diff --git a/config/src/test/java/org/springframework/security/config/http/MiscHttpConfigTests.java b/config/src/test/java/org/springframework/security/config/http/MiscHttpConfigTests.java index e9a845f916..ecd3e6aad4 100644 --- a/config/src/test/java/org/springframework/security/config/http/MiscHttpConfigTests.java +++ b/config/src/test/java/org/springframework/security/config/http/MiscHttpConfigTests.java @@ -75,6 +75,7 @@ import org.springframework.security.core.AuthenticationException; import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.annotation.AuthenticationPrincipal; import org.springframework.security.core.authority.AuthorityUtils; +import org.springframework.security.core.context.DeferredSecurityContext; import org.springframework.security.core.context.SecurityContext; import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.core.context.SecurityContextHolderStrategy; @@ -490,7 +491,8 @@ public class MiscHttpConfigTests { this.spring.configLocations(xml("ExplicitSaveAndExplicitRepository")).autowire(); SecurityContextRepository repository = this.spring.getContext().getBean(SecurityContextRepository.class); SecurityContext context = new SecurityContextImpl(new TestingAuthenticationToken("user", "password")); - given(repository.loadContext(any(HttpServletRequest.class))).willReturn(() -> context); + given(repository.loadDeferredContext(any(HttpServletRequest.class))) + .willReturn(new TestDeferredSecurityContext(context, false)); // @formatter:off MvcResult result = this.mvc.perform(formLogin()) .andExpect(status().is3xxRedirection()) @@ -1044,4 +1046,27 @@ public class MiscHttpConfigTests { } + static class TestDeferredSecurityContext implements DeferredSecurityContext { + + private SecurityContext securityContext; + + private boolean isGenerated; + + TestDeferredSecurityContext(SecurityContext securityContext, boolean isGenerated) { + this.securityContext = securityContext; + this.isGenerated = isGenerated; + } + + @Override + public SecurityContext get() { + return this.securityContext; + } + + @Override + public boolean isGenerated() { + return this.isGenerated; + } + + } + } diff --git a/core/src/main/java/org/springframework/security/core/context/DeferredSecurityContext.java b/core/src/main/java/org/springframework/security/core/context/DeferredSecurityContext.java new file mode 100644 index 0000000000..7dd22cc36c --- /dev/null +++ b/core/src/main/java/org/springframework/security/core/context/DeferredSecurityContext.java @@ -0,0 +1,38 @@ +/* + * Copyright 2002-2022 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.core.context; + +import java.util.function.Supplier; + +/** + * An interface that allows delayed access to a {@link SecurityContext} that may be + * generated. + * + * @author Steve Riesenberg + * @since 5.8 + */ +public interface DeferredSecurityContext extends Supplier { + + /** + * Returns true if {@link #get()} refers to a generated {@link SecurityContext} or + * false if it already existed. + * @return true if {@link #get()} refers to a generated {@link SecurityContext} or + * false if it already existed + */ + boolean isGenerated(); + +} diff --git a/web/src/main/java/org/springframework/security/web/context/HttpRequestResponseHolder.java b/web/src/main/java/org/springframework/security/web/context/HttpRequestResponseHolder.java index 59376c1faf..6b322c4319 100644 --- a/web/src/main/java/org/springframework/security/web/context/HttpRequestResponseHolder.java +++ b/web/src/main/java/org/springframework/security/web/context/HttpRequestResponseHolder.java @@ -27,7 +27,8 @@ import javax.servlet.http.HttpServletResponse; * * @author Luke Taylor * @since 3.0 - * @deprecated Use {@link SecurityContextRepository#loadContext(HttpServletRequest)} + * @deprecated Use + * {@link SecurityContextRepository#loadDeferredContext(HttpServletRequest)} */ @Deprecated public final class HttpRequestResponseHolder { diff --git a/web/src/main/java/org/springframework/security/web/context/HttpSessionSecurityContextRepository.java b/web/src/main/java/org/springframework/security/web/context/HttpSessionSecurityContextRepository.java index 100c11bb53..3c02d86767 100644 --- a/web/src/main/java/org/springframework/security/web/context/HttpSessionSecurityContextRepository.java +++ b/web/src/main/java/org/springframework/security/web/context/HttpSessionSecurityContextRepository.java @@ -16,6 +16,8 @@ package org.springframework.security.web.context; +import java.util.function.Supplier; + import javax.servlet.AsyncContext; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; @@ -33,6 +35,7 @@ import org.springframework.security.authentication.AuthenticationTrustResolver; import org.springframework.security.authentication.AuthenticationTrustResolverImpl; import org.springframework.security.core.Authentication; import org.springframework.security.core.Transient; +import org.springframework.security.core.context.DeferredSecurityContext; import org.springframework.security.core.context.SecurityContext; import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.core.context.SecurityContextHolderStrategy; @@ -136,6 +139,12 @@ public class HttpSessionSecurityContextRepository implements SecurityContextRepo return context; } + @Override + public DeferredSecurityContext loadDeferredContext(HttpServletRequest request) { + Supplier supplier = () -> readSecurityContextFromSession(request.getSession(false)); + return new SupplierDeferredSecurityContext(supplier, this.securityContextHolderStrategy); + } + @Override public void saveContext(SecurityContext context, HttpServletRequest request, HttpServletResponse response) { SaveContextOnUpdateOrErrorResponseWrapper responseWrapper = WebUtils.getNativeResponse(response, diff --git a/web/src/main/java/org/springframework/security/web/context/RequestAttributeSecurityContextRepository.java b/web/src/main/java/org/springframework/security/web/context/RequestAttributeSecurityContextRepository.java index 2b99901a54..f790434754 100644 --- a/web/src/main/java/org/springframework/security/web/context/RequestAttributeSecurityContextRepository.java +++ b/web/src/main/java/org/springframework/security/web/context/RequestAttributeSecurityContextRepository.java @@ -21,6 +21,7 @@ import java.util.function.Supplier; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import org.springframework.security.core.context.DeferredSecurityContext; import org.springframework.security.core.context.SecurityContext; import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.core.context.SecurityContextHolderStrategy; @@ -76,17 +77,13 @@ public final class RequestAttributeSecurityContextRepository implements Security @Override public SecurityContext loadContext(HttpRequestResponseHolder requestResponseHolder) { - return getContextOrEmpty(requestResponseHolder.getRequest()); + return loadDeferredContext(requestResponseHolder.getRequest()).get(); } @Override - public Supplier loadContext(HttpServletRequest request) { - return () -> getContextOrEmpty(request); - } - - private SecurityContext getContextOrEmpty(HttpServletRequest request) { - SecurityContext context = getContext(request); - return (context != null) ? context : this.securityContextHolderStrategy.createEmptyContext(); + public DeferredSecurityContext loadDeferredContext(HttpServletRequest request) { + Supplier supplier = () -> getContext(request); + return new SupplierDeferredSecurityContext(supplier, this.securityContextHolderStrategy); } private SecurityContext getContext(HttpServletRequest request) { diff --git a/web/src/main/java/org/springframework/security/web/context/SaveContextOnUpdateOrErrorResponseWrapper.java b/web/src/main/java/org/springframework/security/web/context/SaveContextOnUpdateOrErrorResponseWrapper.java index 16bcbe0917..9831730fd3 100644 --- a/web/src/main/java/org/springframework/security/web/context/SaveContextOnUpdateOrErrorResponseWrapper.java +++ b/web/src/main/java/org/springframework/security/web/context/SaveContextOnUpdateOrErrorResponseWrapper.java @@ -42,8 +42,8 @@ import org.springframework.util.Assert; * @author Marten Algesten * @author Rob Winch * @since 3.0 - * @deprecated Use {@link SecurityContextRepository#loadContext(HttpServletRequest)} - * instead. + * @deprecated Use + * {@link SecurityContextRepository#loadDeferredContext(HttpServletRequest)} instead. */ @Deprecated public abstract class SaveContextOnUpdateOrErrorResponseWrapper extends OnCommittedResponseWrapper { diff --git a/web/src/main/java/org/springframework/security/web/context/SecurityContextHolderFilter.java