diff --git a/config/src/test/java/org/springframework/security/config/http/MiscHttpConfigTests.java b/config/src/test/java/org/springframework/security/config/http/MiscHttpConfigTests.java index 7d87147e3d..b1981ad820 100644 --- a/config/src/test/java/org/springframework/security/config/http/MiscHttpConfigTests.java +++ b/config/src/test/java/org/springframework/security/config/http/MiscHttpConfigTests.java @@ -75,6 +75,7 @@ import org.springframework.security.core.AuthenticationException; import org.springframework.security.core.GrantedAuthority; import org.springframework.security.core.annotation.AuthenticationPrincipal; import org.springframework.security.core.authority.AuthorityUtils; +import org.springframework.security.core.context.DeferredSecurityContext; import org.springframework.security.core.context.SecurityContext; import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.core.context.SecurityContextHolderStrategy; @@ -487,7 +488,8 @@ public class MiscHttpConfigTests { this.spring.configLocations(xml("ExplicitSaveAndExplicitRepository")).autowire(); SecurityContextRepository repository = this.spring.getContext().getBean(SecurityContextRepository.class); SecurityContext context = new SecurityContextImpl(new TestingAuthenticationToken("user", "password")); - given(repository.loadContext(any(HttpServletRequest.class))).willReturn(() -> context); + given(repository.loadDeferredContext(any(HttpServletRequest.class))) + .willReturn(new TestDeferredSecurityContext(context, false)); // @formatter:off MvcResult result = this.mvc.perform(formLogin()) .andExpect(status().is3xxRedirection()) @@ -1037,4 +1039,27 @@ public class MiscHttpConfigTests { } + static class TestDeferredSecurityContext implements DeferredSecurityContext { + + private SecurityContext securityContext; + + private boolean isGenerated; + + TestDeferredSecurityContext(SecurityContext securityContext, boolean isGenerated) { + this.securityContext = securityContext; + this.isGenerated = isGenerated; + } + + @Override + public SecurityContext get() { + return this.securityContext; + } + + @Override + public boolean isGenerated() { + return this.isGenerated; + } + + } + } diff --git a/core/src/main/java/org/springframework/security/core/context/DeferredSecurityContext.java b/core/src/main/java/org/springframework/security/core/context/DeferredSecurityContext.java new file mode 100644 index 0000000000..7dd22cc36c --- /dev/null +++ b/core/src/main/java/org/springframework/security/core/context/DeferredSecurityContext.java @@ -0,0 +1,38 @@ +/* + * Copyright 2002-2022 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.core.context; + +import java.util.function.Supplier; + +/** + * An interface that allows delayed access to a {@link SecurityContext} that may be + * generated. + * + * @author Steve Riesenberg + * @since 5.8 + */ +public interface DeferredSecurityContext extends Supplier { + + /** + * Returns true if {@link #get()} refers to a generated {@link SecurityContext} or + * false if it already existed. + * @return true if {@link #get()} refers to a generated {@link SecurityContext} or + * false if it already existed + */ + boolean isGenerated(); + +} diff --git a/web/src/main/java/org/springframework/security/web/context/DelegatingSecurityContextRepository.java b/web/src/main/java/org/springframework/security/web/context/DelegatingSecurityContextRepository.java new file mode 100644 index 0000000000..9761eeb81f --- /dev/null +++ b/web/src/main/java/org/springframework/security/web/context/DelegatingSecurityContextRepository.java @@ -0,0 +1,111 @@ +/* + * Copyright 2002-2022 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.web.context; + +import java.util.Arrays; +import java.util.List; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; + +import org.springframework.security.core.context.DeferredSecurityContext; +import org.springframework.security.core.context.SecurityContext; +import org.springframework.util.Assert; + +/** + * @author Steve Riesenberg + * @author Josh Cummings + * @since 5.8 + */ +public final class DelegatingSecurityContextRepository implements SecurityContextRepository { + + private final List delegates; + + public DelegatingSecurityContextRepository(SecurityContextRepository... delegates) { + this(Arrays.asList(delegates)); + } + + public DelegatingSecurityContextRepository(List