Add DeferredSecurityContext

Issue gh-12023

Author: Steve Riesenberg

config/src/test/java/org/springframework/security/config/http/MiscHttpConfigTests.java

@@ -75,6 +75,7 @@
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.annotation.AuthenticationPrincipal;
 import org.springframework.security.core.authority.AuthorityUtils;
+import org.springframework.security.core.context.DeferredSecurityContext;
 import org.springframework.security.core.context.SecurityContext;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.core.context.SecurityContextHolderStrategy;
@@ -490,7 +491,8 @@ public void getWhenExplicitSaveAndRepositoryAndAuthenticatingThenConsultsCustomS
 		this.spring.configLocations(xml("ExplicitSaveAndExplicitRepository")).autowire();
 		SecurityContextRepository repository = this.spring.getContext().getBean(SecurityContextRepository.class);
 		SecurityContext context = new SecurityContextImpl(new TestingAuthenticationToken("user", "password"));
-		given(repository.loadContext(any(HttpServletRequest.class))).willReturn(() -> context);
+		given(repository.loadDeferredContext(any(HttpServletRequest.class)))
+				.willReturn(new TestDeferredSecurityContext(context, false));
 		// @formatter:off
 		MvcResult result = this.mvc.perform(formLogin())
 				.andExpect(status().is3xxRedirection())
@@ -1044,4 +1046,27 @@ public String encodeRedirectUrl(String url) {
 
 	}
 
+	static class TestDeferredSecurityContext implements DeferredSecurityContext {
+
+		private SecurityContext securityContext;
+
+		private boolean isGenerated;
+
+		TestDeferredSecurityContext(SecurityContext securityContext, boolean isGenerated) {
+			this.securityContext = securityContext;
+			this.isGenerated = isGenerated;
+		}
+
+		@Override
+		public SecurityContext get() {
+			return this.securityContext;
+		}
+
+		@Override
+		public boolean isGenerated() {
+			return this.isGenerated;
+		}
+
+	}
+
 }

core/src/main/java/org/springframework/security/core/context/DeferredSecurityContext.java

@@ -0,0 +1,38 @@
+/*
+ * Copyright 2002-2022 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.core.context;
+
+import java.util.function.Supplier;
+
+/**
+ * An interface that allows delayed access to a {@link SecurityContext} that may be
+ * generated.
+ *
+ * @author Steve Riesenberg
+ * @since 5.8
+ */
+public interface DeferredSecurityContext extends Supplier<SecurityContext> {
+
+	/**
+	 * Returns true if {@link #get()} refers to a generated {@link SecurityContext} or
+	 * false if it already existed.
+	 * @return true if {@link #get()} refers to a generated {@link SecurityContext} or
+	 * false if it already existed
+	 */
+	boolean isGenerated();
+
+}

web/src/main/java/org/springframework/security/web/context/HttpRequestResponseHolder.java

@@ -27,7 +27,8 @@
  *
  * @author Luke Taylor
  * @since 3.0
- * @deprecated Use {@link SecurityContextRepository#loadContext(HttpServletRequest)}
+ * @deprecated Use
+ * {@link SecurityContextRepository#loadDeferredContext(HttpServletRequest)}
  */
 @Deprecated
 public final class HttpRequestResponseHolder {

web/src/main/java/org/springframework/security/web/context/HttpSessionSecurityContextRepository.java

@@ -16,6 +16,8 @@
 
 package org.springframework.security.web.context;
 
+import java.util.function.Supplier;
+
 import javax.servlet.AsyncContext;
 import javax.servlet.ServletRequest;
 import javax.servlet.ServletResponse;
@@ -33,6 +35,7 @@
 import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.Transient;
+import org.springframework.security.core.context.DeferredSecurityContext;
 import org.springframework.security.core.context.SecurityContext;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.core.context.SecurityContextHolderStrategy;
@@ -136,6 +139,12 @@ public SecurityContext loadContext(HttpRequestResponseHolder requestResponseHold
 		return context;
 	}
 
+	@Override
+	public DeferredSecurityContext loadDeferredContext(HttpServletRequest request) {
+		Supplier<SecurityContext> supplier = () -> readSecurityContextFromSession(request.getSession(false));
+		return new SupplierDeferredSecurityContext(supplier, this.securityContextHolderStrategy);
+	}
+
 	@Override
 	public void saveContext(SecurityContext context, HttpServletRequest request, HttpServletResponse response) {
 		SaveContextOnUpdateOrErrorResponseWrapper responseWrapper = WebUtils.getNativeResponse(response,

web/src/main/java/org/springframework/security/web/context/RequestAttributeSecurityContextRepository.java

