From 6e6d472da435026d3d98a7d08a1e42ce6c10bb41 Mon Sep 17 00:00:00 2001
From: Rob Winch
Date: Wed, 13 Apr 2022 10:45:00 -0500
Subject: [PATCH] Add test support for SecurityContextHolderFilter
Issue gh-9635
---
 .../test/web/support/WebTestUtils.java | 4 +++
 .../test/web/support/WebTestUtilsTests.java | 30 +++++++++++++++++++
 2 files changed, 34 insertions(+)
diff --git a/test/src/main/java/org/springframework/security/test/web/support/WebTestUtils.java b/test/src/main/java/org/springframework/security/test/web/support/WebTestUtils.java
index ceb644a00b..c13ebdefe3 100644
--- a/test/src/main/java/org/springframework/security/test/web/support/WebTestUtils.java
+++ b/test/src/main/java/org/springframework/security/test/web/support/WebTestUtils.java
@@ -85,6 +85,10 @@ public abstract class WebTestUtils {
 if (filter != null) {
 ReflectionTestUtils.setField(filter, "repo", securityContextRepository);
 }
+ SecurityContextHolderFilter holderFilter = findFilter(request, SecurityContextHolderFilter.class);
+ if (holderFilter != null) {
+ ReflectionTestUtils.setField(holderFilter, "securityContextRepository", securityContextRepository);
+ }
 }
 /**
diff --git a/test/src/test/java/org/springframework/security/test/web/support/WebTestUtilsTests.java b/test/src/test/java/org/springframework/security/test/web/support/WebTestUtilsTests.java
index d8a1c6dee4..c304202b4d 100644
--- a/test/src/test/java/org/springframework/security/test/web/support/WebTestUtilsTests.java
+++ b/test/src/test/java/org/springframework/security/test/web/support/WebTestUtilsTests.java
@@ -24,6 +24,7 @@ import org.mockito.Mock;
 import org.mockito.junit.jupiter.MockitoExtension;
 import org.springframework.context.ConfigurableApplicationContext;
+import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.security.config.BeanIds;
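Review bot: In the WebTestUtils.java hunk, the added `ReflectionTestUtils.setField(holderFilter, "securityContextRepository", securityContextRepository)` ties this test helper to the name of a (presumably private) field of SecurityContextHolderFilter, and nothing at the call site says so. A one-line comment above it, such as `// must match the repository field name in SecurityContextHolderFilter; update together if it is renamed`, would make the coupling visible to whoever next touches the filter. The enclosing method starts before the hunk and its Javadoc is not shown; if that Javadoc names only SecurityContextPersistenceFilter, it should now mention both filters.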
@@ -33,6 +34,7 @@ import org.springframework.security.config.annotation.web.configuration.WebSecur
 import org.springframework.security.web.DefaultSecurityFilterChain;
 import org.springframework.security.web.FilterChainProxy;
 import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
+import org.springframework.security.web.context.SecurityContextHolderFilter;
 import org.springframework.security.web.context.SecurityContextPersistenceFilter;
 import org.springframework.security.web.context.SecurityContextRepository;
 import org.springframework.security.web.csrf.CsrfFilter;
@@ -43,6 +45,7 @@ import org.springframework.web.context.WebApplicationContext;
 import org.springframework.web.context.support.AnnotationConfigWebApplicationContext;
 import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.Mockito.mock;
 @ExtendWith(MockitoExtension.class)
 public class WebTestUtilsTests {
@@ -126,6 +129,19 @@ public class WebTestUtilsTests {
 assertThat(WebTestUtils.getSecurityContextRepository(this.request)).isSameAs(this.contextRepo);
 }
+ @Test
+ public void setSecurityContextRepositoryWhenSecurityContextHolderFilter() {
+ SecurityContextRepository expectedRepository = mock(SecurityContextRepository.class);
+ loadConfig(SecurityContextHolderFilterConfig.class);
+ // verify our configuration sets up to have SecurityContextHolderFilter and not
+ // SecurityContextPersistenceFilter
+ assertThat(WebTestUtils.findFilter(this.request, SecurityContextPersistenceFilter.class)).isNull();
+ assertThat(WebTestUtils.findFilter(this.request, SecurityContextHolderFilter.class)).isNotNull();
+
+ WebTestUtils.setSecurityContextRepository(this.request, expectedRepository);
+ assertThat(WebTestUtils.getSecurityContextRepository(this.request)).isSameAs(expectedRepository);
+ }
+
 // gh-3343
 @Test
 public void findFilterNoMatchingFilters() {
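Review bot: The new test in the `@@ -126,6 +129,19 @@` hunk builds its own `mock(SecurityContextRepository.class)`, although the neighbouring test already asserts against `this.contextRepo`. That field looks like a Mockito-managed mock of the same type, since the class runs with `MockitoExtension` and imports `org.mockito.Mock`, but its declaration is outside the diff. If so, `WebTestUtils.setSecurityContextRepository(this.request, this.contextRepo);` followed by `isSameAs(this.contextRepo)` would match the existing tests and make the added `import static org.mockito.Mockito.mock;` unnecessary.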
@@ -220,4 +236,18 @@ public class WebTestUtilsTests {
 }
+ @EnableWebSecurity
+ static class SecurityContextHolderFilterConfig {
+
+ @Bean
+ DefaultSecurityFilterChain springSecurityFilter(HttpSecurity http) throws Exception {
+ // @formatter:off
+ http
+ .securityContext((securityContext) -> securityContext.requireExplicitSave(true));
+ // @formatter:on
+ return http.build();
+ }
+
+ }
+
 }
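Review bot: `SecurityContextHolderFilterConfig` does not say why `requireExplicitSave(true)` is its only setting. Going by the assertions in the new test, that option is what puts SecurityContextHolderFilter in the chain instead of SecurityContextPersistenceFilter. A short comment above the `http` call, e.g. `// requireExplicitSave(true) registers SecurityContextHolderFilter in place of SecurityContextPersistenceFilter`, would stop the fixture from being trimmed later in a way that leaves the new filter untested.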