NAME))
.isNotNull();
} }
@Test @Test
@ -228,6 +233,8 @@ public class AuthenticationFilterTests {
verify(this.successHandler).onAuthenticationSuccess(any(), any(), any(), eq(authentication)); verify(this.successHandler).onAuthenticationSuccess(any(), any(), any(), eq(authentication));
verifyNoMoreInteractions(this.failureHandler); verifyNoMoreInteractions(this.failureHandler);
assertThat(SecurityContextHolder.getContext().getAuthentication()).isNotNull(); assertThat(SecurityContextHolder.getContext().getAuthentication()).isNotNull();
assertThat(request.getAttribute(RequestAttributeSecurityContextRepository.DEFAULT_REQUEST_ATTR_NAME))
.isNotNull();
} }
@Test @Test

View File

@ -40,6 +40,7 @@ import org.springframework.security.core.userdetails.User;
import org.springframework.security.web.WebAttributes; import org.springframework.security.web.WebAttributes;
import org.springframework.security.web.authentication.ForwardAuthenticationFailureHandler; import org.springframework.security.web.authentication.ForwardAuthenticationFailureHandler;
import org.springframework.security.web.authentication.ForwardAuthenticationSuccessHandler; import org.springframework.security.web.authentication.ForwardAuthenticationSuccessHandler;
import org.springframework.security.web.context.RequestAttributeSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextRepository; import org.springframework.security.web.context.SecurityContextRepository;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher; import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
@ -211,6 +212,8 @@ public class AbstractPreAuthenticatedProcessingFilterTests {
filter.doFilter(request, response, chain); filter.doFilter(request, response, chain);
verify(am).authenticate(any(PreAuthenticatedAuthenticationToken.class)); verify(am).authenticate(any(PreAuthenticatedAuthenticationToken.class));
assertThat(response.getForwardedUrl()).isEqualTo("/forwardUrl"); assertThat(response.getForwardedUrl()).isEqualTo("/forwardUrl");
assertThat(request.getAttribute(RequestAttributeSecurityContextRepository.DEFAULT_REQUEST_ATTR_NAME))
.isNotNull();
} }
@Test @Test

View File

@ -35,6 +35,7 @@ import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.NullRememberMeServices; import org.springframework.security.web.authentication.NullRememberMeServices;
import org.springframework.security.web.authentication.RememberMeServices; import org.springframework.security.web.authentication.RememberMeServices;
import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler; import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;
import org.springframework.security.web.context.RequestAttributeSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextRepository; import org.springframework.security.web.context.SecurityContextRepository;
import static org.assertj.core.api.Assertions.assertThat; import static org.assertj.core.api.Assertions.assertThat;
@ -109,6 +110,8 @@ public class RememberMeAuthenticationFilterTests {
filter.doFilter(request, new MockHttpServletResponse(), fc); filter.doFilter(request, new MockHttpServletResponse(), fc);
// Ensure filter setup with our remembered authentication object // Ensure filter setup with our remembered authentication object
assertThat(SecurityContextHolder.getContext().getAuthentication()).isSameAs(this.remembered); assertThat(SecurityContextHolder.getContext().getAuthentication()).isSameAs(this.remembered);
assertThat(request.getAttribute(RequestAttributeSecurityContextRepository.DEFAULT_REQUEST_ATTR_NAME))
.isNotNull();
verify(fc).doFilter(any(HttpServletRequest.class), any(HttpServletResponse.class)); verify(fc).doFilter(any(HttpServletRequest.class), any(HttpServletResponse.class));
} }
@ -149,6 +152,8 @@ public class RememberMeAuthenticationFilterTests {
request.setRequestURI("x"); request.setRequestURI("x");
filter.doFilter(request, response, fc); filter.doFilter(request, response, fc);
assertThat(response.getRedirectedUrl()).isEqualTo("/target"); assertThat(response.getRedirectedUrl()).isEqualTo("/target");
assertThat(request.getAttribute(RequestAttributeSecurityContextRepository.DEFAULT_REQUEST_ATTR_NAME))
.isNotNull();
// Should return after success handler is invoked, so chain should not proceed // Should return after success handler is invoked, so chain should not proceed
verifyNoMoreInteractions(fc); verifyNoMoreInteractions(fc);
} }

