diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/SecurityContextConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/SecurityContextConfigurer.java index 7d9f5553dd..056f02e8df 100644 --- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/SecurityContextConfigurer.java +++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/SecurityContextConfigurer.java @@ -64,7 +64,7 @@ import org.springframework.security.web.session.ForceEagerSessionCreationFilter; public final class SecurityContextConfigurer> extends AbstractHttpConfigurer, H> { - private boolean requireExplicitSave; + private boolean requireExplicitSave = true; /** * Creates a new instance diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/builders/HttpSecurityAddFilterTest.java b/config/src/test/java/org/springframework/security/config/annotation/web/builders/HttpSecurityAddFilterTest.java index f58f89b212..e55abde132 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/builders/HttpSecurityAddFilterTest.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/builders/HttpSecurityAddFilterTest.java @@ -39,7 +39,7 @@ import org.springframework.security.web.SecurityFilterChain; import org.springframework.security.web.access.ExceptionTranslationFilter; import org.springframework.security.web.access.channel.ChannelProcessingFilter; import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter; -import org.springframework.security.web.context.SecurityContextPersistenceFilter; +import org.springframework.security.web.context.SecurityContextHolderFilter; import org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter; import org.springframework.security.web.header.HeaderWriterFilter; @@ -95,7 +95,7 @@ public class HttpSecurityAddFilterTest { this.spring.register(MyOtherFilterRelativeToMyFilterAtConfig.class).autowire(); assertThatFilters().containsSubsequence(WebAsyncManagerIntegrationFilter.class, MyFilter.class, - MyOtherFilter.class, SecurityContextPersistenceFilter.class); + MyOtherFilter.class, SecurityContextHolderFilter.class); } @Test diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configuration/SecurityReactorContextConfigurationResourceServerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configuration/SecurityReactorContextConfigurationResourceServerTests.java index 5f5319dcf7..a2f099c0bb 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configuration/SecurityReactorContextConfigurationResourceServerTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configuration/SecurityReactorContextConfigurationResourceServerTests.java @@ -90,6 +90,7 @@ public class SecurityReactorContextConfigurationResourceServerTests { @Override protected void configure(HttpSecurity http) throws Exception { + http.securityContext().requireExplicitSave(false); } @Bean diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/DefaultFiltersTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/DefaultFiltersTests.java index 32fbf9fb73..c2311e4947 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/DefaultFiltersTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/DefaultFiltersTests.java @@ -49,7 +49,7 @@ import org.springframework.security.web.access.intercept.FilterSecurityIntercept import org.springframework.security.web.authentication.AnonymousAuthenticationFilter; import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter; import org.springframework.security.web.authentication.logout.LogoutFilter; -import org.springframework.security.web.context.SecurityContextPersistenceFilter; +import org.springframework.security.web.context.SecurityContextHolderFilter; import org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter; import org.springframework.security.web.csrf.CsrfFilter; import org.springframework.security.web.csrf.CsrfToken; @@ -105,7 +105,7 @@ public class DefaultFiltersTests { List> classes = secondFilter.getFilters().stream().map(Filter::getClass) .collect(Collectors.toList()); assertThat(classes.contains(WebAsyncManagerIntegrationFilter.class)).isTrue(); - assertThat(classes.contains(SecurityContextPersistenceFilter.class)).isTrue(); + assertThat(classes.contains(SecurityContextHolderFilter.class)).isTrue(); assertThat(classes.contains(HeaderWriterFilter.class)).isTrue(); assertThat(classes.contains(LogoutFilter.class)).isTrue(); assertThat(classes.contains(CsrfFilter.class)).isTrue(); diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/SecurityContextConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/SecurityContextConfigurerTests.java index 59e0db7892..03e6f617ee 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/SecurityContextConfigurerTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/SecurityContextConfigurerTests.java @@ -20,6 +20,7 @@ import java.util.List; import java.util.stream.Collectors; import jakarta.servlet.Filter; +import jakarta.servlet.http.HttpServletRequest; import jakarta.servlet.http.HttpSession; import org.junit.jupiter.api.Test; import org.junit.jupiter.api.extension.ExtendWith; @@ -74,16 +75,16 @@ public class SecurityContextConfigurerTests { @Test public void configureWhenRegisteringObjectPostProcessorThenInvokedOnSecurityContextPersistenceFilter() { this.spring.register(ObjectPostProcessorConfig.class).autowire(); - verify(ObjectPostProcessorConfig.objectPostProcessor).postProcess(any(SecurityContextPersistenceFilter.class)); + verify(ObjectPostProcessorConfig.objectPostProcessor).postProcess(any(SecurityContextHolderFilter.class)); } @Test public void securityContextWhenInvokedTwiceThenUsesOriginalSecurityContextRepository() throws Exception { this.spring.register(DuplicateDoesNotOverrideConfig.class).autowire(); - given(DuplicateDoesNotOverrideConfig.SCR.loadContext(any(HttpRequestResponseHolder.class))) - .willReturn(mock(SecurityContext.class)); + given(DuplicateDoesNotOverrideConfig.SCR.loadContext(any(HttpServletRequest.class))) + .willReturn(() -> mock(SecurityContext.class)); this.mvc.perform(get("/")); - verify(DuplicateDoesNotOverrideConfig.SCR).loadContext(any(HttpRequestResponseHolder.class)); + verify(DuplicateDoesNotOverrideConfig.SCR).loadContext(any(HttpServletRequest.class)); } // SEC-2932 diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurerTests.java index 0874cd0d02..d2c0926e9b 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurerTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurerTests.java @@ -42,7 +42,6 @@ import org.springframework.security.web.authentication.session.ChangeSessionIdAu import org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy; import org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy; import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy; -import org.springframework.security.web.context.HttpRequestResponseHolder; import org.springframework.security.web.context.SecurityContextRepository; import org.springframework.security.web.savedrequest.RequestCache; import org.springframework.security.web.session.ConcurrentSessionFilter; @@ -101,11 +100,9 @@ public class SessionManagementConfigurerTests { public void sessionManagementWhenConfiguredThenDoesNotOverrideSecurityContextRepository() throws Exception { SessionManagementSecurityContextRepositoryConfig.SECURITY_CONTEXT_REPO = mock(SecurityContextRepository.class); given(SessionManagementSecurityContextRepositoryConfig.SECURITY_CONTEXT_REPO - .loadContext(any(HttpRequestResponseHolder.class))).willReturn(mock(SecurityContext.class)); + .loadContext(any(HttpServletRequest.class))).willReturn(() -> mock(SecurityContext.class)); this.spring.register(SessionManagementSecurityContextRepositoryConfig.class).autowire(); this.mvc.perform(get("/")); - verify(SessionManagementSecurityContextRepositoryConfig.SECURITY_CONTEXT_REPO) - .saveContext(any(SecurityContext.class), any(HttpServletRequest.class), any(HttpServletResponse.class)); } @Test