From 3c66ef630543132281b7c8986ad73ff7cab64c96 Mon Sep 17 00:00:00 2001 From: Steve Riesenberg Date: Wed, 21 Sep 2022 11:21:19 -0500 Subject: [PATCH] Change default SecurityContextRepository Save SecurityContext in request attributes for stateless session management using RequestAttributeSecurityContextRepository. Closes gh-11026 --- .../SessionManagementConfigurer.java | 4 +- .../config/http/HttpConfigurationBuilder.java | 4 +- .../SessionManagementConfigurerTests.java | 51 ++++++++++++++++++- .../BearerTokenAuthenticationFilter.java | 4 +- .../BearerTokenAuthenticationFilterTests.java | 7 ++- ...bstractAuthenticationProcessingFilter.java | 4 +- .../authentication/AuthenticationFilter.java | 4 +- ...tractPreAuthenticatedProcessingFilter.java | 4 +- .../RememberMeAuthenticationFilter.java | 4 +- .../www/BasicAuthenticationFilter.java | 4 +- .../www/DigestAuthenticationFilter.java | 4 +- ...ctAuthenticationProcessingFilterTests.java | 9 ++++ .../AuthenticationFilterTests.java | 7 +++ ...PreAuthenticatedProcessingFilterTests.java | 3 ++ .../RememberMeAuthenticationFilterTests.java | 5 ++ .../www/BasicAuthenticationFilterTests.java | 3 ++ .../www/DigestAuthenticationFilterTests.java | 7 +++ 17 files changed, 108 insertions(+), 20 deletions(-) diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurer.java index b1e008694f..952136c1c6 100644 --- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurer.java +++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurer.java 
@@ -47,7 +47,7 @@ import org.springframework.security.web.authentication.session.RegisterSessionAu import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy; import org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy; import org.springframework.security.web.context.HttpSessionSecurityContextRepository; -import org.springframework.security.web.context.NullSecurityContextRepository; +import org.springframework.security.web.context.RequestAttributeSecurityContextRepository; import org.springframework.security.web.context.SecurityContextRepository; import org.springframework.security.web.savedrequest.NullRequestCache; import org.springframework.security.web.savedrequest.RequestCache; @@ -341,7 +341,7 @@ public final class SessionManagementConfigurer> boolean stateless = isStateless(); if (securityContextRepository == null) { if (stateless) { - http.setSharedObject(SecurityContextRepository.class, new NullSecurityContextRepository()); + http.setSharedObject(SecurityContextRepository.class, new RequestAttributeSecurityContextRepository()); } else { HttpSessionSecurityContextRepository httpSecurityRepository = new HttpSessionSecurityContextRepository(); diff --git a/config/src/main/java/org/springframework/security/config/http/HttpConfigurationBuilder.java b/config/src/main/java/org/springframework/security/config/http/HttpConfigurationBuilder.java index f4236e3989..c38c4c43eb 100644 --- a/config/src/main/java/org/springframework/security/config/http/HttpConfigurationBuilder.java +++ b/config/src/main/java/org/springframework/security/config/http/HttpConfigurationBuilder.java 
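Review bot: The stateless branch now stores the SecurityContext on the ServletRequest, which turns that request attribute into an in-process authentication carrier: whatever the attribute holds when the security filter chain runs (for example after a forward or include of an already-authenticated request, or if an earlier filter sets it) will presumably be loaded as the current context, whereas NullSecurityContextRepository never loaded anything. Request attributes are not client-controllable, so this is a trust assumption on co-deployed code rather than a client-facing hole, but it is a behavioural change for applications that chose STATELESS to mean "never persisted", and nothing in the patch documents it. I would annotate the new line: `// STATELESS: keep the context on the request only, never in the HttpSession; it is shared with forwards/includes of the same request` and mirror the same remark in the XML-namespace branch of HttpConfigurationBuilder, which makes the identical change. The enclosing method starts and ends outside the hunk.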
@@ -61,7 +61,7 @@ import org.springframework.security.web.authentication.session.ConcurrentSession import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy; import org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy; import org.springframework.security.web.context.HttpSessionSecurityContextRepository; -import org.springframework.security.web.context.NullSecurityContextRepository; +import org.springframework.security.web.context.RequestAttributeSecurityContextRepository; import org.springframework.security.web.context.SecurityContextHolderFilter; import org.springframework.security.web.context.SecurityContextPersistenceFilter; import org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter; @@ -365,7 +365,7 @@ class HttpConfigurationBuilder { if (!StringUtils.hasText(repoRef)) { BeanDefinitionBuilder contextRepo; if (this.sessionPolicy == SessionCreationPolicy.STATELESS) { - contextRepo = BeanDefinitionBuilder.rootBeanDefinition(NullSecurityContextRepository.class); + contextRepo = BeanDefinitionBuilder.rootBeanDefinition(RequestAttributeSecurityContextRepository.class); } else { contextRepo = BeanDefinitionBuilder.rootBeanDefinition(HttpSessionSecurityContextRepository.class); diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurerTests.java index dbbb1fbfa0..b700c45317 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurerTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurerTests.java 
@@ -1,5 +1,5 @@ /* - * Copyright 2002-2019 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -43,6 +43,7 @@ import org.springframework.security.web.authentication.session.ChangeSessionIdAu import org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy; import org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy; import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy; +import org.springframework.security.web.context.RequestAttributeSecurityContextRepository; import org.springframework.security.web.context.SecurityContextRepository; import org.springframework.security.web.savedrequest.RequestCache; import org.springframework.security.web.session.ConcurrentSessionFilter; @@ -340,6 +341,22 @@ public class SessionManagementConfigurerTests { this.mvc.perform(get("/")).andExpect(content().string("encoded")); } + @Test + public void loginWhenSessionCreationPolicyStatelessThenSecurityContextIsAvailableInRequestAttributes() + throws Exception { + this.spring.register(HttpBasicSessionCreationPolicyStatelessConfig.class).autowire(); + // @formatter:off + MvcResult mvcResult = this.mvc.perform(get("/").with(httpBasic("user", "password"))) + .andExpect(status().isOk()) + .andReturn(); + // @formatter:on + HttpSession session = mvcResult.getRequest().getSession(false); + assertThat(session).isNull(); + SecurityContext securityContext = (SecurityContext) mvcResult.getRequest() + .getAttribute(RequestAttributeSecurityContextRepository.DEFAULT_REQUEST_ATTR_NAME); + assertThat(securityContext).isNotNull(); + } + @Configuration @EnableWebSecurity static class SessionManagementRequestCacheConfig extends WebSecurityConfigurerAdapter { 
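Review bot: The new test only checks that the request attribute is non-null, so it would still pass if the repository stored an empty or foreign SecurityContext; it should pin the principal as well, e.g. `assertThat(securityContext.getAuthentication().getName()).isEqualTo("user");` after the existing `isNotNull()`. The same `isNotNull()`-only assertion is added in BearerTokenAuthenticationFilterTests, AbstractAuthenticationProcessingFilterTests, AuthenticationFilterTests, AbstractPreAuthenticatedProcessingFilterTests, RememberMeAuthenticationFilterTests, BasicAuthenticationFilterTests and DigestAuthenticationFilterTests; there, comparing the stored context's authentication with `SecurityContextHolder.getContext().getAuthentication()` would show the repository saved the same result the filter published. The `session` null check is the right counterpart and already proves no HttpSession was created.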
@@ -659,6 +676,38 @@ public class SessionManagementConfigurerTests { } + @Configuration + @EnableWebSecurity + static class HttpBasicSessionCreationPolicyStatelessConfig extends WebSecurityConfigurerAdapter { + + @Override + protected void configure(HttpSecurity http) throws Exception { + // @formatter:off + http + .sessionManagement((sessionManagement) -> + sessionManagement + .sessionCreationPolicy(SessionCreationPolicy.STATELESS) + ) + .httpBasic(withDefaults()); + // @formatter:on + } + + @Override + protected void configure(AuthenticationManagerBuilder auth) throws Exception { + // @formatter:off + auth + .inMemoryAuthentication() + .withUser(PasswordEncodedUser.user()); + // @formatter:on + } + + @Bean + EncodesUrls encodesUrls() { + return new EncodesUrls(); + } + + } + @RestController static class EncodesUrls { diff --git a/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/authentication/BearerTokenAuthenticationFilter.java b/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/authentication/BearerTokenAuthenticationFilter.java index eb18a98fd9..b0c5d21baf 100644 --- a/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/authentication/BearerTokenAuthenticationFilter.java +++ b/oauth2/oauth2-resource-server/src/main/java/org/springframework/security/oauth2/server/resource/web/authentication/BearerTokenAuthenticationFilter.java 
@@ -41,7 +41,7 @@ import org.springframework.security.oauth2.server.resource.web.DefaultBearerToke import org.springframework.security.web.AuthenticationEntryPoint; import org.springframework.security.web.authentication.AuthenticationFailureHandler; import org.springframework.security.web.authentication.WebAuthenticationDetailsSource; -import org.springframework.security.web.context.NullSecurityContextRepository; +import org.springframework.security.web.context.RequestAttributeSecurityContextRepository; import org.springframework.security.web.context.SecurityContextRepository; import org.springframework.util.Assert; import org.springframework.web.filter.OncePerRequestFilter; @@ -80,7 +80,7 @@ public final class BearerTokenAuthenticationFilter extends OncePerRequestFilter private AuthenticationDetailsSource authenticationDetailsSource = new WebAuthenticationDetailsSource(); - private SecurityContextRepository securityContextRepository = new NullSecurityContextRepository(); + private SecurityContextRepository securityContextRepository = new RequestAttributeSecurityContextRepository(); /** * Construct a {@code BearerTokenAuthenticationFilter} using the provided parameter(s) diff --git a/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/web/authentication/BearerTokenAuthenticationFilterTests.java b/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/web/authentication/BearerTokenAuthenticationFilterTests.java index 21234969e7..938cc31b03 100644 --- a/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/web/authentication/BearerTokenAuthenticationFilterTests.java +++ b/oauth2/oauth2-resource-server/src/test/java/org/springframework/security/oauth2/server/resource/web/authentication/BearerTokenAuthenticationFilterTests.java 
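Review bot: The field default changes from a repository that never saves to one that writes the SecurityContext into a request attribute, but the patch touches no Javadoc; if the `setSecurityContextRepository` documentation (outside the hunk) still describes the default as not saving the context, it is now wrong and should be updated in the same commit. I would also add a comment on the field: `// default: keep the context for the current request only (request attribute), not the HttpSession`. The same undocumented default change appears in AbstractAuthenticationProcessingFilter, AuthenticationFilter, AbstractPreAuthenticatedProcessingFilter, RememberMeAuthenticationFilter, BasicAuthenticationFilter and DigestAuthenticationFilter. The enclosing class continues outside the hunk.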
@@ -1,5 +1,5 @@ /* - * Copyright 2002-2021 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -44,6 +44,7 @@ import org.springframework.security.oauth2.server.resource.authentication.Bearer import org.springframework.security.oauth2.server.resource.web.BearerTokenResolver; import org.springframework.security.web.AuthenticationEntryPoint; import org.springframework.security.web.authentication.AuthenticationFailureHandler; +import org.springframework.security.web.context.RequestAttributeSecurityContextRepository; import org.springframework.security.web.context.SecurityContextRepository; import static org.assertj.core.api.Assertions.assertThat; @@ -105,6 +106,8 @@ public class BearerTokenAuthenticationFilterTests { .forClass(BearerTokenAuthenticationToken.class); verify(this.authenticationManager).authenticate(captor.capture()); assertThat(captor.getValue().getPrincipal()).isEqualTo("token"); + assertThat(this.request.getAttribute(RequestAttributeSecurityContextRepository.DEFAULT_REQUEST_ATTR_NAME)) + .isNotNull(); } @Test @@ -138,6 +141,8 @@ public class BearerTokenAuthenticationFilterTests { .forClass(BearerTokenAuthenticationToken.class); verify(this.authenticationManager).authenticate(captor.capture()); assertThat(captor.getValue().getPrincipal()).isEqualTo("token"); + assertThat(this.request.getAttribute(RequestAttributeSecurityContextRepository.DEFAULT_REQUEST_ATTR_NAME)) + .isNotNull(); } @Test diff --git a/web/src/main/java/org/springframework/security/web/authentication/AbstractAuthenticationProcessingFilter.java b/web/src/main/java/org/springframework/security/web/authentication/AbstractAuthenticationProcessingFilter.java index df7d7bec51..83137284c6 100644 --- a/web/src/main/java/org/springframework/security/web/authentication/AbstractAuthenticationProcessingFilter.java 
+++ b/web/src/main/java/org/springframework/security/web/authentication/AbstractAuthenticationProcessingFilter.java @@ -43,7 +43,7 @@ import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.core.context.SecurityContextHolderStrategy; import org.springframework.security.web.authentication.session.NullAuthenticatedSessionStrategy; import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy; -import org.springframework.security.web.context.NullSecurityContextRepository; +import org.springframework.security.web.context.RequestAttributeSecurityContextRepository; import org.springframework.security.web.context.SecurityContextRepository; import org.springframework.security.web.util.matcher.AntPathRequestMatcher; import org.springframework.security.web.util.matcher.RequestMatcher; @@ -140,7 +140,7 @@ public abstract class AbstractAuthenticationProcessingFilter extends GenericFilt private AuthenticationFailureHandler failureHandler = new SimpleUrlAuthenticationFailureHandler(); - private SecurityContextRepository securityContextRepository = new NullSecurityContextRepository(); + private SecurityContextRepository securityContextRepository = new RequestAttributeSecurityContextRepository(); /** * @param defaultFilterProcessesUrl the default value for filterProcessesUrl. diff --git a/web/src/main/java/org/springframework/security/web/authentication/AuthenticationFilter.java b/web/src/main/java/org/springframework/security/web/authentication/AuthenticationFilter.java index 6e683368ee..2b372f6a26 100644 --- a/web/src/main/java/org/springframework/security/web/authentication/AuthenticationFilter.java +++ b/web/src/main/java/org/springframework/security/web/authentication/AuthenticationFilter.java 
@@ -33,7 +33,7 @@ import org.springframework.security.core.AuthenticationException; import org.springframework.security.core.context.SecurityContext; import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.core.context.SecurityContextHolderStrategy; -import org.springframework.security.web.context.NullSecurityContextRepository; +import org.springframework.security.web.context.RequestAttributeSecurityContextRepository; import org.springframework.security.web.context.SecurityContextRepository; import org.springframework.security.web.util.matcher.AnyRequestMatcher; import org.springframework.security.web.util.matcher.RequestMatcher; @@ -80,7 +80,7 @@ public class AuthenticationFilter extends OncePerRequestFilter { private AuthenticationFailureHandler failureHandler = new AuthenticationEntryPointFailureHandler( new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED)); - private SecurityContextRepository securityContextRepository = new NullSecurityContextRepository(); + private SecurityContextRepository securityContextRepository = new RequestAttributeSecurityContextRepository(); private AuthenticationManagerResolver authenticationManagerResolver; diff --git a/web/src/main/java/org/springframework/security/web/authentication/preauth/AbstractPreAuthenticatedProcessingFilter.java b/web/src/main/java/org/springframework/security/web/authentication/preauth/AbstractPreAuthenticatedProcessingFilter.java index 3166677c1c..8f15f70422 100755 --- a/web/src/main/java/org/springframework/security/web/authentication/preauth/AbstractPreAuthenticatedProcessingFilter.java +++ b/web/src/main/java/org/springframework/security/web/authentication/preauth/AbstractPreAuthenticatedProcessingFilter.java 
@@ -41,7 +41,7 @@ import org.springframework.security.web.WebAttributes; import org.springframework.security.web.authentication.AuthenticationFailureHandler; import org.springframework.security.web.authentication.AuthenticationSuccessHandler; import org.springframework.security.web.authentication.WebAuthenticationDetailsSource; -import org.springframework.security.web.context.NullSecurityContextRepository; +import org.springframework.security.web.context.RequestAttributeSecurityContextRepository; import org.springframework.security.web.context.SecurityContextRepository; import org.springframework.security.web.util.matcher.RequestMatcher; import org.springframework.util.Assert; @@ -110,7 +110,7 @@ public abstract class AbstractPreAuthenticatedProcessingFilter extends GenericFi private RequestMatcher requiresAuthenticationRequestMatcher = new PreAuthenticatedProcessingRequestMatcher(); - private SecurityContextRepository securityContextRepository = new NullSecurityContextRepository(); + private SecurityContextRepository securityContextRepository = new RequestAttributeSecurityContextRepository(); /** * Check whether all required properties have been set. diff --git a/web/src/main/java/org/springframework/security/web/authentication/rememberme/RememberMeAuthenticationFilter.java b/web/src/main/java/org/springframework/security/web/authentication/rememberme/RememberMeAuthenticationFilter.java index 292ddb8bf6..b74f7a4445 100644 --- a/web/src/main/java/org/springframework/security/web/authentication/rememberme/RememberMeAuthenticationFilter.java +++ b/web/src/main/java/org/springframework/security/web/authentication/rememberme/RememberMeAuthenticationFilter.java 
@@ -37,7 +37,7 @@ import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.core.context.SecurityContextHolderStrategy; import org.springframework.security.web.authentication.AuthenticationSuccessHandler; import org.springframework.security.web.authentication.RememberMeServices; -import org.springframework.security.web.context.NullSecurityContextRepository; +import org.springframework.security.web.context.RequestAttributeSecurityContextRepository; import org.springframework.security.web.context.SecurityContextRepository; import org.springframework.util.Assert; import org.springframework.web.filter.GenericFilterBean; @@ -79,7 +79,7 @@ public class RememberMeAuthenticationFilter extends GenericFilterBean implements private RememberMeServices rememberMeServices; - private SecurityContextRepository securityContextRepository = new NullSecurityContextRepository(); + private SecurityContextRepository securityContextRepository = new RequestAttributeSecurityContextRepository(); public RememberMeAuthenticationFilter(AuthenticationManager authenticationManager, RememberMeServices rememberMeServices) { diff --git a/web/src/main/java/org/springframework/security/web/authentication/www/BasicAuthenticationFilter.java b/web/src/main/java/org/springframework/security/web/authentication/www/BasicAuthenticationFilter.java index b65e723caf..432fd23494 100644 --- a/web/src/main/java/org/springframework/security/web/authentication/www/BasicAuthenticationFilter.java +++ b/web/src/main/java/org/springframework/security/web/authentication/www/BasicAuthenticationFilter.java 
@@ -37,7 +37,7 @@ import org.springframework.security.core.context.SecurityContextHolderStrategy; import org.springframework.security.web.AuthenticationEntryPoint; import org.springframework.security.web.authentication.NullRememberMeServices; import org.springframework.security.web.authentication.RememberMeServices; -import org.springframework.security.web.context.NullSecurityContextRepository; +import org.springframework.security.web.context.RequestAttributeSecurityContextRepository; import org.springframework.security.web.context.SecurityContextRepository; import org.springframework.util.Assert; import org.springframework.web.filter.OncePerRequestFilter; @@ -109,7 +109,7 @@ public class BasicAuthenticationFilter extends OncePerRequestFilter { private BasicAuthenticationConverter authenticationConverter = new BasicAuthenticationConverter(); - private SecurityContextRepository securityContextRepository = new NullSecurityContextRepository(); + private SecurityContextRepository securityContextRepository = new RequestAttributeSecurityContextRepository(); /** * Creates an instance which will authenticate against the supplied diff --git a/web/src/main/java/org/springframework/security/web/authentication/www/DigestAuthenticationFilter.java b/web/src/main/java/org/springframework/security/web/authentication/www/DigestAuthenticationFilter.java index 2fb2e50f3f..73067a88dc 100644 --- a/web/src/main/java/org/springframework/security/web/authentication/www/DigestAuthenticationFilter.java +++ b/web/src/main/java/org/springframework/security/web/authentication/www/DigestAuthenticationFilter.java 
@@ -49,7 +49,7 @@ import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.core.userdetails.UsernameNotFoundException; import org.springframework.security.core.userdetails.cache.NullUserCache; import org.springframework.security.web.authentication.WebAuthenticationDetailsSource; -import org.springframework.security.web.context.NullSecurityContextRepository; +import org.springframework.security.web.context.RequestAttributeSecurityContextRepository; import org.springframework.security.web.context.SecurityContextRepository; import org.springframework.util.Assert; import org.springframework.util.StringUtils; @@ -111,7 +111,7 @@ public class DigestAuthenticationFilter extends GenericFilterBean implements Mes private boolean createAuthenticatedToken = false; - private SecurityContextRepository securityContextRepository = new NullSecurityContextRepository(); + private SecurityContextRepository securityContextRepository = new RequestAttributeSecurityContextRepository(); @Override public void afterPropertiesSet() { diff --git a/web/src/test/java/org/springframework/security/web/authentication/AbstractAuthenticationProcessingFilterTests.java b/web/src/test/java/org/springframework/security/web/authentication/AbstractAuthenticationProcessingFilterTests.java index 18a6266b22..b3419794be 100644 --- a/web/src/test/java/org/springframework/security/web/authentication/AbstractAuthenticationProcessingFilterTests.java +++ b/web/src/test/java/org/springframework/security/web/authentication/AbstractAuthenticationProcessingFilterTests.java 
@@ -44,6 +44,7 @@ import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.web.authentication.rememberme.AbstractRememberMeServicesTests; import org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices; import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy; +import org.springframework.security.web.context.RequestAttributeSecurityContextRepository; import org.springframework.security.web.context.SecurityContextRepository; import org.springframework.security.web.firewall.DefaultHttpFirewall; import org.springframework.security.web.util.matcher.AntPathRequestMatcher; @@ -188,6 +189,8 @@ public class AbstractAuthenticationProcessingFilterTests { assertThat(response.getRedirectedUrl()).isEqualTo("/mycontext/logged_in.jsp"); assertThat(SecurityContextHolder.getContext().getAuthentication()).isNotNull(); assertThat(SecurityContextHolder.getContext().getAuthentication().getPrincipal().toString()).isEqualTo("test"); + assertThat(request.getAttribute(RequestAttributeSecurityContextRepository.DEFAULT_REQUEST_ATTR_NAME)) + .isNotNull(); // Should still have the same session assertThat(request.getSession()).isEqualTo(sessionPreAuth); } @@ -215,6 +218,8 @@ public class AbstractAuthenticationProcessingFilterTests { assertThat(response.getRedirectedUrl()).isEqualTo("/mycontext/logged_in.jsp"); assertThat(SecurityContextHolder.getContext().getAuthentication()).isNotNull(); assertThat(SecurityContextHolder.getContext().getAuthentication().getPrincipal().toString()).isEqualTo("test"); + assertThat(request.getAttribute(RequestAttributeSecurityContextRepository.DEFAULT_REQUEST_ATTR_NAME)) + .isNotNull(); // Should still have the same session assertThat(request.getSession()).isEqualTo(sessionPreAuth); } 
@@ -244,6 +249,8 @@ public class AbstractAuthenticationProcessingFilterTests { assertThat(response.getRedirectedUrl()).isEqualTo("/mycontext/logged_in.jsp"); assertThat(SecurityContextHolder.getContext().getAuthentication()).isNotNull(); assertThat(SecurityContextHolder.getContext().getAuthentication().getPrincipal().toString()).isEqualTo("test"); + assertThat(request.getAttribute(RequestAttributeSecurityContextRepository.DEFAULT_REQUEST_ATTR_NAME)) + .isNotNull(); // Should still have the same session assertThat(request.getSession()).isEqualTo(sessionPreAuth); } @@ -323,6 +330,8 @@ public class AbstractAuthenticationProcessingFilterTests { verify(successHandler).onAuthenticationSuccess(any(HttpServletRequest.class), any(HttpServletResponse.class), any(Authentication.class)); assertThat(SecurityContextHolder.getContext().getAuthentication()).isNotNull(); + assertThat(request.getAttribute(RequestAttributeSecurityContextRepository.DEFAULT_REQUEST_ATTR_NAME)) + .isNotNull(); } @Test diff --git a/web/src/test/java/org/springframework/security/web/authentication/AuthenticationFilterTests.java b/web/src/test/java/org/springframework/security/web/authentication/AuthenticationFilterTests.java index be1628aae2..4af1e1309a 100644 --- a/web/src/test/java/org/springframework/security/web/authentication/AuthenticationFilterTests.java +++ b/web/src/test/java/org/springframework/security/web/authentication/AuthenticationFilterTests.java @@ -42,6 +42,7 @@ import org.springframework.security.core.context.SecurityContext; import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.core.context.SecurityContextHolderStrategy; import org.springframework.security.core.context.SecurityContextImpl; +import org.springframework.security.web.context.RequestAttributeSecurityContextRepository; import org.springframework.security.web.context.SecurityContextRepository; import org.springframework.security.web.util.matcher.RequestMatcher; 
@@ -128,6 +129,8 @@ public class AuthenticationFilterTests { verify(this.authenticationManager).authenticate(any(Authentication.class)); verify(chain).doFilter(any(ServletRequest.class), any(ServletResponse.class)); assertThat(SecurityContextHolder.getContext().getAuthentication()).isNotNull(); + assertThat(request.getAttribute(RequestAttributeSecurityContextRepository.DEFAULT_REQUEST_ATTR_NAME)) + .isNotNull(); } @Test @@ -165,6 +168,8 @@ public class AuthenticationFilterTests { verify(this.authenticationManager).authenticate(any(Authentication.class)); verify(chain).doFilter(any(ServletRequest.class), any(ServletResponse.class)); assertThat(SecurityContextHolder.getContext().getAuthentication()).isNotNull(); + assertThat(request.getAttribute(RequestAttributeSecurityContextRepository.DEFAULT_REQUEST_ATTR_NAME)) + .isNotNull(); } @Test @@ -228,6 +233,8 @@ public class AuthenticationFilterTests { verify(this.successHandler).onAuthenticationSuccess(any(), any(), any(), eq(authentication)); verifyNoMoreInteractions(this.failureHandler); assertThat(SecurityContextHolder.getContext().getAuthentication()).isNotNull(); + assertThat(request.getAttribute(RequestAttributeSecurityContextRepository.DEFAULT_REQUEST_ATTR_NAME)) + .isNotNull(); } @Test diff --git a/web/src/test/java/org/springframework/security/web/authentication/preauth/AbstractPreAuthenticatedProcessingFilterTests.java b/web/src/test/java/org/springframework/security/web/authentication/preauth/AbstractPreAuthenticatedProcessingFilterTests.java index 4b5482db84..d594e3aba4 100644 --- a/web/src/test/java/org/springframework/security/web/authentication/preauth/AbstractPreAuthenticatedProcessingFilterTests.java +++ b/web/src/test/java/org/springframework/security/web/authentication/preauth/AbstractPreAuthenticatedProcessingFilterTests.java 
@@ -40,6 +40,7 @@ import org.springframework.security.core.userdetails.User; import org.springframework.security.web.WebAttributes; import org.springframework.security.web.authentication.ForwardAuthenticationFailureHandler; import org.springframework.security.web.authentication.ForwardAuthenticationSuccessHandler; +import org.springframework.security.web.context.RequestAttributeSecurityContextRepository; import org.springframework.security.web.context.SecurityContextRepository; import org.springframework.security.web.util.matcher.AntPathRequestMatcher; @@ -211,6 +212,8 @@ public class AbstractPreAuthenticatedProcessingFilterTests { filter.doFilter(request, response, chain); verify(am).authenticate(any(PreAuthenticatedAuthenticationToken.class)); assertThat(response.getForwardedUrl()).isEqualTo("/forwardUrl"); + assertThat(request.getAttribute(RequestAttributeSecurityContextRepository.DEFAULT_REQUEST_ATTR_NAME)) + .isNotNull(); } @Test diff --git a/web/src/test/java/org/springframework/security/web/authentication/rememberme/RememberMeAuthenticationFilterTests.java b/web/src/test/java/org/springframework/security/web/authentication/rememberme/RememberMeAuthenticationFilterTests.java index 664e2e1849..1ce3d57139 100644 --- a/web/src/test/java/org/springframework/security/web/authentication/rememberme/RememberMeAuthenticationFilterTests.java +++ b/web/src/test/java/org/springframework/security/web/authentication/rememberme/RememberMeAuthenticationFilterTests.java 
@@ -35,6 +35,7 @@ import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.web.authentication.NullRememberMeServices; import org.springframework.security.web.authentication.RememberMeServices; import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler; +import org.springframework.security.web.context.RequestAttributeSecurityContextRepository; import org.springframework.security.web.context.SecurityContextRepository; import static org.assertj.core.api.Assertions.assertThat; @@ -109,6 +110,8 @@ public class RememberMeAuthenticationFilterTests { filter.doFilter(request, new MockHttpServletResponse(), fc); // Ensure filter setup with our remembered authentication object assertThat(SecurityContextHolder.getContext().getAuthentication()).isSameAs(this.remembered); + assertThat(request.getAttribute(RequestAttributeSecurityContextRepository.DEFAULT_REQUEST_ATTR_NAME)) + .isNotNull(); verify(fc).doFilter(any(HttpServletRequest.class), any(HttpServletResponse.class)); } @@ -149,6 +152,8 @@ public class RememberMeAuthenticationFilterTests { request.setRequestURI("x"); filter.doFilter(request, response, fc); assertThat(response.getRedirectedUrl()).isEqualTo("/target"); + assertThat(request.getAttribute(RequestAttributeSecurityContextRepository.DEFAULT_REQUEST_ATTR_NAME)) + .isNotNull(); // Should return after success handler is invoked, so chain should not proceed verifyNoMoreInteractions(fc); } diff --git a/web/src/test/java/org/springframework/security/web/authentication/www/BasicAuthenticationFilterTests.java b/web/src/test/java/org/springframework/security/web/authentication/www/BasicAuthenticationFilterTests.java index 0315dae9f0..f901438a15 100644 --- a/web/src/test/java/org/springframework/security/web/authentication/www/BasicAuthenticationFilterTests.java +++ b/web/src/test/java/org/springframework/security/web/authentication/www/BasicAuthenticationFilterTests.java 
@@ -41,6 +41,7 @@ import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.core.context.SecurityContextHolderStrategy; import org.springframework.security.test.web.CodecTestUtils; import org.springframework.security.web.authentication.WebAuthenticationDetails; +import org.springframework.security.web.context.RequestAttributeSecurityContextRepository; import org.springframework.security.web.context.SecurityContextRepository; import org.springframework.web.util.WebUtils; @@ -342,6 +343,8 @@ public class BasicAuthenticationFilterTests { verify(chain).doFilter(any(ServletRequest.class), any(ServletResponse.class)); assertThat(SecurityContextHolder.getContext().getAuthentication().getName()).isEqualTo("rod"); assertThat(SecurityContextHolder.getContext().getAuthentication().getCredentials()).isEqualTo("äöü"); + assertThat(request.getAttribute(RequestAttributeSecurityContextRepository.DEFAULT_REQUEST_ATTR_NAME)) + .isNotNull(); } @Test diff --git a/web/src/test/java/org/springframework/security/web/authentication/www/DigestAuthenticationFilterTests.java b/web/src/test/java/org/springframework/security/web/authentication/www/DigestAuthenticationFilterTests.java index 3e2c2e4068..cc14ce9132 100644 --- a/web/src/test/java/org/springframework/security/web/authentication/www/DigestAuthenticationFilterTests.java +++ b/web/src/test/java/org/springframework/security/web/authentication/www/DigestAuthenticationFilterTests.java @@ -41,6 +41,7 @@ import org.springframework.security.core.userdetails.UserDetails; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.core.userdetails.cache.NullUserCache; import org.springframework.security.test.web.CodecTestUtils; +import org.springframework.security.web.context.RequestAttributeSecurityContextRepository; import org.springframework.security.web.context.SecurityContextRepository; import org.springframework.util.StringUtils; 
@@ -258,6 +259,8 @@ public class DigestAuthenticationFilterTests { assertThat(SecurityContextHolder.getContext().getAuthentication()).isNotNull(); assertThat(((UserDetails) SecurityContextHolder.getContext().getAuthentication().getPrincipal()).getUsername()) .isEqualTo(USERNAME); + assertThat(this.request.getAttribute(RequestAttributeSecurityContextRepository.DEFAULT_REQUEST_ATTR_NAME)) + .isNotNull(); } @Test @@ -271,6 +274,8 @@ public class DigestAuthenticationFilterTests { assertThat(((UserDetails) SecurityContextHolder.getContext().getAuthentication().getPrincipal()).getUsername()) .isEqualTo(USERNAME); assertThat(SecurityContextHolder.getContext().getAuthentication().isAuthenticated()).isFalse(); + assertThat(this.request.getAttribute(RequestAttributeSecurityContextRepository.DEFAULT_REQUEST_ATTR_NAME)) + .isNotNull(); } @Test @@ -287,6 +292,8 @@ public class DigestAuthenticationFilterTests { assertThat(SecurityContextHolder.getContext().getAuthentication().isAuthenticated()).isTrue(); assertThat(SecurityContextHolder.getContext().getAuthentication().getAuthorities()) .isEqualTo(AuthorityUtils.createAuthorityList("ROLE_ONE", "ROLE_TWO")); + assertThat(this.request.getAttribute(RequestAttributeSecurityContextRepository.DEFAULT_REQUEST_ATTR_NAME)) + .isNotNull(); } @Test
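Review bot: The assertion added in the `@@ -271` hunk pins that the filter stores a token whose `isAuthenticated()` is false into the request attribute, so readers of that attribute cannot treat its presence as proof of authentication; this mirrors what SecurityContextHolder already held, but the test should state it explicitly. I would add above the new assertion: `// the token is persisted for the request even when not marked authenticated; authorization must rely on isAuthenticated()`. This appears tied to the filter's `createAuthenticatedToken` flag visible in the DigestAuthenticationFilter hunk, though the test setup is outside this hunk.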