From 933b30297971ce257d7ce8f2b7d18c328b31c040 Mon Sep 17 00:00:00 2001
From: Marcus Da Coregio <marcusdacoregio@gmail.com>
Date: Wed, 12 Jul 2023 14:30:18 -0300
Subject: [PATCH] Fix once-per-request="true" not taking any effect

Closes gh-13491
---
 .../config/http/HttpConfigurationBuilder.java |  4 +--
 .../config/http/MiscHttpConfigTests.java      |  7 ++++
 ...MiscHttpConfigTests-OncePerRequestTrue.xml | 35 +++++++++++++++++++
 3 files changed, 44 insertions(+), 2 deletions(-)
 create mode 100644 config/src/test/resources/org/springframework/security/config/http/MiscHttpConfigTests-OncePerRequestTrue.xml

diff --git a/config/src/main/java/org/springframework/security/config/http/HttpConfigurationBuilder.java b/config/src/main/java/org/springframework/security/config/http/HttpConfigurationBuilder.java
index fdacf36e49..a4c55aeb8c 100644
--- a/config/src/main/java/org/springframework/security/config/http/HttpConfigurationBuilder.java
+++ b/config/src/main/java/org/springframework/security/config/http/HttpConfigurationBuilder.java
@@ -781,8 +781,8 @@ class HttpConfigurationBuilder {
 		BeanDefinitionBuilder builder = BeanDefinitionBuilder.rootBeanDefinition(FilterSecurityInterceptor.class);
 		builder.addPropertyReference("accessDecisionManager", accessManagerId);
 		builder.addPropertyValue("authenticationManager", authManager);
-		if ("false".equals(this.httpElt.getAttribute(ATT_ONCE_PER_REQUEST))) {
-			builder.addPropertyValue("observeOncePerRequest", Boolean.FALSE);
+		if ("true".equals(this.httpElt.getAttribute(ATT_ONCE_PER_REQUEST))) {
+			builder.addPropertyValue("observeOncePerRequest", Boolean.TRUE);
 		}
 		builder.addPropertyValue("securityMetadataSource", securityMds);
 		builder.addPropertyValue("securityContextHolderStrategy", this.holderStrategyRef);
diff --git a/config/src/test/java/org/springframework/security/config/http/MiscHttpConfigTests.java b/config/src/test/java/org/springframework/security/config/http/MiscHttpConfigTests.java
index abe13893c0..955b030417 100644
--- a/config/src/test/java/org/springframework/security/config/http/MiscHttpConfigTests.java
+++ b/config/src/test/java/org/springframework/security/config/http/MiscHttpConfigTests.java
@@ -323,6 +323,13 @@ public class MiscHttpConfigTests {
 		assertThat(filterSecurityInterceptor.isObserveOncePerRequest()).isFalse();
 	}
 
+	@Test
+	public void configureWhenOncePerRequestIsTrueThenFilterSecurityInterceptorObserveOncePerRequestIsTrue() {
+		this.spring.configLocations(xml("OncePerRequestTrue")).autowire();
+		FilterSecurityInterceptor filterSecurityInterceptor = getFilter(FilterSecurityInterceptor.class);
+		assertThat(filterSecurityInterceptor.isObserveOncePerRequest()).isTrue();
+	}
+
 	@Test
 	public void requestWhenCustomHttpBasicEntryPointRefThenInvokesOnCommence() throws Exception {
 		this.spring.configLocations(xml("CustomHttpBasicEntryPointRef")).autowire();
diff --git a/config/src/test/resources/org/springframework/security/config/http/MiscHttpConfigTests-OncePerRequestTrue.xml b/config/src/test/resources/org/springframework/security/config/http/MiscHttpConfigTests-OncePerRequestTrue.xml
new file mode 100644
index 0000000000..47787c9c84
--- /dev/null
+++ b/config/src/test/resources/org/springframework/security/config/http/MiscHttpConfigTests-OncePerRequestTrue.xml
@@ -0,0 +1,35 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ Copyright 2002-2023 the original author or authors.
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~      https://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<b:beans xmlns:b="http://www.springframework.org/schema/beans"
+		xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+		xmlns="http://www.springframework.org/schema/security"
+		xsi:schemaLocation="
+			http://www.springframework.org/schema/security
+			https://www.springframework.org/schema/security/spring-security.xsd
+			http://www.springframework.org/schema/beans
+			https://www.springframework.org/schema/beans/spring-beans.xsd">
+
+	<http once-per-request="true" use-authorization-manager="false">
+		<http-basic/>
+		<intercept-url pattern="/protected" access="authenticated"/>
+		<intercept-url pattern="/unprotected-forwards-to-protected" access="permitAll"/>
+	</http>
+
+	<b:import resource="userservice.xml"/>
+	<b:import resource="handlermappingintrospector.xml"/>
+</b:beans>