From b316a3217be6a683ab0009d329f1bbef2e4633c9 Mon Sep 17 00:00:00 2001 From: Josh Cummings Date: Mon, 27 Jun 2022 16:58:52 -0600 Subject: [PATCH] Add SecurityContextHolderStrategy for Jaas Issue gh-11060 Issue gh-11061 --- .../config/http/HttpConfigurationBuilder.java | 3 ++- .../jaas/SecurityContextLoginModule.java | 18 ++++++++++++++++- .../jaas/SecurityContextLoginModuleTests.java | 16 +++++++++++++++ .../web/jaasapi/JaasApiIntegrationFilter.java | 20 +++++++++++++++++-- .../JaasApiIntegrationFilterTests.java | 12 +++++++++++ 5 files changed, 65 insertions(+), 4 deletions(-) diff --git a/config/src/main/java/org/springframework/security/config/http/HttpConfigurationBuilder.java b/config/src/main/java/org/springframework/security/config/http/HttpConfigurationBuilder.java index 522ebc9dde..518b16a9b4 100644 --- a/config/src/main/java/org/springframework/security/config/http/HttpConfigurationBuilder.java +++ b/config/src/main/java/org/springframework/security/config/http/HttpConfigurationBuilder.java @@ -610,7 +610,8 @@ class HttpConfigurationBuilder { provideJaasApi = DEF_JAAS_API_PROVISION; } if ("true".equals(provideJaasApi)) { - this.jaasApiFilter = new RootBeanDefinition(JaasApiIntegrationFilter.class); + this.jaasApiFilter = BeanDefinitionBuilder.rootBeanDefinition(JaasApiIntegrationFilter.class) + .addPropertyValue("securityContextHolderStrategy", this.holderStrategyRef).getBeanDefinition(); } } diff --git a/core/src/main/java/org/springframework/security/authentication/jaas/SecurityContextLoginModule.java b/core/src/main/java/org/springframework/security/authentication/jaas/SecurityContextLoginModule.java index 4cc8c8d402..2350f73e8f 100644 --- a/core/src/main/java/org/springframework/security/authentication/jaas/SecurityContextLoginModule.java +++ b/core/src/main/java/org/springframework/security/authentication/jaas/SecurityContextLoginModule.java @@ -28,6 +28,8 @@ import org.apache.commons.logging.LogFactory; import org.springframework.security.core.Authentication; import org.springframework.security.core.context.SecurityContextHolder; +import org.springframework.security.core.context.SecurityContextHolderStrategy; +import org.springframework.util.Assert; /** * An implementation of {@link LoginModule} that uses a Spring Security @@ -55,6 +57,9 @@ public class SecurityContextLoginModule implements LoginModule { private static final Log log = LogFactory.getLog(SecurityContextLoginModule.class); + private SecurityContextHolderStrategy securityContextHolderStrategy = SecurityContextHolder + .getContextHolderStrategy(); + private Authentication authen; private Subject subject; @@ -93,6 +98,17 @@ public class SecurityContextLoginModule implements LoginModule { return true; } + /** + * Sets the {@link SecurityContextHolderStrategy} to use. The default action is to use + * the {@link SecurityContextHolderStrategy} stored in {@link SecurityContextHolder}. + * + * @since 5.8 + */ + public void setSecurityContextHolderStrategy(SecurityContextHolderStrategy securityContextHolderStrategy) { + Assert.notNull(securityContextHolderStrategy, "securityContextHolderStrategy cannot be null"); + this.securityContextHolderStrategy = securityContextHolderStrategy; + } + Authentication getAuthentication() { return this.authen; } @@ -129,7 +145,7 @@ public class SecurityContextLoginModule implements LoginModule { */ @Override public boolean login() throws LoginException { - this.authen = SecurityContextHolder.getContext().getAuthentication(); + this.authen = this.securityContextHolderStrategy.getContext().getAuthentication(); if (this.authen != null) { return true; } diff --git a/core/src/test/java/org/springframework/security/authentication/jaas/SecurityContextLoginModuleTests.java b/core/src/test/java/org/springframework/security/authentication/jaas/SecurityContextLoginModuleTests.java index 293d85bd44..dad7d300ad 100644 --- a/core/src/test/java/org/springframework/security/authentication/jaas/SecurityContextLoginModuleTests.java +++ b/core/src/test/java/org/springframework/security/authentication/jaas/SecurityContextLoginModuleTests.java @@ -29,9 +29,13 @@ import org.junit.jupiter.api.Test; import org.springframework.security.authentication.UsernamePasswordAuthenticationToken; import org.springframework.security.core.context.SecurityContextHolder; +import org.springframework.security.core.context.SecurityContextHolderStrategy; +import org.springframework.security.core.context.SecurityContextImpl; import static org.assertj.core.api.Assertions.assertThat; import static org.assertj.core.api.Assertions.assertThatExceptionOfType; +import static org.mockito.BDDMockito.given; +import static org.mockito.Mockito.mock; /** * Tests SecurityContextLoginModule @@ -84,6 +88,18 @@ public class SecurityContextLoginModuleTests { .withFailMessage("Principals should contain the authentication").isTrue(); } + @Test + public void loginWhenCustomSecurityContextHolderStrategyThenUses() throws