RequestAttributeSecurityContextRepository never null SecurityContext

Previously loadContext(HttpServletRequest) could return a Supplier that
returned a null SecurityContext

This commit ensures that null is never returned by the Supplier by
returning SecurityContextHolder.createEmptyContext() instead.

Closes gh-11606
This commit is contained in:
Rob Winch 2022-08-08 13:52:12 -05:00
parent ed58ac7d78
commit c23324e7a7
2 changed files with 27 additions and 4 deletions

View File

@ -66,18 +66,26 @@ public final class RequestAttributeSecurityContextRepository implements Security
@Override
public boolean containsContext(HttpServletRequest request) {
return loadContext(request).get() != null;
return getContext(request) != null;
}
@Override
public SecurityContext loadContext(HttpRequestResponseHolder requestResponseHolder) {
SecurityContext context = loadContext(requestResponseHolder.getRequest()).get();
return (context != null) ? context : SecurityContextHolder.createEmptyContext();
return getContextOrEmpty(requestResponseHolder.getRequest());
}
@Override
public Supplier<SecurityContext> loadContext(HttpServletRequest request) {
return () -> (SecurityContext) request.getAttribute(this.requestAttributeName);
return () -> getContextOrEmpty(request);
}
private SecurityContext getContextOrEmpty(HttpServletRequest request) {
SecurityContext context = getContext(request);
return (context != null) ? context : SecurityContextHolder.createEmptyContext();
}
private SecurityContext getContext(HttpServletRequest request) {
return (SecurityContext) request.getAttribute(this.requestAttributeName);
}
@Override

View File

@ -16,6 +16,8 @@
package org.springframework.security.web.context;
import java.util.function.Supplier;
import org.junit.jupiter.api.Test;
import org.springframework.mock.web.MockHttpServletRequest;
@ -67,4 +69,17 @@ class RequestAttributeSecurityContextRepositoryTests {
assertThat(this.repository.containsContext(this.request)).isTrue();
}
@Test
void loadDeferredContextWhenNotPresentThenEmptyContext() {
Supplier<SecurityContext> deferredContext = this.repository.loadContext(this.request);
assertThat(deferredContext.get()).isEqualTo(SecurityContextHolder.createEmptyContext());
}
@Test
void loadContextWhenNotPresentThenEmptyContext() {
SecurityContext context = this.repository
.loadContext(new HttpRequestResponseHolder(this.request, this.response));
assertThat(context).isEqualTo(SecurityContextHolder.createEmptyContext());
}
}