b/web/src/main/java/org/springframework/security/web/context/SecurityContextHolderFilter.java index 45ecdad2e3..198bfb59b0 100644 --- a/web/src/main/java/org/springframework/security/web/context/SecurityContextHolderFilter.java +++ b/web/src/main/java/org/springframework/security/web/context/SecurityContextHolderFilter.java @@ -63,7 +63,7 @@ public class SecurityContextHolderFilter extends OncePerRequestFilter { @Override protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException { - Supplier deferredContext = this.securityContextRepository.loadContext(request); + Supplier deferredContext = this.securityContextRepository.loadDeferredContext(request); try { this.securityContextHolderStrategy.setDeferredContext(deferredContext); filterChain.doFilter(request, response); diff --git a/web/src/main/java/org/springframework/security/web/context/SecurityContextRepository.java b/web/src/main/java/org/springframework/security/web/context/SecurityContextRepository.java index b9034e36c4..d867d46786 100644 --- a/web/src/main/java/org/springframework/security/web/context/SecurityContextRepository.java +++ b/web/src/main/java/org/springframework/security/web/context/SecurityContextRepository.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2016 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -21,7 +21,9 @@ import java.util.function.Supplier; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import org.springframework.security.core.context.DeferredSecurityContext; import org.springframework.security.core.context.SecurityContext; +import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.util.function.SingletonSupplier; /** @@ -61,7 +63,7 @@ public interface SecurityContextRepository { * the context should be loaded. * @return The security context which should be used for the current request, never * null. - * @deprecated Use {@link #loadContext(HttpServletRequest)} instead. + * @deprecated Use {@link #loadDeferredContext(HttpServletRequest)} instead. */ @Deprecated SecurityContext loadContext(HttpRequestResponseHolder requestResponseHolder); @@ -75,9 +77,27 @@ public interface SecurityContextRepository { * @return a {@link Supplier} that returns the {@link SecurityContext} which cannot be * null. * @since 5.7 + * @deprecated Use + * {@link SecurityContextRepository#loadDeferredContext(HttpServletRequest)} instead */ + @Deprecated default Supplier loadContext(HttpServletRequest request) { - return SingletonSupplier.of(() -> loadContext(new HttpRequestResponseHolder(request, null))); + return loadDeferredContext(request); + } + + /** + * Defers loading the {@link SecurityContext} using the {@link HttpServletRequest} + * until it is needed by the application. + * @param request the {@link HttpServletRequest} to load the {@link SecurityContext} + * from + * @return a {@link DeferredSecurityContext} that returns the {@link SecurityContext} + * which cannot be null + * @since 5.8 + */ + default DeferredSecurityContext loadDeferredContext(HttpServletRequest request) { + Supplier supplier = () -> loadContext(new HttpRequestResponseHolder(request, null)); + return new SupplierDeferredSecurityContext(SingletonSupplier.of(supplier), + SecurityContextHolder.getContextHolderStrategy()); } /** diff --git a/web/src/main/java/org/springframework/security/web/context/SupplierDeferredSecurityContext.java b/web/src/main/java/org/springframework/security/web/context/SupplierDeferredSecurityContext.java new file mode 100644 index 0000000000..a65ed6ef0c --- /dev/null +++ b/web/src/main/java/org/springframework/security/web/context/SupplierDeferredSecurityContext.java @@ -0,0 +1,77 @@ +/* + * Copyright 2002-2022 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.web.context; + +import java.util.function.Supplier; + +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; + +import org.springframework.core.log.LogMessage; +import org.springframework.security.core.context.DeferredSecurityContext; +import org.springframework.security.core.context.SecurityContext; +import org.springframework.security.core.context.SecurityContextHolderStrategy; + +/** + * @author Steve Riesenberg + * @since 5.8 + */ +final class SupplierDeferredSecurityContext implements DeferredSecurityContext { + + private static final Log logger = LogFactory.getLog(SupplierDeferredSecurityContext.class); + + private final Supplier supplier; + + private final SecurityContextHolderStrategy strategy; + + private SecurityContext securityContext; + + private boolean missingContext; + + SupplierDeferredSecurityContext(Supplier supplier, SecurityContextHolderStrategy strategy) { + this.supplier = supplier; + this.strategy = strategy; + } + + @Override + public SecurityContext get() { + init(); + return this.securityContext; + } + + @Override + public boolean isGenerated() { + init(); + return this.missingContext; + } + + private void init() { + if (this.securityContext != null) { + return; + } + + this.securityContext = this.supplier.get(); + this.missingContext = (this.securityContext == null); + if (this.missingContext) { + this.securityContext = this.strategy.createEmptyContext(); + if (logger.isTraceEnabled()) { + logger.trace(LogMessage.format("Created %s", this.securityContext)); + } + } + } + +} diff --git a/web/src/test/java/org/springframework/security/web/context/SecurityContextHolderFilterTests.java b/web/src/test/java/org/springframework/security/web/context/SecurityContextHolderFilterTests.java index 4983eb3166..6b70ad00e0 100644 --- a/web/src/test/java/org/springframework/security/web/context/SecurityContextHolderFilterTests.java +++ b/web/src/test/java/org/springframework/security/web/context/SecurityContextHolderFilterTests.java @@ -76,7 +76,8 @@ class SecurityContextHolderFilterTests { void doFilterThenSetsAndClearsSecurityContextHolder() throws Exception { Authentication authentication = TestAuthentication.authenticatedUser(); SecurityContext expectedContext = new SecurityContextImpl(authentication); - given(this.repository.loadContext(this.requestArg.capture())).willReturn(() -> expectedContext); + given(this.repository.loadDeferredContext(this.requestArg.capture())) + .willReturn(new SupplierDeferredSecurityContext(() -> expectedContext, this.strategy)); FilterChain filterChain = (request, response) -> assertThat(SecurityContextHolder.getContext()) .isEqualTo(expectedContext); @@ -89,7 +90,8 @@ class SecurityContextHolderFilterTests { void doFilterThenSetsAndClearsSecurityContextHolderStrategy() throws Exception { Authentication authentication = TestAuthentication.authenticatedUser(); SecurityContext expectedContext = new SecurityContextImpl(authentication); - given(this.repository.loadContext(this.requestArg.capture())).willReturn(() -> expectedContext); + given(this.repository.loadDeferredContext(this.requestArg.capture())) + .willReturn(new SupplierDeferredSecurityContext(() -> expectedContext, this.strategy)); FilterChain filterChain = (request, response) -> { }; diff --git a/web/src/test/java/org/springframework/security/web/context/SecurityContextRepositoryTests.java b/web/src/test/java/org/springframework/security/web/context/SecurityContextRepositoryTests.java index b28d61c889..e0027c6440 100644 --- a/web/src/test/java/org/springframework/security/web/context/SecurityContextRepositoryTests.java +++ b/web/src/test/java/org/springframework/security/web/context/SecurityContextRepositoryTests.java @@ -16,13 +16,11 @@ package org.springframework.security.web.context; -import java.util.function.Supplier; - import javax.servlet.http.HttpServletRequest; import org.junit.jupiter.api.Test; -import org.springframework.security.core.context.SecurityContext; +import org.springframework.security.core.context.DeferredSecurityContext; import org.springframework.security.core.context.SecurityContextImpl; import static org.mockito.ArgumentMatchers.any; @@ -42,8 +40,8 @@ class SecurityContextRepositoryTests { @Test void loadContextHttpRequestResponseHolderWhenInvokeSupplierTwiceThenOnlyInvokesLoadContextOnce() { given(this.repository.loadContext(any(HttpRequestResponseHolder.class))).willReturn(new SecurityContextImpl()); - Supplier deferredContext = this.repository.loadContext(mock(HttpServletRequest.class)); - verify(this.repository).loadContext(any(HttpServletRequest.class)); + DeferredSecurityContext deferredContext = this.repository.loadDeferredContext(mock(HttpServletRequest.class)); + verify(this.repository).loadDeferredContext(any(HttpServletRequest.class)); deferredContext.get(); verify(this.repository).loadContext(any(HttpRequestResponseHolder.class)); deferredContext.get();