View File

@ -41,6 +41,7 @@ import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.context.SecurityContextHolderStrategy; import org.springframework.security.core.context.SecurityContextHolderStrategy;
import org.springframework.security.test.web.CodecTestUtils; import org.springframework.security.test.web.CodecTestUtils;
import org.springframework.security.web.authentication.WebAuthenticationDetails; import org.springframework.security.web.authentication.WebAuthenticationDetails;
import org.springframework.security.web.context.RequestAttributeSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextRepository; import org.springframework.security.web.context.SecurityContextRepository;
import org.springframework.web.util.WebUtils; import org.springframework.web.util.WebUtils;
@ -342,6 +343,8 @@ public class BasicAuthenticationFilterTests {
verify(chain).doFilter(any(ServletRequest.class), any(ServletResponse.class)); verify(chain).doFilter(any(ServletRequest.class), any(ServletResponse.class));
assertThat(SecurityContextHolder.getContext().getAuthentication().getName()).isEqualTo("rod"); assertThat(SecurityContextHolder.getContext().getAuthentication().getName()).isEqualTo("rod");
assertThat(SecurityContextHolder.getContext().getAuthentication().getCredentials()).isEqualTo("äöü"); assertThat(SecurityContextHolder.getContext().getAuthentication().getCredentials()).isEqualTo("äöü");
assertThat(request.getAttribute(RequestAttributeSecurityContextRepository.DEFAULT_REQUEST_ATTR_NAME))
.isNotNull();
} }
@Test @Test

View File

@ -41,6 +41,7 @@ import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.cache.NullUserCache; import org.springframework.security.core.userdetails.cache.NullUserCache;
import org.springframework.security.test.web.CodecTestUtils; import org.springframework.security.test.web.CodecTestUtils;
import org.springframework.security.web.context.RequestAttributeSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextRepository; import org.springframework.security.web.context.SecurityContextRepository;
import org.springframework.util.StringUtils; import org.springframework.util.StringUtils;
@ -258,6 +259,8 @@ public class DigestAuthenticationFilterTests {
assertThat(SecurityContextHolder.getContext().getAuthentication()).isNotNull(); assertThat(SecurityContextHolder.getContext().getAuthentication()).isNotNull();
assertThat(((UserDetails) SecurityContextHolder.getContext().getAuthentication().getPrincipal()).getUsername()) assertThat(((UserDetails) SecurityContextHolder.getContext().getAuthentication().getPrincipal()).getUsername())
.isEqualTo(USERNAME); .isEqualTo(USERNAME);
assertThat(this.request.getAttribute(RequestAttributeSecurityContextRepository.DEFAULT_REQUEST_ATTR_NAME))
.isNotNull();
} }
@Test @Test
@ -271,6 +274,8 @@ public class DigestAuthenticationFilterTests {
assertThat(((UserDetails) SecurityContextHolder.getContext().getAuthentication().getPrincipal()).getUsername()) assertThat(((UserDetails) SecurityContextHolder.getContext().getAuthentication().getPrincipal()).getUsername())
.isEqualTo(USERNAME); .isEqualTo(USERNAME);
assertThat(SecurityContextHolder.getContext().getAuthentication().isAuthenticated()).isFalse(); assertThat(SecurityContextHolder.getContext().getAuthentication().isAuthenticated()).isFalse();
assertThat(this.request.getAttribute(RequestAttributeSecurityContextRepository.DEFAULT_REQUEST_ATTR_NAME))
.isNotNull();
} }
@Test @Test
@ -287,6 +292,8 @@ public class DigestAuthenticationFilterTests {
assertThat(SecurityContextHolder.getContext().getAuthentication().isAuthenticated()).isTrue(); assertThat(SecurityContextHolder.getContext().getAuthentication().isAuthenticated()).isTrue();
assertThat(SecurityContextHolder.getContext().getAuthentication().getAuthorities()) assertThat(SecurityContextHolder.getContext().getAuthentication().getAuthorities())
.isEqualTo(AuthorityUtils.createAuthorityList("ROLE_ONE", "ROLE_TWO")); .isEqualTo(AuthorityUtils.createAuthorityList("ROLE_ONE", "ROLE_TWO"));
assertThat(this.request.getAttribute(RequestAttributeSecurityContextRepository.DEFAULT_REQUEST_ATTR_NAME))
.isNotNull();
} }
@Test @Test