From 64542b40598af41253790d7b32dfe10f2818adef Mon Sep 17 00:00:00 2001
From: Josh Cummings
Date: Tue, 18 Apr 2023 12:18:18 -0600
Subject: [PATCH] Polish X509 SecurityContextRepository

Like Basic and Bearer authentication, X509 is stateless by default. As such, it is better to not pick up the global SecurityContextRepository bean. The better fix is to change the default from HttpSessionSecurityContextRepository to RequestAttributeSecurityContextRepository.

Issue gh-13008
---
 .../annotation/web/configurers/X509Configurer.java | 11 ++---------
 1 file changed, 2 insertions(+), 9 deletions(-)

diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/X509Configurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/X509Configurer.java
index f545b08126..a6426a74b4 100644
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/X509Configurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/X509Configurer.java
@@ -17,7 +17,6 @@
 package org.springframework.security.config.annotation.web.configurers;
 
 import jakarta.servlet.http.HttpServletRequest;
-
 import org.springframework.beans.factory.NoSuchBeanDefinitionException;
 import org.springframework.context.ApplicationContext;
 import org.springframework.security.authentication.AuthenticationDetailsSource;
@@ -36,7 +35,7 @@ import org.springframework.security.web.authentication.preauth.PreAuthenticatedG
 import org.springframework.security.web.authentication.preauth.x509.SubjectDnX509PrincipalExtractor;
 import org.springframework.security.web.authentication.preauth.x509.X509AuthenticationFilter;
 import org.springframework.security.web.authentication.preauth.x509.X509PrincipalExtractor;
-import org.springframework.security.web.context.SecurityContextRepository;
+import org.springframework.security.web.context.RequestAttributeSecurityContextRepository;
 
 /**
  * Adds X509 based pre authentication to an application. Since validating the certificate
@@ -193,13 +192,7 @@ public final class X509Configurer>
 if (this.authenticationDetailsSource != null) {
 this.x509AuthenticationFilter.setAuthenticationDetailsSource(this.authenticationDetailsSource);
 }
- SecurityContextConfigurer securityContextConfigurer = http
- .getConfigurer(SecurityContextConfigurer.class);
- if (securityContextConfigurer != null && securityContextConfigurer.isRequireExplicitSave()) {
- SecurityContextRepository securityContextRepository = securityContextConfigurer
- .getSecurityContextRepository();
- this.x509AuthenticationFilter.setSecurityContextRepository(securityContextRepository);
- }
+ this.x509AuthenticationFilter.setSecurityContextRepository(new RequestAttributeSecurityContextRepository());
 this.x509AuthenticationFilter.setSecurityContextHolderStrategy(getSecurityContextHolderStrategy());
 this.x509AuthenticationFilter = postProcess(this.x509AuthenticationFilter);
 }
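Review bot: The new `setSecurityContextRepository(new RequestAttributeSecurityContextRepository())` call is unconditional, so a repository a user set explicitly through `http.securityContext(...)` together with `requireExplicitSave` is no longer applied to the X509 filter, whereas the removed block did honour that case; from these lines alone it is not clear that X509Configurer offers another way to set the filter's repository, so that is worth confirming, or documenting as intended, before merging. The rationale for the stateless default lives only in the commit message, so a comment above the call such as `// X509 is stateless like Basic/Bearer: keep the context per request rather than in the HttpSession (gh-13008)` would help the next reader. The enclosing method starts outside the hunk.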