diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/SecurityContextConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/SecurityContextConfigurer.java
index e90832fb44..85399d7af8 100644
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/SecurityContextConfigurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/SecurityContextConfigurer.java
@@ -20,6 +20,7 @@ import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.core.context.SecurityContext;
 import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
 import org.springframework.security.web.context.SecurityContextPersistenceFilter;
 import org.springframework.security.web.context.SecurityContextRepository;
@@ -85,6 +86,9 @@ public final class SecurityContextConfigurer> e
 SecurityContextRepository securityContextRepository = http
 .getSharedObject(SecurityContextRepository.class);
+ if(securityContextRepository == null) {
+ securityContextRepository = new HttpSessionSecurityContextRepository();
+ }
 SecurityContextPersistenceFilter securityContextFilter = new SecurityContextPersistenceFilter(
 securityContextRepository);
 SessionManagementConfigurer sessionManagement = http
diff --git a/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/SecurityContextConfigurerTests.groovy b/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/SecurityContextConfigurerTests.groovy
index ac509e5235..476df3c11f 100644
--- a/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/SecurityContextConfigurerTests.groovy
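Review bot: In SecurityContextConfigurer, the fallback `HttpSessionSecurityContextRepository` is held only in a local variable, so when `getSharedObject(SecurityContextRepository.class)` returns null the new instance is never published back to `http`; anything that looks up the shared object afterwards (not visible in this hunk) would still see null or build its own repository. Consider adding `http.setSharedObject(SecurityContextRepository.class, securityContextRepository);` inside the new `if` block so every consumer agrees on where the SecurityContext is stored. The chosen default is session-backed, so a configuration that reaches this branch now keeps authentication state in the HTTP session without having asked for it; a comment such as `// SEC-2932: no shared SecurityContextRepository was configured; default to HTTP-session storage` would make that explicit. As a style point, `if(` should be written `if (`. The enclosing method starts and ends outside the hunk, so how the session-creation policy below interacts with this fallback cannot be confirmed from here.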
+++ b/config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/SecurityContextConfigurerTests.groovy
@@ -24,6 +24,7 @@ import org.springframework.security.config.annotation.web.configuration.EnableWe
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
 import org.springframework.security.web.context.SecurityContextPersistenceFilter
 import org.springframework.security.web.context.SecurityContextRepository
+import org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter
 /**
 *
@@ -67,4 +68,44 @@ class SecurityContextConfigurerTests extends BaseSpringSpec {
 .securityContext()
 }
 }
+
+ def 'SEC-2932: SecurityContextConfigurer defaults SecurityContextRepository'() {
+ setup: 'Configuration without default SecurityContextRepository setup'
+ loadConfig(SecurityContextRepositoryDefaultsSecurityContextRepositoryConfig)
+ when: 'Spring Security invoked'
+ springSecurityFilterChain.doFilter(request,response,chain)
+ then: 'no exception thrown'
+ noExceptionThrown()
+ }
+
+ @Configuration
+ @EnableWebSecurity
+ static class SecurityContextRepositoryDefaultsSecurityContextRepositoryConfig extends WebSecurityConfigurerAdapter {
+ public SecurityContextRepositoryDefaultsSecurityContextRepositoryConfig() {
+ super(true);
+ }
+
+ @Override
+ protected void configure(HttpSecurity http) throws Exception {
+ // @formatter:off
+ http
+ .addFilter(new WebAsyncManagerIntegrationFilter())
+ .anonymous().and()
+ .securityContext().and()
+ .authorizeRequests()
+ .anyRequest().permitAll()
+ .and()
+ .httpBasic();
+ // @formatter:on
+ }
+
+ // @formatter:off
+ @Override
+ protected void configure(AuthenticationManagerBuilder auth) {
+ auth
+ .inMemoryAuthentication()
+ .withUser("user").password("password").roles("USER")
+ }
+ // @formatter:on
+ }
 }
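Review bot: The new SEC-2932 spec asserts only `noExceptionThrown()`, so it would still pass if the fallback were any non-null repository, including one that never persists the context. Because the change decides where authentication state is stored by default, the `then:` block should pin that behaviour, for example by checking that the `SecurityContextPersistenceFilter` in the chain is backed by an `HttpSessionSecurityContextRepository`, or that a context saved on one request is loaded again on the next request with the same session. The fixture also enables `.httpBasic()` and defines an in-memory user that the request never authenticates as; either send credentials so the persistence path is actually exercised, or drop them to keep the configuration minimal.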