delegates) { + Assert.notEmpty(delegates, "delegates cannot be empty"); + this.delegates = delegates; + } + + @Override + public SecurityContext loadContext(HttpRequestResponseHolder requestResponseHolder) { + return loadContext(requestResponseHolder.getRequest()).get(); + } + + @Override + public DeferredSecurityContext loadDeferredContext(HttpServletRequest request) { + DeferredSecurityContext deferredSecurityContext = null; + for (SecurityContextRepository delegate : this.delegates) { + if (deferredSecurityContext == null) { + deferredSecurityContext = delegate.loadDeferredContext(request); + } + else { + DeferredSecurityContext next = delegate.loadDeferredContext(request); + deferredSecurityContext = new DelegatingDeferredSecurityContext(deferredSecurityContext, next); + } + } + return deferredSecurityContext; + } + + @Override + public void saveContext(SecurityContext context, HttpServletRequest request, HttpServletResponse response) { + for (SecurityContextRepository delegate : this.delegates) { + delegate.saveContext(context, request, response); + } + } + + @Override + public boolean containsContext(HttpServletRequest request) { + for (SecurityContextRepository delegate : this.delegates) { + if (delegate.containsContext(request)) { + return true; + } + } + return false; + } + + static final class DelegatingDeferredSecurityContext implements DeferredSecurityContext { + + private final DeferredSecurityContext previous; + + private final DeferredSecurityContext next; + + DelegatingDeferredSecurityContext(DeferredSecurityContext previous, DeferredSecurityContext next) { + this.previous = previous; + this.next = next; + } + + @Override + public SecurityContext get() { + SecurityContext securityContext = this.previous.get(); + if (!this.previous.isGenerated()) { + return securityContext; + } + return this.next.get(); + } + + @Override + public boolean isGenerated() { + return this.previous.isGenerated() && this.next.isGenerated(); + } + + } + +} diff --git a/web/src/main/java/org/springframework/security/web/context/HttpRequestResponseHolder.java b/web/src/main/java/org/springframework/security/web/context/HttpRequestResponseHolder.java index ee8d6ee70c..389d333c82 100644 --- a/web/src/main/java/org/springframework/security/web/context/HttpRequestResponseHolder.java +++ b/web/src/main/java/org/springframework/security/web/context/HttpRequestResponseHolder.java @@ -27,7 +27,8 @@ import jakarta.servlet.http.HttpServletResponse; * * @author Luke Taylor * @since 3.0 - * @deprecated Use {@link SecurityContextRepository#loadContext(HttpServletRequest)} + * @deprecated Use + * {@link SecurityContextRepository#loadDeferredContext(HttpServletRequest)} */ @Deprecated public final class HttpRequestResponseHolder { diff --git a/web/src/main/java/org/springframework/security/web/context/HttpSessionSecurityContextRepository.java b/web/src/main/java/org/springframework/security/web/context/HttpSessionSecurityContextRepository.java index 09801d9e9f..b674d8afb8 100644 --- a/web/src/main/java/org/springframework/security/web/context/HttpSessionSecurityContextRepository.java +++ b/web/src/main/java/org/springframework/security/web/context/HttpSessionSecurityContextRepository.java @@ -16,6 +16,8 @@ package org.springframework.security.web.context; +import java.util.function.Supplier; + import jakarta.servlet.AsyncContext; import jakarta.servlet.ServletRequest; import jakarta.servlet.ServletResponse; @@ -32,6 +34,7 @@ import org.springframework.security.authentication.AuthenticationTrustResolver; import org.springframework.security.authentication.AuthenticationTrustResolverImpl; import org.springframework.security.core.Authentication; import org.springframework.security.core.Transient; +import org.springframework.security.core.context.DeferredSecurityContext; import org.springframework.security.core.context.SecurityContext; import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.core.context.SecurityContextHolderStrategy; @@ -135,6 +138,12 @@ public class HttpSessionSecurityContextRepository implements SecurityContextRepo return context; } + @Override + public DeferredSecurityContext loadDeferredContext(HttpServletRequest request) { + Supplier supplier = () -> readSecurityContextFromSession(request.getSession(false)); + return new SupplierDeferredSecurityContext(supplier, this.securityContextHolderStrategy); + } + @Override public void