Exception { + SecurityContextHolderStrategy securityContextHolderStrategy = mock(SecurityContextHolderStrategy.class); + given(securityContextHolderStrategy.getContext()).willReturn(new SecurityContextImpl(this.auth)); + this.module.setSecurityContextHolderStrategy(securityContextHolderStrategy); + assertThat(this.module.login()).as("Login should succeed, there is an authentication set").isTrue(); + assertThat(this.module.commit()).withFailMessage("The authentication is not null, this should return true") + .isTrue(); + assertThat(this.subject.getPrincipals().contains(this.auth)) + .withFailMessage("Principals should contain the authentication").isTrue(); + } + @Test public void testLogout() throws Exception { SecurityContextHolder.getContext().setAuthentication(this.auth); diff --git a/web/src/main/java/org/springframework/security/web/jaasapi/JaasApiIntegrationFilter.java b/web/src/main/java/org/springframework/security/web/jaasapi/JaasApiIntegrationFilter.java index a66d1ce3c3..be8b52ebda 100644 --- a/web/src/main/java/org/springframework/security/web/jaasapi/JaasApiIntegrationFilter.java +++ b/web/src/main/java/org/springframework/security/web/jaasapi/JaasApiIntegrationFilter.java @@ -1,5 +1,5 @@ /* - * Copyright 2010-2021 the original author or authors. + * Copyright 2010-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -32,6 +32,8 @@ import org.springframework.core.log.LogMessage; import org.springframework.security.authentication.jaas.JaasAuthenticationToken; import org.springframework.security.core.Authentication; import org.springframework.security.core.context.SecurityContextHolder; +import org.springframework.security.core.context.SecurityContextHolderStrategy; +import org.springframework.util.Assert; import org.springframework.web.filter.GenericFilterBean; /** @@ -52,6 +54,9 @@ import org.springframework.web.filter.GenericFilterBean; */ public class JaasApiIntegrationFilter extends GenericFilterBean { + private SecurityContextHolderStrategy securityContextHolderStrategy = SecurityContextHolder + .getContextHolderStrategy(); + private boolean createEmptySubject; /** @@ -114,7 +119,7 @@ public class JaasApiIntegrationFilter extends GenericFilterBean { * available. */ protected Subject obtainSubject(ServletRequest request) { - Authentication authentication = SecurityContextHolder.getContext().getAuthentication(); + Authentication authentication = this.securityContextHolderStrategy.getContext().getAuthentication(); this.logger.debug(LogMessage.format("Attempting to obtainSubject using authentication : %s", authentication)); if (authentication == null) { return null; @@ -144,4 +149,15 @@ public class JaasApiIntegrationFilter extends GenericFilterBean { this.createEmptySubject = createEmptySubject; } + /** + * Sets the {@link SecurityContextHolderStrategy} to use. The default action is to use + * the {@link SecurityContextHolderStrategy} stored in {@link SecurityContextHolder}. + * + * @since 5.8 + */ + public void setSecurityContextHolderStrategy(SecurityContextHolderStrategy securityContextHolderStrategy) { + Assert.notNull(securityContextHolderStrategy, "securityContextHolderStrategy cannot be null"); + this.securityContextHolderStrategy = securityContextHolderStrategy; + } + } diff --git a/web/src/test/java/org/springframework/security/web/jaasapi/JaasApiIntegrationFilterTests.java b/web/src/test/java/org/springframework/security/web/jaasapi/JaasApiIntegrationFilterTests.java index 8813dce8cc..38acf4ef2c 100644 --- a/web/src/test/java/org/springframework/security/web/jaasapi/JaasApiIntegrationFilterTests.java +++ b/web/src/test/java/org/springframework/security/web/jaasapi/JaasApiIntegrationFilterTests.java @@ -48,8 +48,12 @@ import org.springframework.security.authentication.jaas.TestLoginModule; import org.springframework.security.core.Authentication; import org.springframework.security.core.authority.AuthorityUtils; import org.springframework.security.core.context.SecurityContextHolder; +import org.springframework.security.core.context.SecurityContextHolderStrategy; +import org.springframework.security.core.context.SecurityContextImpl; import static org.assertj.core.api.Assertions.assertThat; +import static org.mockito.BDDMockito.given; +import static org.mockito.Mockito.mock; /** * Tests the JaasApiIntegrationFilter. @@ -189,6 +193,14 @@ public class JaasApiIntegrationFilterTests { assertJaasSubjectEquals(new Subject()); } + @Test + public void doFilterUsesCustomSecurityContextHolderStrategy() throws Exception { + SecurityContextHolderStrategy strategy = mock(SecurityContextHolderStrategy.class); + given(strategy.getContext()).willReturn(new SecurityContextImpl(this.token)); + this.filter.setSecurityContextHolderStrategy(strategy); + assertJaasSubjectEquals(this.authenticatedSubject); + } + private void assertJaasSubjectEquals(final Subject expectedValue) throws Exception { MockFilterChain chain = new MockFilterChain() { @Override