HttpSessionSecurityContextRepository saves with original response
Previously, the HttpSessionSecurityContextRepository unnecessarily required the HttpServletResponse from the HttpReqeustResponseHolder passed into loadContext. This meant code that wanted to save a SecurityContext had to have a reference to the original HttpRequestResponseHolder. Often that implied that the code that saves the SecurityContext must also load the SecurityContext. This change allows any request / response to be used to save the SecurityContext which means any code can save the SecurityContext not just the code that loaded it. This sets up the code to be permit requiring explicit saves. Using the request/response from the HttpRequestResponseHolder is only necessary for implicit saves. Closes gh-10947
This commit is contained in:
@@ -58,7 +58,6 @@ import org.springframework.security.core.userdetails.UserDetails;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
|
||||
import static org.assertj.core.api.Assertions.assertThatIllegalStateException;
|
||||
import static org.mockito.ArgumentMatchers.anyBoolean;
|
||||
import static org.mockito.BDDMockito.given;
|
||||
import static org.mockito.Mockito.mock;
|
||||
@@ -581,13 +580,16 @@ public class HttpSessionSecurityContextRepositoryTests {
|
||||
}
|
||||
|
||||
@Test
|
||||
public void failsWithStandardResponse() {
|
||||
public void standardResponseWorks() {
|
||||
HttpSessionSecurityContextRepository repo = new HttpSessionSecurityContextRepository();
|
||||
MockHttpServletRequest request = new MockHttpServletRequest();
|
||||
MockHttpServletResponse response = new MockHttpServletResponse();
|
||||
SecurityContext context = SecurityContextHolder.createEmptyContext();
|
||||
context.setAuthentication(this.testToken);
|
||||
assertThatIllegalStateException().isThrownBy(() -> repo.saveContext(context, request, response));
|
||||
repo.saveContext(context, request, response);
|
||||
assertThat(request.getSession(false)).isNotNull();
|
||||
assertThat(request.getSession().getAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY))
|
||||
.isEqualTo(context);
|
||||
}
|
||||
|
||||
@Test
|
||||
|
||||
Reference in New Issue
Block a user