saveContext(SecurityContext context, HttpServletRequest request, HttpServletResponse response) { SaveContextOnUpdateOrErrorResponseWrapper responseWrapper = WebUtils.getNativeResponse(response, diff --git a/web/src/main/java/org/springframework/security/web/context/RequestAttributeSecurityContextRepository.java b/web/src/main/java/org/springframework/security/web/context/RequestAttributeSecurityContextRepository.java index 1e27e0afa7..5076284d28 100644 --- a/web/src/main/java/org/springframework/security/web/context/RequestAttributeSecurityContextRepository.java +++ b/web/src/main/java/org/springframework/security/web/context/RequestAttributeSecurityContextRepository.java @@ -21,6 +21,7 @@ import java.util.function.Supplier; import jakarta.servlet.http.HttpServletRequest; import jakarta.servlet.http.HttpServletResponse; +import org.springframework.security.core.context.DeferredSecurityContext; import org.springframework.security.core.context.SecurityContext; import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.security.core.context.SecurityContextHolderStrategy; @@ -76,17 +77,13 @@ public final class RequestAttributeSecurityContextRepository implements Security @Override public SecurityContext loadContext(HttpRequestResponseHolder requestResponseHolder) { - return getContextOrEmpty(requestResponseHolder.getRequest()); + return loadDeferredContext(requestResponseHolder.getRequest()).get(); } @Override - public Supplier loadContext(HttpServletRequest request) { - return () -> getContextOrEmpty(request); - } - - private SecurityContext getContextOrEmpty(HttpServletRequest request) { - SecurityContext context = getContext(request); - return (context != null) ? context : this.securityContextHolderStrategy.createEmptyContext(); + public DeferredSecurityContext loadDeferredContext(HttpServletRequest request) { + Supplier supplier = () -> getContext(request); + return new SupplierDeferredSecurityContext(supplier, this.securityContextHolderStrategy); } private SecurityContext getContext(HttpServletRequest request) { diff --git a/web/src/main/java/org/springframework/security/web/context/SaveContextOnUpdateOrErrorResponseWrapper.java b/web/src/main/java/org/springframework/security/web/context/SaveContextOnUpdateOrErrorResponseWrapper.java index 214ea694f4..58711f9893 100644 --- a/web/src/main/java/org/springframework/security/web/context/SaveContextOnUpdateOrErrorResponseWrapper.java +++ b/web/src/main/java/org/springframework/security/web/context/SaveContextOnUpdateOrErrorResponseWrapper.java @@ -42,8 +42,8 @@ import org.springframework.util.Assert; * @author Marten Algesten * @author Rob Winch * @since 3.0 - * @deprecated Use {@link SecurityContextRepository#loadContext(HttpServletRequest)} - * instead. + * @deprecated Use + * {@link SecurityContextRepository#loadDeferredContext(HttpServletRequest)} instead. */ @Deprecated public abstract class SaveContextOnUpdateOrErrorResponseWrapper extends OnCommittedResponseWrapper { diff --git a/web/src/main/java/org/springframework/security/web/context/SecurityContextHolderFilter.java b/web/src/main/java/org/springframework/security/web/context/SecurityContextHolderFilter.java index 25e94644c8..ec704c22c6 100644 --- a/web/src/main/java/org/springframework/security/web/context/SecurityContextHolderFilter.java +++ b/web/src/main/java/org/springframework/security/web/context/SecurityContextHolderFilter.java @@ -63,7 +63,7 @@ public class SecurityContextHolderFilter extends OncePerRequestFilter { @Override protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException { - Supplier deferredContext = this.securityContextRepository.loadContext(request); + Supplier deferredContext = this.securityContextRepository.loadDeferredContext(request); try { this.securityContextHolderStrategy.setDeferredContext(deferredContext); filterChain.doFilter(request, response); diff --git a/web/src/main/java/org/springframework/security/web/context/SecurityContextRepository.java b/web/src/main/java/org/springframework/security/web/context/SecurityContextRepository.java index f459dc420f..7a8497e8ed 100644 --- a/web/src/main/java/org/springframework/security/web/context/SecurityContextRepository.java +++ b/web/src/main/java/org/springframework/security/web/context/SecurityContextRepository.