@@ -21,6 +21,7 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.springframework.security.core.context.DeferredSecurityContext;
 import org.springframework.security.core.context.SecurityContext;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.core.context.SecurityContextHolderStrategy;
@@ -76,17 +77,13 @@ public boolean containsContext(HttpServletRequest request) {
 
 	@Override
 	public SecurityContext loadContext(HttpRequestResponseHolder requestResponseHolder) {
-		return getContextOrEmpty(requestResponseHolder.getRequest());
+		return loadDeferredContext(requestResponseHolder.getRequest()).get();
 	}
 
 	@Override
-	public Supplier<SecurityContext> loadContext(HttpServletRequest request) {
-		return () -> getContextOrEmpty(request);
-	}
-
-	private SecurityContext getContextOrEmpty(HttpServletRequest request) {
-		SecurityContext context = getContext(request);
-		return (context != null) ? context : this.securityContextHolderStrategy.createEmptyContext();
+	public DeferredSecurityContext loadDeferredContext(HttpServletRequest request) {
+		Supplier<SecurityContext> supplier = () -> getContext(request);
+		return new SupplierDeferredSecurityContext(supplier, this.securityContextHolderStrategy);
 	}
 
 	private SecurityContext getContext(HttpServletRequest request) {

web/src/main/java/org/springframework/security/web/context/SaveContextOnUpdateOrErrorResponseWrapper.java

@@ -42,8 +42,8 @@
  * @author Marten Algesten
  * @author Rob Winch
  * @since 3.0
- * @deprecated Use {@link SecurityContextRepository#loadContext(HttpServletRequest)}
- * instead.
+ * @deprecated Use
+ * {@link SecurityContextRepository#loadDeferredContext(HttpServletRequest)} instead.
  */
 @Deprecated
 public abstract class SaveContextOnUpdateOrErrorResponseWrapper extends OnCommittedResponseWrapper {

web/src/main/java/org/springframework/security/web/context/SecurityContextHolderFilter.java

@@ -63,7 +63,7 @@ public SecurityContextHolderFilter(SecurityContextRepository securityContextRepo
 	@Override
 	protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
 			throws ServletException, IOException {
-		Supplier<SecurityContext> deferredContext = this.securityContextRepository.loadContext(request);
+		Supplier<SecurityContext> deferredContext = this.securityContextRepository.loadDeferredContext(request);
 		try {
 			this.securityContextHolderStrategy.setDeferredContext(deferredContext);
 			filterChain.doFilter(request, response);

web/src/main/java/org/springframework/security/web/context/SecurityContextRepository.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2016 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -21,7 +21,9 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.springframework.security.core.context.DeferredSecurityContext;
 import org.springframework.security.core.context.SecurityContext;
+import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.util.function.SingletonSupplier;
 
 /**
@@ -61,7 +63,7 @@ public interface SecurityContextRepository {
 	 * the context should be loaded.
 	 * @return The security context which should be used for the current request, never
 	 * null.
-	 * @deprecated Use {@link #loadContext(HttpServletRequest)} instead.
+	 * @deprecated Use {@link #loadDeferredContext(HttpServletRequest)} instead.
 	 */
 	@Deprecated
 	SecurityContext loadContext(HttpRequestResponseHolder requestResponseHolder);
@@ -75,9 +77,27 @@ public interface SecurityContextRepository {
 	 * @return a {@link Supplier} that returns the {@link SecurityContext} which cannot be
 	 * null.
 	 * @since 5.7
+	 * @deprecated Use
+	 * {@link SecurityContextRepository#loadDeferredContext(HttpServletRequest)} instead
 	 */
+	@Deprecated
 	default Supplier<SecurityContext> loadContext(HttpServletRequest request) {
-		return SingletonSupplier.of(() -> loadContext(new HttpRequestResponseHolder(request, null)));
+		return loadDeferredContext(request);
+	}
+
+	/**
+	 * Defers loading the {@link SecurityContext} using the {@link HttpServletRequest}
+	 * until it is needed by the application.
+	 * @param request the {@link HttpServletRequest} to load the {@link SecurityContext}
+	 * from
+	 * @return a {@link DeferredSecurityContext} that returns the {@link SecurityContext}
+	 * which cannot be null
+	 * @since 5.8
+	 */
+	default DeferredSecurityContext loadDeferredContext(HttpServletRequest request) {
+		Supplier<SecurityContext> supplier = () -> loadContext(new HttpRequestResponseHolder(request, null));
+		return new SupplierDeferredSecurityContext(SingletonSupplier.of(supplier),
+				SecurityContextHolder.getContextHolderStrategy());
 	}
 
 	/**

web/src/main/java/org/springframework/security/web/context/SupplierDeferredSecurityContext.java

