RequestAttributeSecurityContextRepository never null SecurityContext

Previously loadContext(HttpServletRequest) could return a Supplier that
returned a null SecurityContext

This commit ensures that null is never returned by the Supplier by
returning SecurityContextHolder.createEmptyContext() instead.

Closes gh-11606
This commit is contained in:
Rob Winch
2022-08-08 13:52:12 -05:00
parent 99f768bab9
commit 269c711a64
2 changed files with 27 additions and 4 deletions

View File

@@ -16,6 +16,8 @@
package org.springframework.security.web.context;
import java.util.function.Supplier;
import org.junit.jupiter.api.Test;
import org.springframework.mock.web.MockHttpServletRequest;
@@ -67,4 +69,17 @@ class RequestAttributeSecurityContextRepositoryTests {
assertThat(this.repository.containsContext(this.request)).isTrue();
}
@Test
void loadDeferredContextWhenNotPresentThenEmptyContext() {
Supplier<SecurityContext> deferredContext = this.repository.loadContext(this.request);
assertThat(deferredContext.get()).isEqualTo(SecurityContextHolder.createEmptyContext());
}
@Test
void loadContextWhenNotPresentThenEmptyContext() {
SecurityContext context = this.repository
.loadContext(new HttpRequestResponseHolder(this.request, this.response));
assertThat(context).isEqualTo(SecurityContextHolder.createEmptyContext());
}
}