
SEC-3108: DigestAuthenticationFilter should use SecurityContextHolder.createEmptyContext()

Rob Winch 9 年之前
当前提交
da606d50c0

+ 5 - 2
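--- a/web/src/main/java/org/springframework/security/web/authentication/www/DigestAuthenticationFilter.java
+++ b/web/src/main/java/org/springframework/security/web/authentication/www/DigestAuthenticationFilter.java
@@ -38,6 +38,7 @@ import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.core.SpringSecurityMessageSource;
 import org.springframework.security.crypto.codec.Base64;
+import org.springframework.security.core.context.SecurityContext;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.core.userdetails.UserCache;
 import org.springframework.security.core.userdetails.UserDetails;
@@ -224,8 +225,10 @@ public class DigestAuthenticationFilter extends GenericFilterBean implements
 					+ "' with response: '" + digestAuth.getResponse() + "'");
 		}
 
-		SecurityContextHolder.getContext().setAuthentication(
-				createSuccessfulAuthentication(request, user));
+		Authentication authentication = createSuccessfulAuthentication(request, user);
+		SecurityContext context = SecurityContextHolder.createEmptyContext();
+		context.setAuthentication(authentication);
+		SecurityContextHolder.setContext(context);
 
 		chain.doFilter(request, response);
 	}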
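Review bot: The four new lines that build a fresh context and install it carry no why-comment, so a later reader is likely to "simplify" them back to `SecurityContextHolder.getContext().setAuthentication(...)` and silently reintroduce the issue the commit fixes; I would add `// SEC-3108: install a new context rather than mutating the existing one, which the caller may still hold a reference to` above the `createEmptyContext()` line. The accompanying test only shows that a pre-installed context is left untouched, so any stronger claim about who shares that object should stay hedged. Separately, the added `SecurityContext` import lands after `crypto.codec.Base64`, breaking the alphabetical order of the surrounding `core.*` imports; moving it directly above the `SecurityContextHolder` import would keep the block sorted. The enclosing doFilter method begins outside this hunk, so the failure path that precedes these lines could not be checked here.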

+ 37 - 3
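--- a/web/src/test/java/org/springframework/security/web/authentication/www/DigestAuthenticationFilterTests.java
+++ b/web/src/test/java/org/springframework/security/web/authentication/www/DigestAuthenticationFilterTests.java
@@ -15,11 +15,20 @@
 
 package org.springframework.security.web.authentication.www;
 
-import static org.junit.Assert.*;
-import static org.mockito.Mockito.*;
+import static org.fest.assertions.Assertions.*;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertNull;
+import static org.junit.Assert.assertTrue;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.times;
+import static org.mockito.Mockito.verify;
 
 import java.io.IOException;
-import java.util.*;
+import java.util.Map;
+
 import javax.servlet.Filter;
 import javax.servlet.FilterChain;
 import javax.servlet.ServletException;
@@ -32,7 +41,9 @@ import org.junit.Before;
 import org.junit.Test;
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.mock.web.MockHttpServletResponse;
+import org.springframework.security.authentication.TestingAuthenticationToken;
 import org.springframework.security.core.authority.AuthorityUtils;
+import org.springframework.security.core.context.SecurityContext;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
@@ -473,4 +484,27 @@ public class DigestAuthenticationFilterTests {
 		assertNull(SecurityContextHolder.getContext().getAuthentication());
 		assertEquals(401, response.getStatus());
 	}
+
+	// SEC-3108
+	@Test
+	public void authenticationCreatesEmptyContext() throws Exception {
+		SecurityContext existingContext = SecurityContextHolder.createEmptyContext();
+		TestingAuthenticationToken existingAuthentication = new TestingAuthenticationToken("existingauthenitcated", "pass", "ROLE_USER");
+		existingContext.setAuthentication(existingAuthentication);
+
+		SecurityContextHolder.setContext(existingContext);
+
+		String responseDigest = DigestAuthUtils.generateDigest(false, USERNAME, REALM,
+				PASSWORD, "GET", REQUEST_URI, QOP, NC, CNONCE);
+
+		request.addHeader(
+				"Authorization",
+				createAuthorizationHeader(USERNAME, REALM, NONCE, REQUEST_URI,
+						responseDigest, QOP, NC, CNONCE));
+
+		filter.setCreateAuthenticatedToken(true);
+		executeFilterInContainerSimulator(filter, request, true);
+
+		assertThat(existingAuthentication).isSameAs(existingContext.getAuthentication());
+	}
 }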
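Review bot: The new test `authenticationCreatesEmptyContext` asserts only that the pre-installed context keeps its original authentication; it never checks that the holder now carries a different context with the digest-authenticated principal, so a filter that simply skipped setting any authentication would also pass. Adding `assertThat(SecurityContextHolder.getContext()).isNotSameAs(existingContext);` and `assertThat(SecurityContextHolder.getContext().getAuthentication().getName()).isEqualTo(USERNAME);` after the existing assertion would pin the intended behaviour on both sides. The test also installs a context into the static SecurityContextHolder and does not clear it; unless a teardown outside this hunk calls `clearContext()`, that state leaks into later tests in the same JVM. Minor: `"existingauthenitcated"` misspells "authenticated" (harmless, but it will confuse anyone grepping for it), and the new `org.fest.assertions.Assertions.*` wildcard static import is inconsistent with the explicit JUnit/Mockito imports introduced in the same hunk.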