Merge branch '7.0.x'

2026-05-04 06:40:28 +00:00 · 2026-04-02 10:58:06 -04:00 · 2026-04-02 10:58:06 -04:00 · 9527a4b281
commit 9527a4b281
parent 2ada3f00fa 77fe9e892a
4 changed files with 125 additions and 0 deletions
--- a/config/src/test/java/org/springframework/security/config/http/HttpHeadersConfigTests.java
+++ b/config/src/test/java/org/springframework/security/config/http/HttpHeadersConfigTests.java
@ -28,14 +28,17 @@ import jakarta.servlet.http.HttpSession;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;

+import org.springframework.beans.BeansException;
 import org.springframework.beans.factory.BeanCreationException;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.config.BeanPostProcessor;
 import org.springframework.beans.factory.parsing.BeanDefinitionParsingException;
 import org.springframework.beans.factory.xml.XmlBeanDefinitionStoreException;
 import org.springframework.security.config.test.SpringTestContext;
 import org.springframework.security.config.test.SpringTestContextExtension;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.web.authentication.session.SessionLimit;
+import org.springframework.security.web.header.HeaderWriterFilter;
 import org.springframework.test.web.servlet.MockMvc;
 import org.springframework.test.web.servlet.ResultMatcher;
 import org.springframework.test.web.servlet.request.MockHttpServletRequestBuilder;
@ -150,6 +153,16 @@ public class HttpHeadersConfigTests {
 		// @formatter:on
 	}

+	@Test
+	public void requestWhenHeadersEagerlyConfiguredThenHeadersAreWritten() throws Exception {
+		this.spring.configLocations(this.xml("HeadersEagerlyConfigured")).autowire();
+		// @formatter:off
+		this.mvc.perform(get("/").secure(true))
+				.andExpect(status().isOk())
+				.andExpect(includesDefaults());
+		// @formatter:on
+	}
+
 	@Test
 	public void requestWhenFrameOptionsConfiguredThenIncludesHeader() throws Exception {
 		Map<String, String> headers = new HashMap<>(defaultHeaders);
@ -955,6 +968,18 @@ public class HttpHeadersConfigTests {

 	}

+	public static class EagerHeadersBeanPostProcessor implements BeanPostProcessor {
+
+		@Override
+		public Object postProcessAfterInitialization(Object bean, String beanName) throws BeansException {
+			if (bean instanceof HeaderWriterFilter headerWriterFilter) {
+				headerWriterFilter.setShouldWriteHeadersEagerly(true);
+			}
+			return bean;
+		}
+
+	}
+
 	public static class CustomSessionLimit implements SessionLimit {

 		@Override
--- a/config/src/test/resources/org/springframework/security/config/http/HttpHeadersConfigTests-HeadersEagerlyConfigured.xml
+++ b/config/src/test/resources/org/springframework/security/config/http/HttpHeadersConfigTests-HeadersEagerlyConfigured.xml
@ -0,0 +1,37 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright 2004-present the original author or authors.
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~      https://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<b:beans xmlns:b="http://www.springframework.org/schema/beans"
+		xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+		xmlns="http://www.springframework.org/schema/security"
+		xsi:schemaLocation="
+			http://www.springframework.org/schema/security
+			https://www.springframework.org/schema/security/spring-security.xsd
+			http://www.springframework.org/schema/beans
+			https://www.springframework.org/schema/beans/spring-beans.xsd">
+
+	<http auto-config="true">
+		<headers/>
+		<intercept-url pattern="/**" access="permitAll"/>
+	</http>
+
+	<b:bean class="org.springframework.security.config.http.HttpHeadersConfigTests.EagerHeadersBeanPostProcessor"/>
+
+	<b:bean name="simple" class="org.springframework.security.config.http.HttpHeadersConfigTests.SimpleController"/>
+
+	<b:import resource="userservice.xml"/>
+</b:beans>
--- a/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/oidc/user/DefaultOidcUser.java
+++ b/oauth2/oauth2-core/src/main/java/org/springframework/security/oauth2/core/oidc/user/DefaultOidcUser.java
@ -19,6 +19,7 @@ package org.springframework.security.oauth2.core.oidc.user;
 import java.io.Serial;
 import java.util.Collection;
 import java.util.Map;
+import java.util.Objects;

 import org.jspecify.annotations.Nullable;

@ -116,4 +117,38 @@ public class DefaultOidcUser extends DefaultOAuth2User implements OidcUser {
 		return this.userInfo;
 	}

+	@Override
+	public boolean equals(Object obj) {
+		if (this == obj) {
+			return true;
+		}
+		if (obj == null || this.getClass() != obj.getClass()) {
+			return false;
+		}
+		DefaultOidcUser that = (DefaultOidcUser) obj;
+		if (!this.getName().equals(that.getName())) {
+			return false;
+		}
+		if (!this.getAuthorities().equals(that.getAuthorities())) {
+			return false;
+		}
+		if (this.getIdToken().getIssuer() == null || that.getIdToken().getIssuer() == null) {
+			return false;
+		}
+		return Objects.equals(this.getIdToken().getIssuer().toExternalForm(),
+				that.getIdToken().getIssuer().toExternalForm())
+				&& Objects.equals(this.getIdToken().getSubject(), that.getIdToken().getSubject());
+	}
+
+	@Override
+	public int hashCode() {
+		int result = this.getName().hashCode();
+		result = 31 * result + this.getAuthorities().hashCode();
+		result = 31 * result + ((this.getIdToken().getIssuer() != null)
+				? this.getIdToken().getIssuer().toExternalForm().hashCode() : 0);
+		result = 31 * result
+				+ ((this.getIdToken().getSubject() != null) ? this.getIdToken().getSubject().hashCode() : 0);
+		return result;
+	}
+
 }
--- a/oauth2/oauth2-core/src/test/java/org/springframework/security/oauth2/core/oidc/user/DefaultOidcUserTests.java
+++ b/oauth2/oauth2-core/src/test/java/org/springframework/security/oauth2/core/oidc/user/DefaultOidcUserTests.java
@ -17,6 +17,7 @@
 package org.springframework.security.oauth2.core.oidc.user;

 import java.time.Instant;
+import java.time.temporal.ChronoUnit;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.Map;
@ -147,4 +148,31 @@ public class DefaultOidcUserTests {
 				StandardClaimNames.NAME, StandardClaimNames.EMAIL);
 	}

+	// gh-18622
+	@Test
+	public void equalsWhenOidcUserPrincipalSameThenTrue() {
+		String issuer = "https://example.com";
+		String subject = "subject-1";
+
+		// @formatter:off
+		OidcIdToken idToken1 = OidcIdToken.withTokenValue("id-token-value-1")
+				.issuer(issuer)
+				.subject(subject)
+				.issuedAt(Instant.now())
+				.expiresAt(Instant.now().plus(30, ChronoUnit.MINUTES))
+				.build();
+
+		OidcIdToken idToken2 = OidcIdToken.withTokenValue("id-token-value-2")
+				.issuer(issuer)
+				.subject(subject)
+				.issuedAt(Instant.now())
+				.expiresAt(Instant.now().plus(30, ChronoUnit.MINUTES))
+				.build();
+		// @formatter:on
+
+		DefaultOidcUser user1 = new DefaultOidcUser(AUTHORITIES, idToken1, USER_INFO);
+		DefaultOidcUser user2 = new DefaultOidcUser(AUTHORITIES, idToken2, USER_INFO);
+		assertThat(user1).isEqualTo(user2);
+	}
+
 }