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2016 the original author or authors. + * Copyright 2002-2022 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -21,7 +21,9 @@ import java.util.function.Supplier; import jakarta.servlet.http.HttpServletRequest; import jakarta.servlet.http.HttpServletResponse; +import org.springframework.security.core.context.DeferredSecurityContext; import org.springframework.security.core.context.SecurityContext; +import org.springframework.security.core.context.SecurityContextHolder; import org.springframework.util.function.SingletonSupplier; /** @@ -61,7 +63,7 @@ public interface SecurityContextRepository { * the context should be loaded. * @return The security context which should be used for the current request, never * null. - * @deprecated Use {@link #loadContext(HttpServletRequest)} instead. + * @deprecated Use {@link #loadDeferredContext(HttpServletRequest)} instead. */ @Deprecated SecurityContext loadContext(HttpRequestResponseHolder requestResponseHolder); @@ -75,9 +77,27 @@ public interface SecurityContextRepository { * @return a {@link Supplier} that returns the {@link SecurityContext} which cannot be * null. * @since 5.7 + * @deprecated Use + * {@link SecurityContextRepository#loadDeferredContext(HttpServletRequest)} instead */ + @Deprecated default Supplier loadContext(HttpServletRequest request) { - return SingletonSupplier.of(() -> loadContext(new HttpRequestResponseHolder(request, null))); + return loadDeferredContext(request); + } + + /** + * Defers loading the {@link SecurityContext} using the {@link HttpServletRequest} + * until it is needed by the application. + * @param request the {@link HttpServletRequest} to load the {@link SecurityContext} + * from + * @return a {@link DeferredSecurityContext} that returns the {@link SecurityContext} + * which cannot be null + * @since 5.8 + */ + default DeferredSecurityContext loadDeferredContext(HttpServletRequest request) { + Supplier supplier = () -> loadContext(new HttpRequestResponseHolder(request, null)); + return new SupplierDeferredSecurityContext(SingletonSupplier.of(supplier), + SecurityContextHolder.getContextHolderStrategy()); } /** diff --git a/web/src/main/java/org/springframework/security/web/context/SupplierDeferredSecurityContext.java b/web/src/main/java/org/springframework/security/web/context/SupplierDeferredSecurityContext.java new file mode 100644 index 0000000000..a65ed6ef0c --- /dev/null +++ b/web/src/main/java/org/springframework/security/web/context/SupplierDeferredSecurityContext.java @@ -0,0 +1,77 @@ +/* + * Copyright 2002-2022 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.web.context; + +import java.util.function.Supplier; + +import org.apache.commons.logging.Log; +import org.apache.commons.logging.LogFactory; + +import org.springframework.core.log.LogMessage; +import org.springframework.security.core.context.DeferredSecurityContext; +import org.springframework.security.core.context.SecurityContext; +import org.springframework.security.core.context.SecurityContextHolderStrategy; + +/** + * @author Steve Riesenberg + * @since 5.8 + */ +final class SupplierDeferredSecurityContext implements DeferredSecurityContext { + + private static final Log logger = LogFactory.getLog(SupplierDeferredSecurityContext.class); + + private final Supplier supplier; + + private final SecurityContextHolderStrategy strategy; + + private SecurityContext securityContext; + + private boolean missingContext; + + SupplierDeferredSecurityContext(Supplier supplier, SecurityContextHolderStrategy strategy) { + this.supplier = supplier; + this.strategy = strategy; + } + + @Override + public SecurityContext get() { + init(); + return this.securityContext; + } + + @Override + public boolean isGenerated() { + init(); + return this.missingContext; + } + + private void init() { + if (this.securityContext != null) { + return; + } + + this.securityContext = this.supplier.get(); + this.missingContext = (this.securityContext == null); + if (this.missingContext) { + this.securityContext = this.strategy.createEmptyContext(); + if (logger.isTraceEnabled()) { + logger.trace(LogMessage.format("Created %s", this.securityContext)); + } + } + } + +} diff --git a/web/src/test/java/org/springframework/security/web/context/DelegatingSecurityContextRepositoryTests.java b/web/src/test/java/org/springframework/security/web/context/DelegatingSecurityContextRepositoryTests.java new file mode 100644 index 0000000000..ae3220e6bf --- /dev/null +++ b/web/src/test/java/org/springframework/security/web/context/DelegatingSecurityContextRepositoryTests.java @@ -0,0 +1,144 @@ +/* + * Copyright 2002-2022 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.springframework.security.web.context; + +import java.util.ArrayList; +import java.util.List; + +import org.junit.jupiter.api.BeforeEach; +import org.junit.jupiter.api.Test; +import org.junit.jupiter.params.ParameterizedTest; +import org.junit.jupiter.params.provider.CsvSource; + +import org.springframework.mock.web.MockHttpServletRequest; +import org.springframework.mock.web.MockHttpServletResponse; +import org.springframework.security.authentication.TestingAuthenticationToken; +import org.springframework.security.core.context.DeferredSecurityContext; +import org.springframework.security.core.context.SecurityContext; +import org.springframework.security.core.context.SecurityContextHolderStrategy; +import org.springframework.security.core.context.SecurityContextImpl; + +import static org.assertj.core.api.Assertions.assertThat; +import static org.mockito.BDDMockito.given; +import static org.mockito.Mockito.mock; +import static org.mockito.Mockito.verify; +import static org.mockito.Mockito.verifyNoInteractions; +import static org.mockito.Mockito.verifyNoMoreInteractions; + +/** + * Tests for {@link DelegatingSecurityContextRepository}. + * + * @author Steve Riesenberg + * @since 5.8 + */ +public class DelegatingSecurityContextRepositoryTests { + + private MockHttpServletRequest request; + + private MockHttpServletResponse response; + + private SecurityContextHolderStrategy strategy; + + private SecurityContext securityContext; + + @BeforeEach + public void setUp() { + this.request = new MockHttpServletRequest(); + this.response = new MockHttpServletResponse(); + this.strategy = mock(SecurityContextHolderStrategy.class); + this.securityContext = mock(SecurityContext.class); + } + + @ParameterizedTest + @CsvSource({ "0,false", "1,false", "2,false", "-1,true" }) + public void loadDeferredContextWhenIsGeneratedThenReturnsSecurityContext(int expectedIndex, boolean isGenerated) { + SecurityContext actualSecurityContext = new SecurityContextImpl( + new TestingAuthenticationToken("user", "password")); + SecurityContext emptySecurityContext = new SecurityContextImpl(); + given(this.strategy.createEmptyContext()).willReturn(emptySecurityContext); + List delegates = new ArrayList<>(); + for (int i = 0; i < 3; i++) { + SecurityContext context = (i == expectedIndex) ? actualSecurityContext : null; + SecurityContextRepository repository = mock(SecurityContextRepository.class); + SupplierDeferredSecurityContext supplier = new SupplierDeferredSecurityContext(() -> context, + this.strategy); + given(repository.loadDeferredContext(this.request)).willReturn(supplier); + delegates.add(repository); + } + + DelegatingSecurityContextRepository repository = new DelegatingSecurityContextRepository(delegates); + DeferredSecurityContext deferredSecurityContext = repository.loadDeferredContext(this.request); + SecurityContext expectedSecurityContext = (isGenerated) ? emptySecurityContext : actualSecurityContext; + assertThat(deferredSecurityContext.get()).isEqualTo(expectedSecurityContext); + assertThat(deferredSecurityContext.isGenerated()).isEqualTo(isGenerated); + + for (SecurityContextRepository delegate : delegates) { + verify(delegate).loadDeferredContext(this.request); + verifyNoMoreInteractions(delegate); + } + } + + @Test + public void saveContextAlwaysCallsDelegates() { + List delegates = new ArrayList<>(); + for (int i = 0; i < 3; i++) { + SecurityContextRepository repository = mock(SecurityContextRepository.class); + delegates.add(repository); + } + + DelegatingSecurityContextRepository repository = new DelegatingSecurityContextRepository(delegates); + repository.saveContext(this.securityContext, this.request, this.response); + for (SecurityContextRepository delegate : delegates) { + verify(delegate).saveContext(this.securityContext, this.request, this.response); + verifyNoMoreInteractions(delegate); + } + } + + @Test + public void containsContextWhenAllDelegatesReturnFalseThenReturnsFalse() { + List delegates = new ArrayList<>(); + for (int i = 0; i < 3; i++) { + SecurityContextRepository repository = mock(SecurityContextRepository.class); + given(repository.containsContext(this.request)).willReturn(false); + delegates.add(repository); + } + + DelegatingSecurityContextRepository