Add SecurityContextRepository.loadContext(HttpServletRequest)

This allows loading the SecurityContext lazily, without the need for the
response, and does not attempt to automatically save the request when
the response is comitted.

Closes gh-11028
This commit is contained in:
Rob Winch
2022-03-25 13:45:30 -05:00
parent 8940719dbb
commit 67fd46bfa6
7 changed files with 57 additions and 15 deletions

View File

@@ -64,6 +64,7 @@ import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.never;
import static org.mockito.Mockito.reset;
import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.verifyNoInteractions;
/**
* @author Luke Taylor
@@ -142,6 +143,33 @@ public class HttpSessionSecurityContextRepositoryTests {
assertThat(repo.loadContext(holder)).isEqualTo(SecurityContextHolder.createEmptyContext());
}
@Test
public void loadContextHttpServletRequestWhenNotSavedThenEmptyContextReturned() {
HttpSessionSecurityContextRepository repo = new HttpSessionSecurityContextRepository();
MockHttpServletRequest request = new MockHttpServletRequest();
assertThat(repo.loadContext(request).get()).isEqualTo(SecurityContextHolder.createEmptyContext());
}
@Test
public void loadContextHttpServletRequestWhenSavedThenSavedContextReturned() {
SecurityContextImpl expectedContext = new SecurityContextImpl(this.testToken);
MockHttpServletRequest request = new MockHttpServletRequest();
MockHttpServletResponse response = new MockHttpServletResponse();
HttpSessionSecurityContextRepository repo = new HttpSessionSecurityContextRepository();
repo.saveContext(expectedContext, request, response);
assertThat(repo.loadContext(request).get()).isEqualTo(expectedContext);
}
@Test
public void loadContextHttpServletRequestWhenNotAccessedThenHttpSessionNotAccessed() {
HttpSession session = mock(HttpSession.class);
HttpSessionSecurityContextRepository repo = new HttpSessionSecurityContextRepository();
MockHttpServletRequest request = new MockHttpServletRequest();
request.setSession(session);
repo.loadContext(request);
verifyNoInteractions(session);
}
@Test
public void existingContextIsSuccessFullyLoadedFromSessionAndSavedBack() {
HttpSessionSecurityContextRepository repo = new HttpSessionSecurityContextRepository();

View File

@@ -50,11 +50,8 @@ class SecurityContextHolderFilterTests {
@Mock
private HttpServletResponse response;
@Mock
private FilterChain chain;
@Captor
private ArgumentCaptor<HttpRequestResponseHolder> requestResponse;
private ArgumentCaptor<HttpServletRequest> requestArg;
private SecurityContextHolderFilter filter;
@@ -72,7 +69,7 @@ class SecurityContextHolderFilterTests {
void doFilterThenSetsAndClearsSecurityContextHolder() throws Exception {
Authentication authentication = TestAuthentication.authenticatedUser();
SecurityContext expectedContext = new SecurityContextImpl(authentication);
given(this.repository.loadContext(this.requestResponse.capture())).willReturn(expectedContext);
given(this.repository.loadContext(this.requestArg.capture())).willReturn(() -> expectedContext);
FilterChain filterChain = (request, response) -> assertThat(SecurityContextHolder.getContext())
.isEqualTo(expectedContext);