Default to DelegatingSecurityContextRepository

Closes gh-12023
Closes gh-12049

Author: Steve Riesenberg

config/src/main/java/org/springframework/security/config/annotation/web/configurers/SecurityContextConfigurer.java

@@ -21,7 +21,9 @@
 import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.core.context.SecurityContext;
 import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.web.context.DelegatingSecurityContextRepository;
 import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
+import org.springframework.security.web.context.RequestAttributeSecurityContextRepository;
 import org.springframework.security.web.context.SecurityContextHolderFilter;
 import org.springframework.security.web.context.SecurityContextPersistenceFilter;
 import org.springframework.security.web.context.SecurityContextRepository;
@@ -96,7 +98,8 @@ SecurityContextRepository getSecurityContextRepository() {
 		SecurityContextRepository securityContextRepository = getBuilder()
 				.getSharedObject(SecurityContextRepository.class);
 		if (securityContextRepository == null) {
-			securityContextRepository = new HttpSessionSecurityContextRepository();
+			securityContextRepository = new DelegatingSecurityContextRepository(
+					new RequestAttributeSecurityContextRepository(), new HttpSessionSecurityContextRepository());
 		}
 		return securityContextRepository;
 	}

config/src/test/java/org/springframework/security/config/TestDeferredSecurityContext.java

@@ -0,0 +1,46 @@
+/*
+ * Copyright 2002-2022 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.config;
+
+import org.springframework.security.core.context.DeferredSecurityContext;
+import org.springframework.security.core.context.SecurityContext;
+
+/**
+ * @author Steve Riesenberg
+ */
+public class TestDeferredSecurityContext implements DeferredSecurityContext {
+
+	private SecurityContext securityContext;
+
+	private boolean isGenerated;
+
+	public TestDeferredSecurityContext(SecurityContext securityContext, boolean isGenerated) {
+		this.securityContext = securityContext;
+		this.isGenerated = isGenerated;
+	}
+
+	@Override
+	public SecurityContext get() {
+		return this.securityContext;
+	}
+
+	@Override
+	public boolean isGenerated() {
+		return this.isGenerated;
+	}
+
+}

config/src/test/java/org/springframework/security/config/annotation/web/configurers/SecurityContextConfigurerTests.java

@@ -28,6 +28,7 @@
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.TestDeferredSecurityContext;
 import org.springframework.security.config.annotation.ObjectPostProcessor;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.builders.TestHttpSecurity;
@@ -83,10 +84,10 @@ public void configureWhenRegisteringObjectPostProcessorThenInvokedOnSecurityCont
 	@Test
 	public void securityContextWhenInvokedTwiceThenUsesOriginalSecurityContextRepository() throws Exception {
 		this.spring.register(DuplicateDoesNotOverrideConfig.class).autowire();
-		given(DuplicateDoesNotOverrideConfig.SCR.loadContext(any(HttpServletRequest.class)))
-				.willReturn(() -> mock(SecurityContext.class));
+		given(DuplicateDoesNotOverrideConfig.SCR.loadDeferredContext(any(HttpServletRequest.class)))
+				.willReturn(new TestDeferredSecurityContext(mock(SecurityContext.class), false));
 		this.mvc.perform(get("/"));
-		verify(DuplicateDoesNotOverrideConfig.SCR).loadContext(any(HttpServletRequest.class));
+		verify(DuplicateDoesNotOverrideConfig.SCR).loadDeferredContext(any(HttpServletRequest.class));
 	}
 
 	// SEC-2932

config/src/test/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurerTests.java

@@ -27,6 +27,7 @@
 import org.springframework.context.annotation.Configuration;
 import org.springframework.mock.web.MockHttpSession;
 import org.springframework.security.authentication.AuthenticationTrustResolver;
+import org.springframework.security.config.TestDeferredSecurityContext;
 import org.springframework.security.config.annotation.ObjectPostProcessor;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
@@ -103,7 +104,8 @@ public void sessionManagementWhenConfiguredThenDoesNotOverrideRequestCache() thr
 	public void sessionManagementWhenConfiguredThenDoesNotOverrideSecurityContextRepository() throws Exception {
 		SessionManagementSecurityContextRepositoryConfig.SECURITY_CONTEXT_REPO = mock(SecurityContextRepository.class);
 		given(SessionManagementSecurityContextRepositoryConfig.SECURITY_CONTEXT_REPO
-				.loadContext(any(HttpServletRequest.class))).willReturn(() -> mock(SecurityContext.class));
+				.loadDeferredContext(any(HttpServletRequest.class)))
+						.willReturn(new TestDeferredSecurityContext(mock(SecurityContext.class), false));
 		this.spring.register(SessionManagementSecurityContextRepositoryConfig.class).autowire();
 		this.mvc.perform(get("/"));
 	}

config/src/test/java/org/springframework/security/config/http/MiscHttpConfigTests.java

@@ -68,14 +68,14 @@
 import org.springframework.security.authentication.InsufficientAuthenticationException;
 import org.springframework.security.authentication.TestingAuthenticationToken;
 import org.springframework.security.authentication.jaas.AuthorityGranter;
+import org.springframework.security.config.TestDeferredSecurityContext;
 import org.springframework.security.config.test.SpringTestContext;
 import org.springframework.security.config.test.SpringTestContextExtension;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.annotation.AuthenticationPrincipal;
 import org.springframework.security.core.authority.AuthorityUtils;
-import org.springframework.security.core.context.DeferredSecurityContext;
 import org.springframework.security.core.context.SecurityContext;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.core.context.SecurityContextHolderStrategy;
@@ -473,7 +473,8 @@ public void getWhenAuthenticatingThenConsultsCustomSecurityContextRepository() t
 		this.spring.configLocations(xml("SecurityContextRepository")).autowire();
 		SecurityContextRepository repository = this.spring.getContext().getBean(SecurityContextRepository.class);
 		SecurityContext context = new SecurityContextImpl(new TestingAuthenticationToken("user", "password"));
-		given(repository.loadContext(any(HttpServletRequest.class))).willReturn(() -> context);
+		given(repository.loadDeferredContext(any(HttpServletRequest.class)))
+				.willReturn(new TestDeferredSecurityContext(context, false));
 		// @formatter:off
 		MvcResult result = this.mvc.perform(get("/protected").with(userCredentials()))
 				.andExpect(status().isOk())
@@ -1039,27 +1040,4 @@ public String encodeRedirectUrl(String url) {
 
 	}
 
-	static class TestDeferredSecurityContext implements DeferredSecurityContext {
-
-		private SecurityContext securityContext;
-
-		private boolean isGenerated;
-
-		TestDeferredSecurityContext(SecurityContext securityContext, boolean isGenerated) {
-			this.securityContext = securityContext;
-			this.isGenerated = isGenerated;
-		}
-
-		@Override
-		public SecurityContext get() {
-			return this.securityContext;
-		}
-
-		@Override
-		public boolean isGenerated() {
-			return this.isGenerated;
-		}
-
-	}
-
 }