repository = new DelegatingSecurityContextRepository(delegates); + assertThat(repository.containsContext(this.request)).isFalse(); + for (SecurityContextRepository delegate : delegates) { + verify(delegate).containsContext(this.request); + verifyNoMoreInteractions(delegate); + } + } + + @Test + public void containsContextWhenFirstDelegatesReturnTrueThenReturnsTrue() { + List delegates = new ArrayList<>(); + for (int i = 0; i < 3; i++) { + SecurityContextRepository repository = mock(SecurityContextRepository.class); + given(repository.containsContext(this.request)).willReturn(true); + delegates.add(repository); + } + + DelegatingSecurityContextRepository repository = new DelegatingSecurityContextRepository(delegates); + assertThat(repository.containsContext(this.request)).isTrue(); + verify(delegates.get(0)).containsContext(this.request); + verifyNoInteractions(delegates.get(1)); + verifyNoInteractions(delegates.get(2)); + } + +} diff --git a/web/src/test/java/org/springframework/security/web/context/SecurityContextHolderFilterTests.java b/web/src/test/java/org/springframework/security/web/context/SecurityContextHolderFilterTests.java index 4e75f589eb..26261899ab 100644 --- a/web/src/test/java/org/springframework/security/web/context/SecurityContextHolderFilterTests.java +++ b/web/src/test/java/org/springframework/security/web/context/SecurityContextHolderFilterTests.java @@ -75,7 +75,8 @@ class SecurityContextHolderFilterTests { void doFilterThenSetsAndClearsSecurityContextHolder() throws Exception { Authentication authentication = TestAuthentication.authenticatedUser(); SecurityContext expectedContext = new SecurityContextImpl(authentication); - given(this.repository.loadContext(this.requestArg.capture())).willReturn(() -> expectedContext); + given(this.repository.loadDeferredContext(this.requestArg.capture())) + .willReturn(new SupplierDeferredSecurityContext(() -> expectedContext, this.strategy)); FilterChain filterChain = (request, response) -> assertThat(SecurityContextHolder.getContext()) .isEqualTo(expectedContext); @@ -88,7 +89,8 @@ class SecurityContextHolderFilterTests { void doFilterThenSetsAndClearsSecurityContextHolderStrategy() throws Exception { Authentication authentication = TestAuthentication.authenticatedUser(); SecurityContext expectedContext = new SecurityContextImpl(authentication); - given(this.repository.loadContext(this.requestArg.capture())).willReturn(() -> expectedContext); + given(this.repository.loadDeferredContext(this.requestArg.capture())) + .willReturn(new SupplierDeferredSecurityContext(() -> expectedContext, this.strategy)); FilterChain filterChain = (request, response) -> { }; diff --git a/web/src/test/java/org/springframework/security/web/context/SecurityContextRepositoryTests.java b/web/src/test/java/org/springframework/security/web/context/SecurityContextRepositoryTests.java index e1e570355f..1459305d00 100644 --- a/web/src/test/java/org/springframework/security/web/context/SecurityContextRepositoryTests.java +++ b/web/src/test/java/org/springframework/security/web/context/SecurityContextRepositoryTests.java @@ -16,12 +16,10 @@ package org.springframework.security.web.context; -import java.util.function.Supplier; - import jakarta.servlet.http.HttpServletRequest; import org.junit.jupiter.api.Test; -import org.springframework.security.core.context.SecurityContext; +import org.springframework.security.core.context.DeferredSecurityContext; import org.springframework.security.core.context.SecurityContextImpl; import static org.mockito.ArgumentMatchers.any; @@ -41,8 +39,8 @@ class SecurityContextRepositoryTests { @Test void loadContextHttpRequestResponseHolderWhenInvokeSupplierTwiceThenOnlyInvokesLoadContextOnce() { given(this.repository.loadContext(any(HttpRequestResponseHolder.class))).willReturn(new SecurityContextImpl()); - Supplier deferredContext = this.repository.loadContext(mock(HttpServletRequest.class)); - verify(this.repository).loadContext(any(HttpServletRequest.class)); + DeferredSecurityContext deferredContext = this.repository.loadDeferredContext(mock(HttpServletRequest.class)); + verify(this.repository).loadDeferredContext(any(HttpServletRequest.class)); deferredContext.get(); verify(this.repository).loadContext(any(HttpRequestResponseHolder.class)); deferredContext.get();