From 269c711a6409c8f4125f261dd047321f94b58255 Mon Sep 17 00:00:00 2001 From: Rob Winch Date: Mon, 8 Aug 2022 13:52:12 -0500 Subject: [PATCH] RequestAttributeSecurityContextRepository never null SecurityContext Previously loadContext(HttpServletRequest) could return a Supplier that returned a null SecurityContext This commit ensures that null is never returned by the Supplier by returning SecurityContextHolder.createEmptyContext() instead. Closes gh-11606 --- ...equestAttributeSecurityContextRepository.java | 16 ++++++++++++---- ...tAttributeSecurityContextRepositoryTests.java | 15 +++++++++++++++ 2 files changed, 27 insertions(+), 4 deletions(-) diff --git a/web/src/main/java/org/springframework/security/web/context/RequestAttributeSecurityContextRepository.java b/web/src/main/java/org/springframework/security/web/context/RequestAttributeSecurityContextRepository.java index d72045dfaf..102450203d 100644 --- a/web/src/main/java/org/springframework/security/web/context/RequestAttributeSecurityContextRepository.java +++ b/web/src/main/java/org/springframework/security/web/context/RequestAttributeSecurityContextRepository.java @@ -66,18 +66,26 @@ public final class RequestAttributeSecurityContextRepository implements Security @Override public boolean containsContext(HttpServletRequest request) { - return loadContext(request).get() != null; + return getContext(request) != null; } @Override public SecurityContext loadContext(HttpRequestResponseHolder requestResponseHolder) { - SecurityContext context = loadContext(requestResponseHolder.getRequest()).get(); - return (context != null) ? context : SecurityContextHolder.createEmptyContext(); + return getContextOrEmpty(requestResponseHolder.getRequest()); } @Override public Supplier loadContext(HttpServletRequest request) { - return () -> (SecurityContext) request.getAttribute(this.requestAttributeName); + return () -> getContextOrEmpty(request); + } + + private SecurityContext getContextOrEmpty(HttpServletRequest request) { + SecurityContext context = getContext(request); + return (context != null) ? context : SecurityContextHolder.createEmptyContext(); + } + + private SecurityContext getContext(HttpServletRequest request) { + return (SecurityContext) request.getAttribute(this.requestAttributeName); } @Override diff --git a/web/src/test/java/org/springframework/security/web/context/RequestAttributeSecurityContextRepositoryTests.java b/web/src/test/java/org/springframework/security/web/context/RequestAttributeSecurityContextRepositoryTests.java index 5fc4d4afb7..93390cf836 100644 --- a/web/src/test/java/org/springframework/security/web/context/RequestAttributeSecurityContextRepositoryTests.java +++ b/web/src/test/java/org/springframework/security/web/context/RequestAttributeSecurityContextRepositoryTests.java @@ -16,6 +16,8 @@ package org.springframework.security.web.context; +import java.util.function.Supplier; + import org.junit.jupiter.api.Test; import org.springframework.mock.web.MockHttpServletRequest; @@ -67,4 +69,17 @@ class RequestAttributeSecurityContextRepositoryTests { assertThat(this.repository.containsContext(this.request)).isTrue(); } + @Test + void loadDeferredContextWhenNotPresentThenEmptyContext() { + Supplier deferredContext = this.repository.loadContext(this.request); + assertThat(deferredContext.get()).isEqualTo(SecurityContextHolder.createEmptyContext()); + } + + @Test + void loadContextWhenNotPresentThenEmptyContext() { + SecurityContext context = this.repository + .loadContext(new HttpRequestResponseHolder(this.request, this.response)); + assertThat(context).isEqualTo(SecurityContextHolder.createEmptyContext()); + } + }