
SEC-1167: Added setRequestCache to SavedRequestAwareAuthenticationSuccessHandler and updated namespace parsing to set PortResolver on created HttpRequestCache.

Luke Taylor 16 years ago
parent
commit
8b115e2a21

+ 0 - 1
config/src/main/java/org/springframework/security/config/BeanIds.java

@@ -29,7 +29,6 @@ public abstract class BeanIds {
     public static final String FILTER_CHAIN_PROXY = "_filterChainProxy";
     public static final String LDAP_AUTHENTICATION_PROVIDER = "_ldapAuthenticationProvider";
 
-    public static final String SESSION_FIXATION_PROTECTION_FILTER = "_sessionFixationProtectionFilter";
     public static final String METHOD_SECURITY_METADATA_SOURCE_ADVISOR = "_methodSecurityMetadataSourceAdvisor";
     public static final String EMBEDDED_APACHE_DS = "_apacheDirectoryServerContainer";
     public static final String CONTEXT_SOURCE = "_securityContextSource";

+ 12 - 8
config/src/main/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParser.java

@@ -41,6 +41,7 @@ import org.springframework.security.config.BeanIds;
 import org.springframework.security.config.Elements;
 import org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper;
 import org.springframework.security.web.FilterChainProxy;
+import org.springframework.security.web.PortResolverImpl;
 import org.springframework.security.web.access.AccessDeniedHandlerImpl;
 import org.springframework.security.web.access.ExceptionTranslationFilter;
 import org.springframework.security.web.access.channel.ChannelDecisionManagerImpl;
@@ -204,9 +205,10 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
         // Register the portMapper. A default will always be created, even if no element exists.
         BeanDefinition portMapper = new PortMappingsBeanDefinitionParser().parse(
                 DomUtils.getChildElementByTagName(element, Elements.PORT_MAPPINGS), pc);
+        String portMapperName = pc.getReaderContext().registerWithGeneratedName(portMapper);
         RootBeanDefinition rememberMeFilter = createRememberMeFilter(element, pc, authenticationManager);
         BeanDefinition anonFilter = createAnonymousFilter(element, pc);
-        BeanReference requestCache = createRequestCache(element, pc, allowSessionCreation);
+        BeanReference requestCache = createRequestCache(element, pc, allowSessionCreation, portMapperName);
         BeanDefinition requestCacheAwareFilter = new RootBeanDefinition(RequestCacheAwareFilter.class);
         requestCacheAwareFilter.getPropertyValues().addPropertyValue("requestCache", requestCache);
 
@@ -215,16 +217,15 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
                 sessionRegistryRef);
         BeanDefinition fsi = createFilterSecurityInterceptor(element, pc, matcher, convertPathsToLowerCase, authenticationManager);
 
-        String portMapperName = pc.getReaderContext().registerWithGeneratedName(portMapper);
         if (channelRequestMap.size() > 0) {
             // At least one channel requirement has been specified
             cpf = createChannelProcessingFilter(pc, matcher, channelRequestMap, portMapperName);
         }
 
-        if (sfpf != null) {
-            // Used by SessionRegistryinjectionPP
-            pc.getRegistry().registerBeanDefinition(BeanIds.SESSION_FIXATION_PROTECTION_FILTER, sfpf);
-        }
+//        if (sfpf != null) {
+//            // Used by SessionRegistryinjectionPP
+//            pc.getRegistry().registerBeanDefinition(BeanIds.SESSION_FIXATION_PROTECTION_FILTER, sfpf);
+//        }
 
         final FilterAndEntryPoint basic = createBasicFilter(element, pc, autoConfig, authenticationManager);
         final FilterAndEntryPoint form = createFormLoginFilter(element, pc, autoConfig, allowSessionCreation,
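Review bot: The `if (sfpf != null)` registration is commented out rather than deleted, and the dead lines still name `BeanIds.SESSION_FIXATION_PROTECTION_FILTER`, which this same commit removes from BeanIds. Delete the four commented lines instead of keeping them. The old inline comment says the bean id was used by a session-registry injection post-processor; if anything still looks the filter up by that id it would now find nothing without any error, so it is worth confirming no such lookup remains, since that wiring appears to relate to session-fixation and concurrent-session handling. The commit message does not mention this removal, and the enclosing method starts and ends outside the hunk.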
@@ -758,9 +759,13 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
         return new RuntimeBeanReference(id);
     }
 
-    private BeanReference createRequestCache(Element element, ParserContext pc, boolean allowSessionCreation) {
+    private BeanReference createRequestCache(Element element, ParserContext pc, boolean allowSessionCreation,
+            String portMapperName) {
         BeanDefinitionBuilder requestCache = BeanDefinitionBuilder.rootBeanDefinition(HttpSessionRequestCache.class);
+        BeanDefinitionBuilder portResolver = BeanDefinitionBuilder.rootBeanDefinition(PortResolverImpl.class);
+        portResolver.addPropertyReference("portMapper", portMapperName);
         requestCache.addPropertyValue("createSessionAllowed", Boolean.valueOf(allowSessionCreation));
+        requestCache.addPropertyValue("portResolver", portResolver.getBeanDefinition());
 
         BeanDefinition bean = requestCache.getBeanDefinition();
         String id = pc.getReaderContext().registerWithGeneratedName(bean);
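Review bot: The new `portMapperName` parameter of createRequestCache is undocumented, and nothing at the `portResolver` lines says why the request cache needs its own PortResolverImpl. A short comment above the builder would help, for example `// Wire the namespace PortMapper into the request cache so it resolves ports the same way as the channel processing filter`; this is inferred from `portMapperName` also being passed to createChannelProcessingFilter, so confirm the wording. It would also be worth noting that the call site must register the port mapper before calling this method, which is why the `registerWithGeneratedName(portMapper)` line was moved up in the earlier hunk. The method body continues past the end of this hunk.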
@@ -775,7 +780,6 @@ public class HttpSecurityBeanDefinitionParser implements BeanDefinitionParser {
             = BeanDefinitionBuilder.rootBeanDefinition(ExceptionTranslationFilter.class);
         exceptionTranslationFilterBuilder.addPropertyValue("accessDeniedHandler", createAccessDeniedHandler(element, pc));
 
-
         return exceptionTranslationFilterBuilder.getBeanDefinition();
     }
 

+ 3 - 18
web/src/main/java/org/springframework/security/web/authentication/SavedRequestAwareAuthenticationSuccessHandler.java

@@ -79,22 +79,7 @@ public class SavedRequestAwareAuthenticationSuccessHandler extends SimpleUrlAuth
         RedirectUtils.sendRedirect(request, response, targetUrl, isUseRelativeContext());
     }
 
-//    private SavedRequest getSavedRequest(HttpServletRequest request) {
-//        HttpSession session = request.getSession(false);
-//
-//        if (session != null) {
-//            return (SavedRequest) session.getAttribute(SavedRequest.SPRING_SECURITY_SAVED_REQUEST_KEY);
-//        }
-//
-//        return null;
-//    }
-//
-//    private void removeSavedRequest(HttpServletRequest request) {
-//        HttpSession session = request.getSession(false);
-//
-//        if (session != null) {
-//            logger.debug("Removing SavedRequest from session if present");
-//            session.removeAttribute(SavedRequest.SPRING_SECURITY_SAVED_REQUEST_KEY);
-//        }
-//    }
+    public void setRequestCache(RequestCache requestCache) {
+        this.requestCache = requestCache;
+    }
 }
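Review bot: The new `setRequestCache` stores whatever it is given, so a null from a misconfigured bean definition would only surface later, presumably as a NullPointerException when the handler consults the cache after a successful login (that code is outside the hunk). Reject it at configuration time with `Assert.notNull(requestCache, "requestCache cannot be null");` as the first line of the setter, which needs `org.springframework.util.Assert` imported if the file does not already have it. The setter is public API and decides where users are redirected after authentication, so it should also carry a one-line Javadoc such as `/** Sets the RequestCache used to look up the saved request to redirect to after successful authentication. */`.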