AnonymousAuthenticationFilter Avoids Eager SecurityContext Access
Previously AnonymousAuthenticationFilter accessed the SecurityContext to determine if anonymous authentication needed setup eagerly. Now this is done lazily to avoid unnecessary access to the SecurityContext which in turn avoids unnecessary HTTP Session access. Closes gh-11457
This commit is contained in:
@@ -17,6 +17,7 @@
|
||||
package org.springframework.security.web.authentication;
|
||||
|
||||
import java.io.IOException;
|
||||
import java.util.function.Supplier;
|
||||
|
||||
import javax.servlet.Filter;
|
||||
import javax.servlet.FilterChain;
|
||||
@@ -34,6 +35,7 @@ import org.springframework.mock.web.MockHttpServletResponse;
|
||||
import org.springframework.security.authentication.TestingAuthenticationToken;
|
||||
import org.springframework.security.core.Authentication;
|
||||
import org.springframework.security.core.authority.AuthorityUtils;
|
||||
import org.springframework.security.core.context.SecurityContext;
|
||||
import org.springframework.security.core.context.SecurityContextHolder;
|
||||
import org.springframework.security.core.context.SecurityContextHolderStrategy;
|
||||
import org.springframework.security.core.context.SecurityContextImpl;
|
||||
@@ -41,7 +43,6 @@ import org.springframework.security.core.context.SecurityContextImpl;
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
|
||||
import static org.assertj.core.api.Assertions.fail;
|
||||
import static org.mockito.ArgumentMatchers.any;
|
||||
import static org.mockito.BDDMockito.given;
|
||||
import static org.mockito.Mockito.mock;
|
||||
import static org.mockito.Mockito.never;
|
||||
@@ -80,19 +81,16 @@ public class AnonymousAuthenticationFilterTests {
|
||||
public void testOperationWhenAuthenticationExistsInContextHolder() throws Exception {
|
||||
// Put an Authentication object into the SecurityContextHolder
|
||||
Authentication originalAuth = new TestingAuthenticationToken("user", "password", "ROLE_A");
|
||||
SecurityContextHolderStrategy strategy = mock(SecurityContextHolderStrategy.class);
|
||||
given(strategy.getContext()).willReturn(new SecurityContextImpl(originalAuth));
|
||||
SecurityContext originalContext = new SecurityContextImpl(originalAuth);
|
||||
SecurityContextHolder.setContext(originalContext);
|
||||
AnonymousAuthenticationFilter filter = new AnonymousAuthenticationFilter("qwerty", "anonymousUsername",
|
||||
AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
|
||||
filter.setSecurityContextHolderStrategy(strategy);
|
||||
// Test
|
||||
MockHttpServletRequest request = new MockHttpServletRequest();
|
||||
request.setRequestURI("x");
|
||||
executeFilterInContainerSimulator(mock(FilterConfig.class), filter, request, new MockHttpServletResponse(),
|
||||
new MockFilterChain(true));
|
||||
// Ensure filter didn't change our original object
|
||||
verify(strategy).getContext();
|
||||
verify(strategy, never()).setContext(any());
|
||||
// Ensure getDeferredContext still
|
||||
assertThat(SecurityContextHolder.getContext()).isEqualTo(originalContext);
|
||||
}
|
||||
|
||||
@Test
|
||||
@@ -111,6 +109,25 @@ public class AnonymousAuthenticationFilterTests {
|
||||
// again
|
||||
}
|
||||
|
||||
@Test
|
||||
public void doFilterDoesNotGetContext() throws Exception {
|
||||
Supplier<SecurityContext> originalSupplier = mock(Supplier.class);
|
||||
Authentication originalAuth = new TestingAuthenticationToken("user", "password", "ROLE_A");
|
||||
SecurityContext originalContext = new SecurityContextImpl(originalAuth);
|
||||
SecurityContextHolderStrategy strategy = mock(SecurityContextHolderStrategy.class);
|
||||
given(strategy.getDeferredContext()).willReturn(originalSupplier);
|
||||
given(strategy.getContext()).willReturn(originalContext);
|
||||
AnonymousAuthenticationFilter filter = new AnonymousAuthenticationFilter("qwerty", "anonymousUsername",
|
||||
AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
|
||||
filter.setSecurityContextHolderStrategy(strategy);
|
||||
filter.afterPropertiesSet();
|
||||
|
||||
executeFilterInContainerSimulator(mock(FilterConfig.class), filter, new MockHttpServletRequest(),
|
||||
new MockHttpServletResponse(), new MockFilterChain(true));
|
||||
verify(strategy, never()).getContext();
|
||||
verify(originalSupplier, never()).get();
|
||||
}
|
||||
|
||||
private class MockFilterChain implements FilterChain {
|
||||
|
||||
private boolean expectToProceed;
|
||||
|
||||
Reference in New Issue
Block a user