diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configuration/WebMvcSecurityConfiguration.java b/config/src/main/java/org/springframework/security/config/annotation/web/configuration/WebMvcSecurityConfiguration.java
index 5bb70d3aeb..511c93efd2 100644
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configuration/WebMvcSecurityConfiguration.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configuration/WebMvcSecurityConfiguration.java
@@ -66,6 +66,7 @@ class WebMvcSecurityConfiguration implements WebMvcConfigurer, ApplicationContex
 .add(new org.springframework.security.web.bind.support.AuthenticationPrincipalArgumentResolver());
 CurrentSecurityContextArgumentResolver currentSecurityContextArgumentResolver = new CurrentSecurityContextArgumentResolver();
 currentSecurityContextArgumentResolver.setBeanResolver(this.beanResolver);
+ currentSecurityContextArgumentResolver.setSecurityContextHolderStrategy(this.securityContextHolderStrategy);
 argumentResolvers.add(currentSecurityContextArgumentResolver);
 argumentResolvers.add(new CsrfTokenArgumentResolver());
 }
diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/AbstractInterceptUrlConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/AbstractInterceptUrlConfigurer.java
index fb0d0e089e..54a0a37e56 100644
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/AbstractInterceptUrlConfigurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/AbstractInterceptUrlConfigurer.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2013 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
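Review bot: The `AuthenticationPrincipalArgumentResolver` in the first context line of the WebMvcSecurityConfiguration hunk is still created inline and added without a strategy, so only the `@CurrentSecurityContext` resolver picks up `this.securityContextHolderStrategy`. With a non-default strategy the two resolvers could then read from different holders, and a controller could see a principal that does not match the security context it is handed. If that resolver exposes the same setter, assign it to a local and call `principalResolver.setSecurityContextHolderStrategy(this.securityContextHolderStrategy);` before adding it. The field's initialisation and the start of the method are outside the hunk, so it is worth confirming the field cannot be null when this runs.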
@@ -144,6 +144,7 @@ public abstract class AbstractInterceptUrlConfigurer>
 this.authenticationFilter = new AnonymousAuthenticationFilter(getKey(), this.principal, this.authorities);
 this.authenticationFilter.setSecurityContextHolderStrategy(getSecurityContextHolderStrategy());
 }
+ this.authenticationFilter.setSecurityContextHolderStrategy(getSecurityContextHolderStrategy());
 this.authenticationProvider = postProcess(this.authenticationProvider);
 http.authenticationProvider(this.authenticationProvider);
 }
diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/LogoutConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/LogoutConfigurer.java
index f862fd3cc6..d517d07a59 100644
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/LogoutConfigurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/LogoutConfigurer.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2019 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
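Review bot: The added `setSecurityContextHolderStrategy(getSecurityContextHolderStrategy())` after the closing brace makes the identical call inside the block above it redundant, so a newly created filter is configured twice. Keep the unconditional call and delete the inner one. The unconditional call also replaces whatever strategy a caller may have set on a pre-supplied `authenticationFilter`; if that is intended, a comment such as `// always align the filter with the configured strategy, including user-supplied filters` would make it explicit. The enclosing method and the condition of the block start outside the hunk.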
@@ -325,12 +325,14 @@ public final class LogoutConfigurer>
 * @return the {@link LogoutFilter} to use.
 */
 private LogoutFilter createLogoutFilter(H http) {
+ this.contextLogoutHandler.setSecurityContextHolderStrategy(getSecurityContextHolderStrategy());
 this.logoutHandlers.add(this.contextLogoutHandler);
 this.logoutHandlers.add(postProcess(new LogoutSuccessEventPublishingLogoutHandler()));
 LogoutHandler[] handlers = this.logoutHandlers.toArray(new LogoutHandler[0]);
 LogoutFilter result = new LogoutFilter(getLogoutSuccessHandler(), handlers);
 result.setSecurityContextHolderStrategy(getSecurityContextHolderStrategy());
 result.setLogoutRequestMatcher(getLogoutRequestMatcher(http));
+ result.setSecurityContextHolderStrategy(getSecurityContextHolderStrategy());
 result = postProcess(result);
 return result;
 }
diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/ServletApiConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/ServletApiConfigurer.java
index 5959d9d08e..63fc715ae8 100644
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/ServletApiConfigurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/ServletApiConfigurer.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
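Review bot: The second added line in `createLogoutFilter` repeats `result.setSecurityContextHolderStrategy(getSecurityContextHolderStrategy());`, which already appears two lines earlier as unchanged context, so the filter's strategy is set twice with the same value; drop the added duplicate. The first added line is the substantive change, but it only covers `this.contextLogoutHandler`. Any other handler already present in `this.logoutHandlers` keeps whatever strategy it was built with, so a custom handler that clears the context may act on a different holder; the method's Javadoc could say so in one sentence.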
@@ -98,6 +98,7 @@ public final class ServletApiConfigurer>
 .getBean(grantedAuthorityDefaultsBeanNames[0], GrantedAuthorityDefaults.class);
 this.securityContextRequestFilter.setRolePrefix(grantedAuthorityDefaults.getRolePrefix());
 }
+ this.securityContextRequestFilter.setSecurityContextHolderStrategy(getSecurityContextHolderStrategy());
 }
 this.securityContextRequestFilter = postProcess(this.securityContextRequestFilter);
 http.addFilter(this.securityContextRequestFilter);
diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/LogoutConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/LogoutConfigurerTests.java
index 1433e0ec1b..ee673b2798 100644
--- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/LogoutConfigurerTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/LogoutConfigurerTests.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2019 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
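Review bot: The strategy is applied inside the outer block that closes on the line after the added call, so it only takes effect when that block's condition holds; the condition itself is outside the hunk. If the block is skipped, `securityContextRequestFilter` presumably keeps its default holder and diverges from the rest of the filter chain. Unless `getSecurityContextHolderStrategy()` itself depends on that condition, moving the call below the closing brace, directly before `postProcess(this.securityContextRequestFilter)`, would make it unconditional.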
@@ -25,12 +25,14 @@ import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Bean;
 import org.springframework.http.MediaType;
 import org.springframework.security.config.annotation.ObjectPostProcessor;
+import org.springframework.security.config.annotation.SecurityContextChangedListenerConfig;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
 import org.springframework.security.config.test.SpringTestContext;
 import org.springframework.security.config.test.SpringTestContextExtension;
+import org.springframework.security.core.context.SecurityContextHolderStrategy;
 import org.springframework.security.web.authentication.RememberMeServices;
 import org.springframework.security.web.authentication.logout.LogoutFilter;
 import org.springframework.security.web.authentication.logout.LogoutSuccessHandler;
@@ -40,6 +42,7 @@ import org.springframework.test.web.servlet.request.MockHttpServletRequestBuilde
 import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
 import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.Mockito.atLeastOnce;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.spy;
 import static org.mockito.Mockito.verify;
@@ -241,6 +244,22 @@ public class LogoutConfigurerTests {
 // @formatter:on
 }
+ @Test
+ public void logoutWhenCustomSecurityContextHolderStrategyThenUses() throws Exception {
+ this.spring.register(BasicSecurityConfig.class, SecurityContextChangedListenerConfig.class).autowire();
+ // @formatter:off
+ MockHttpServletRequestBuilder logoutRequest = post("/logout")
+ .with(csrf())
+ .with(user("user"))
+ .header(HttpHeaders.ACCEPT, MediaType.TEXT_HTML_VALUE);
+ this.mvc.perform(logoutRequest)
+ .andExpect(status().isFound())
+ .andExpect(redirectedUrl("/login?logout"));
+ // @formatter:on
+ SecurityContextHolderStrategy strategy = this.spring.getContext().getBean(SecurityContextHolderStrategy.class);
+ verify(strategy, atLeastOnce()).getContext();
+ }
+
 // gh-3282
 @Test
 public void logoutWhenAcceptApplicationJsonThenReturnsStatusNoContent() throws Exception {
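Review bot: The final assertion `verify(strategy, atLeastOnce()).getContext();` is loose for what the test name promises, because any component in the chain that reads the context through the strategy bean satisfies it. It would likely still pass if the logout handler and `LogoutFilter` were left on the default holder, so it does not pin the wiring added in `createLogoutFilter`. Either assert on an interaction that only the logout path produces, or state the limitation with a comment such as `// getContext() is also called by other filters; this only proves the bean is wired into the chain`.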