Add Support for @Transient SecurityContext

Closes gh-9995
This commit is contained in:
Rob Winch
2022-02-02 17:04:44 -06:00
parent f465403a99
commit 70fa8b1fdb
3 changed files with 112 additions and 4 deletions

View File

@@ -43,13 +43,16 @@ import org.springframework.mock.web.MockHttpSession;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.authentication.TestAuthentication;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.Transient;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.context.SecurityContextImpl;
import org.springframework.security.core.context.TransientSecurityContext;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
@@ -587,6 +590,68 @@ public class HttpSessionSecurityContextRepositoryTests {
assertThatIllegalStateException().isThrownBy(() -> repo.saveContext(context, request, response));
}
@Test
public void saveContextWhenTransientSecurityContextThenSkipped() {
HttpSessionSecurityContextRepository repo = new HttpSessionSecurityContextRepository();
MockHttpServletRequest request = new MockHttpServletRequest();
MockHttpServletResponse response = new MockHttpServletResponse();
HttpRequestResponseHolder holder = new HttpRequestResponseHolder(request, response);
SecurityContext context = repo.loadContext(holder);
SecurityContext transientSecurityContext = new TransientSecurityContext();
Authentication authentication = TestAuthentication.authenticatedUser();
transientSecurityContext.setAuthentication(authentication);
repo.saveContext(transientSecurityContext, holder.getRequest(), holder.getResponse());
MockHttpSession session = (MockHttpSession) request.getSession(false);
assertThat(session).isNull();
}
@Test
public void saveContextWhenTransientSecurityContextSubclassThenSkipped() {
HttpSessionSecurityContextRepository repo = new HttpSessionSecurityContextRepository();
MockHttpServletRequest request = new MockHttpServletRequest();
MockHttpServletResponse response = new MockHttpServletResponse();
HttpRequestResponseHolder holder = new HttpRequestResponseHolder(request, response);
SecurityContext context = repo.loadContext(holder);
SecurityContext transientSecurityContext = new TransientSecurityContext() {
};
Authentication authentication = TestAuthentication.authenticatedUser();
transientSecurityContext.setAuthentication(authentication);
repo.saveContext(transientSecurityContext, holder.getRequest(), holder.getResponse());
MockHttpSession session = (MockHttpSession) request.getSession(false);
assertThat(session).isNull();
}
@Test
public void saveContextWhenTransientSecurityContextAndSessionExistsThenSkipped() {
HttpSessionSecurityContextRepository repo = new HttpSessionSecurityContextRepository();
MockHttpServletRequest request = new MockHttpServletRequest();
request.getSession(); // ensure the session exists
MockHttpServletResponse response = new MockHttpServletResponse();
HttpRequestResponseHolder holder = new HttpRequestResponseHolder(request, response);
SecurityContext context = repo.loadContext(holder);
SecurityContext transientSecurityContext = new TransientSecurityContext();
Authentication authentication = TestAuthentication.authenticatedUser();
transientSecurityContext.setAuthentication(authentication);
repo.saveContext(transientSecurityContext, holder.getRequest(), holder.getResponse());
MockHttpSession session = (MockHttpSession) request.getSession(false);
assertThat(Collections.list(session.getAttributeNames())).isEmpty();
}
@Test
public void saveContextWhenTransientSecurityContextWithCustomAnnotationThenSkipped() {
HttpSessionSecurityContextRepository repo = new HttpSessionSecurityContextRepository();
MockHttpServletRequest request = new MockHttpServletRequest();
MockHttpServletResponse response = new MockHttpServletResponse();
HttpRequestResponseHolder holder = new HttpRequestResponseHolder(request, response);
SecurityContext context = repo.loadContext(holder);
SecurityContext transientSecurityContext = new TransientSecurityContext();
Authentication authentication = TestAuthentication.authenticatedUser();
transientSecurityContext.setAuthentication(authentication);
repo.saveContext(transientSecurityContext, holder.getRequest(), holder.getResponse());
MockHttpSession session = (MockHttpSession) request.getSession(false);
assertThat(session).isNull();
}
@Test
public void saveContextWhenTransientAuthenticationThenSkipped() {
HttpSessionSecurityContextRepository repo = new HttpSessionSecurityContextRepository();