@@ -0,0 +1,77 @@
+/*
+ * Copyright 2002-2022 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.web.context;
+
+import java.util.function.Supplier;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+import org.springframework.core.log.LogMessage;
+import org.springframework.security.core.context.DeferredSecurityContext;
+import org.springframework.security.core.context.SecurityContext;
+import org.springframework.security.core.context.SecurityContextHolderStrategy;
+
+/**
+ * @author Steve Riesenberg
+ * @since 5.8
+ */
+final class SupplierDeferredSecurityContext implements DeferredSecurityContext {
+
+	private static final Log logger = LogFactory.getLog(SupplierDeferredSecurityContext.class);
+
+	private final Supplier<SecurityContext> supplier;
+
+	private final SecurityContextHolderStrategy strategy;
+
+	private SecurityContext securityContext;
+
+	private boolean missingContext;
+
+	SupplierDeferredSecurityContext(Supplier<SecurityContext> supplier, SecurityContextHolderStrategy strategy) {
+		this.supplier = supplier;
+		this.strategy = strategy;
+	}
+
+	@Override
+	public SecurityContext get() {
+		init();
+		return this.securityContext;
+	}
+
+	@Override
+	public boolean isGenerated() {
+		init();
+		return this.missingContext;
+	}
+
+	private void init() {
+		if (this.securityContext != null) {
+			return;
+		}
+
+		this.securityContext = this.supplier.get();
+		this.missingContext = (this.securityContext == null);
+		if (this.missingContext) {
+			this.securityContext = this.strategy.createEmptyContext();
+			if (logger.isTraceEnabled()) {
+				logger.trace(LogMessage.format("Created %s", this.securityContext));
+			}
+		}
+	}
+
+}

web/src/test/java/org/springframework/security/web/context/SecurityContextHolderFilterTests.java

@@ -76,7 +76,8 @@ void cleanup() {
 	void doFilterThenSetsAndClearsSecurityContextHolder() throws Exception {
 		Authentication authentication = TestAuthentication.authenticatedUser();
 		SecurityContext expectedContext = new SecurityContextImpl(authentication);
-		given(this.repository.loadContext(this.requestArg.capture())).willReturn(() -> expectedContext);
+		given(this.repository.loadDeferredContext(this.requestArg.capture()))
+				.willReturn(new SupplierDeferredSecurityContext(() -> expectedContext, this.strategy));
 		FilterChain filterChain = (request, response) -> assertThat(SecurityContextHolder.getContext())
 				.isEqualTo(expectedContext);
 
@@ -89,7 +90,8 @@ void doFilterThenSetsAndClearsSecurityContextHolder() throws Exception {
 	void doFilterThenSetsAndClearsSecurityContextHolderStrategy() throws Exception {
 		Authentication authentication = TestAuthentication.authenticatedUser();
 		SecurityContext expectedContext = new SecurityContextImpl(authentication);
-		given(this.repository.loadContext(this.requestArg.capture())).willReturn(() -> expectedContext);
+		given(this.repository.loadDeferredContext(this.requestArg.capture()))
+				.willReturn(new SupplierDeferredSecurityContext(() -> expectedContext, this.strategy));
 		FilterChain filterChain = (request, response) -> {
 		};
 

web/src/test/java/org/springframework/security/web/context/SecurityContextRepositoryTests.java

@@ -16,13 +16,11 @@
 
 package org.springframework.security.web.context;
 
-import java.util.function.Supplier;
-
 import javax.servlet.http.HttpServletRequest;
 
 import org.junit.jupiter.api.Test;
 
-import org.springframework.security.core.context.SecurityContext;
+import org.springframework.security.core.context.DeferredSecurityContext;
 import org.springframework.security.core.context.SecurityContextImpl;
 
 import static org.mockito.ArgumentMatchers.any;
@@ -42,8 +40,8 @@ class SecurityContextRepositoryTests {
 	@Test
 	void loadContextHttpRequestResponseHolderWhenInvokeSupplierTwiceThenOnlyInvokesLoadContextOnce() {
 		given(this.repository.loadContext(any(HttpRequestResponseHolder.class))).willReturn(new SecurityContextImpl());
-		Supplier<SecurityContext> deferredContext = this.repository.loadContext(mock(HttpServletRequest.class));
-		verify(this.repository).loadContext(any(HttpServletRequest.class));
+		DeferredSecurityContext deferredContext = this.repository.loadDeferredContext(mock(HttpServletRequest.class));
+		verify(this.repository).loadDeferredContext(any(HttpServletRequest.class));
 		deferredContext.get();
 		verify(this.repository).loadContext(any(HttpRequestResponseHolder.class));
 		deferredContext.get();