HttpSessionSecurityContextRepository saves with original response

Previously, the HttpSessionSecurityContextRepository unnecessarily required
the HttpServletResponse from the HttpReqeustResponseHolder passed into
loadContext. This meant code that wanted to save a SecurityContext had to
have a reference to the original HttpRequestResponseHolder. Often that
implied that the code that saves the SecurityContext must also load the
SecurityContext.

This change allows any request / response to be used to save the
SecurityContext which means any code can save the SecurityContext not just
the code that loaded it. This sets up the code to be permit requiring
explicit saves. Using the request/response from the
HttpRequestResponseHolder is only necessary for implicit saves.

Closes gh-10947
This commit is contained in:
Rob Winch
2022-02-18 15:13:49 -06:00
parent bc2bb8cb96
commit 65ec2659c4
3 changed files with 14 additions and 6 deletions

View File

@@ -58,7 +58,6 @@ import org.springframework.security.core.userdetails.UserDetails;
import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
import static org.assertj.core.api.Assertions.assertThatIllegalStateException;
import static org.mockito.ArgumentMatchers.anyBoolean;
import static org.mockito.BDDMockito.given;
import static org.mockito.Mockito.mock;
@@ -581,13 +580,16 @@ public class HttpSessionSecurityContextRepositoryTests {
}
@Test
public void failsWithStandardResponse() {
public void standardResponseWorks() {
HttpSessionSecurityContextRepository repo = new HttpSessionSecurityContextRepository();
MockHttpServletRequest request = new MockHttpServletRequest();
MockHttpServletResponse response = new MockHttpServletResponse();
SecurityContext context = SecurityContextHolder.createEmptyContext();
context.setAuthentication(this.testToken);
assertThatIllegalStateException().isThrownBy(() -> repo.saveContext(context, request, response));
repo.saveContext(context, request, response);
assertThat(request.getSession(false)).isNotNull();
assertThat(request.getSession().getAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY))
.isEqualTo(context);
}
@Test