Reactive Basic does not create session by default

Fixes: gh-4825
2017-11-15 09:59:51 -06:00 · 2017-11-15 09:59:51 -06:00 · 942b51dba7
parent 5f79fdd3eb
commit 942b51dba7
4 changed files with 8 additions and 9 deletions
--- a/config/src/main/java/org/springframework/security/config/web/server/SecurityWebFiltersOrder.java
+++ b/config/src/main/java/org/springframework/security/config/web/server/SecurityWebFiltersOrder.java
@ -27,6 +27,10 @@ public enum SecurityWebFiltersOrder {
 	 * {@link org.springframework.security.web.server.csrf.CsrfWebFilter}
 	 */
 	CSRF,
+	/**
+	 * {@link org.springframework.security.web.server.context.ReactorContextWebFilter}
+	 */
+	REACTOR_CONTEXT,
 	/**
 	 * Instance of AuthenticationWebFilter
 	 */
@ -36,10 +40,6 @@ public enum SecurityWebFiltersOrder {
 	 */
 	FORM_LOGIN,
 	AUTHENTICATION,
-	/**
-	 * {@link org.springframework.security.web.server.context.ReactorContextWebFilter}
-	 */
-	REACTOR_CONTEXT,
 	LOGIN_PAGE_GENERATING,
 	LOGOUT_PAGE_GENERATING,
 	/**
--- a/config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java
+++ b/config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java
@ -229,9 +229,6 @@ public class ServerHttpSecurity {
 		}
 		if(this.httpBasic != null) {
 			this.httpBasic.authenticationManager(this.authenticationManager);
-			if(this.securityContextRepository != null) {
-				this.httpBasic.securityContextRepository(this.securityContextRepository);
-			}
 			this.httpBasic.configure(this);
 		}
 		if(this.formLogin != null) {
--- a/config/src/test/java/org/springframework/security/config/web/server/ServerHttpSecurityTests.java
+++ b/config/src/test/java/org/springframework/security/config/web/server/ServerHttpSecurityTests.java
@ -100,7 +100,7 @@ public class ServerHttpSecurityTests {
 			.expectBody(String.class).consumeWith(b -> assertThat(b.getResponseBody()).isEqualTo("ok"))
 			.returnResult();

-		assertThat(result.getResponseCookies().getFirst("SESSION")).isNotNull();
+		assertThat(result.getResponseCookies().getFirst("SESSION")).isNull();
 	}

 	@Test
--- a/web/src/main/java/org/springframework/security/web/server/authentication/AuthenticationWebFilter.java
+++ b/web/src/main/java/org/springframework/security/web/server/authentication/AuthenticationWebFilter.java
@ -18,6 +18,7 @@ package org.springframework.security.web.server.authentication;
 import java.util.function.Function;

 import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.core.context.ReactiveSecurityContextHolder;
 import reactor.core.publisher.Mono;

 import org.springframework.security.authentication.ReactiveAuthenticationManager;
@ -82,7 +83,8 @@ public class AuthenticationWebFilter implements WebFilter {
 		securityContext.setAuthentication(authentication);
 		return this.securityContextRepository.save(exchange, securityContext)
 			.then(this.authenticationSuccessHandler
-				.onAuthenticationSuccess(webFilterExchange, authentication));
+				.onAuthenticationSuccess(webFilterExchange, authentication))
+			.subscriberContext(ReactiveSecurityContextHolder.withSecurityContext(Mono.just(securityContext)));
 	}

 	public void setSecurityContextRepository(