
Commit e79b6b3

committed
Default SecurityContextHolderFilter
Closes gh-11110
1 parent 9a9a43a commit e79b6b3


6 files changed

+12
-13
lines changed


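--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/SecurityContextConfigurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/SecurityContextConfigurer.java
@@ -64,7 +64,7 @@
 public final class SecurityContextConfigurer<H extends HttpSecurityBuilder<H>>
 extends AbstractHttpConfigurer<SecurityContextConfigurer<H>, H> {
 
-private boolean requireExplicitSave;
+private boolean requireExplicitSave = true;
 
 /**
 * Creates a new instance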
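Review bot: The new initializer `private boolean requireExplicitSave = true;` flips a security-relevant default with no comment on the field. With `true` the configurer evidently installs SecurityContextHolderFilter (the tests in this commit now expect it in place of SecurityContextPersistenceFilter), so, as far as the hunk and tests show, the context is no longer written back to the SecurityContextRepository automatically; code that sets an Authentication by hand and relied on the implicit save would silently stop persisting it between requests. I would document this on the field, for example `// true: SecurityContextHolderFilter is used and callers must save the SecurityContext explicitly; false restores SecurityContextPersistenceFilter`, and mention the opt-out `requireExplicitSave(false)` in the setter's Javadoc. The class body continues outside the hunk, so the setter and `configure` are not visible here.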

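--- a/config/src/test/java/org/springframework/security/config/annotation/web/builders/HttpSecurityAddFilterTest.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/builders/HttpSecurityAddFilterTest.java
@@ -39,7 +39,7 @@
 import org.springframework.security.web.access.ExceptionTranslationFilter;
 import org.springframework.security.web.access.channel.ChannelProcessingFilter;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
-import org.springframework.security.web.context.SecurityContextPersistenceFilter;
+import org.springframework.security.web.context.SecurityContextHolderFilter;
 import org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter;
 import org.springframework.security.web.header.HeaderWriterFilter;
 
@@ -95,7 +95,7 @@ public void addFilterAtWhenAtCustomFilterThenOrderCorrect() {
 this.spring.register(MyOtherFilterRelativeToMyFilterAtConfig.class).autowire();
 
 assertThatFilters().containsSubsequence(WebAsyncManagerIntegrationFilter.class, MyFilter.class,
-MyOtherFilter.class, SecurityContextPersistenceFilter.class);
+MyOtherFilter.class, SecurityContextHolderFilter.class);
 }
 
 @Test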

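--- a/config/src/test/java/org/springframework/security/config/annotation/web/configuration/SecurityReactorContextConfigurationResourceServerTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configuration/SecurityReactorContextConfigurationResourceServerTests.java
@@ -90,6 +90,7 @@ static class BearerFilterConfig extends WebSecurityConfigurerAdapter {
 
 @Override
 protected void configure(HttpSecurity http) throws Exception {
+http.securityContext().requireExplicitSave(false);
 }
 
 @Bean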
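Review bot: The added `http.securityContext().requireExplicitSave(false);` opts this test configuration out of the new default without saying why the test needs the old persistence behaviour. A short comment above the call, along the lines of `// opt out of explicit save: <reason this test depends on implicit SecurityContext persistence>`, would keep the opt-out from being copied into application configuration as a generic fix. The actual reason is not visible in the hunk and should come from the author; BearerFilterConfig continues outside the hunk.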

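--- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/DefaultFiltersTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/DefaultFiltersTests.java
@@ -49,7 +49,7 @@
 import org.springframework.security.web.authentication.AnonymousAuthenticationFilter;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 import org.springframework.security.web.authentication.logout.LogoutFilter;
-import org.springframework.security.web.context.SecurityContextPersistenceFilter;
+import org.springframework.security.web.context.SecurityContextHolderFilter;
 import org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter;
 import org.springframework.security.web.csrf.CsrfFilter;
 import org.springframework.security.web.csrf.CsrfToken;
@@ -105,7 +105,7 @@ public void filterChainProxyBuilderIgnoringResources() {
 List<? extends Class<? extends Filter>> classes = secondFilter.getFilters().stream().map(Filter::getClass)
 .collect(Collectors.toList());
 assertThat(classes.contains(WebAsyncManagerIntegrationFilter.class)).isTrue();
-assertThat(classes.contains(SecurityContextPersistenceFilter.class)).isTrue();
+assertThat(classes.contains(SecurityContextHolderFilter.class)).isTrue();
 assertThat(classes.contains(HeaderWriterFilter.class)).isTrue();
 assertThat(classes.contains(LogoutFilter.class)).isTrue();
 assertThat(classes.contains(CsrfFilter.class)).isTrue();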

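--- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/SecurityContextConfigurerTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/SecurityContextConfigurerTests.java
@@ -20,6 +20,7 @@
 import java.util.stream.Collectors;
 
 import jakarta.servlet.Filter;
+import jakarta.servlet.http.HttpServletRequest;
 import jakarta.servlet.http.HttpSession;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
@@ -74,16 +75,16 @@ public class SecurityContextConfigurerTests {
 @Test
 public void configureWhenRegisteringObjectPostProcessorThenInvokedOnSecurityContextPersistenceFilter() {
 this.spring.register(ObjectPostProcessorConfig.class).autowire();
-verify(ObjectPostProcessorConfig.objectPostProcessor).postProcess(any(SecurityContextPersistenceFilter.class));
+verify(ObjectPostProcessorConfig.objectPostProcessor).postProcess(any(SecurityContextHolderFilter.class));
 }
 
 @Test
 public void securityContextWhenInvokedTwiceThenUsesOriginalSecurityContextRepository() throws Exception {
 this.spring.register(DuplicateDoesNotOverrideConfig.class).autowire();
-given(DuplicateDoesNotOverrideConfig.SCR.loadContext(any(HttpRequestResponseHolder.class)))
-.willReturn(mock(SecurityContext.class));
+given(DuplicateDoesNotOverrideConfig.SCR.loadContext(any(HttpServletRequest.class)))
+.willReturn(() -> mock(SecurityContext.class));
 this.mvc.perform(get("/"));
-verify(DuplicateDoesNotOverrideConfig.SCR).loadContext(any(HttpRequestResponseHolder.class));
+verify(DuplicateDoesNotOverrideConfig.SCR).loadContext(any(HttpServletRequest.class));
 }
 
 // SEC-2932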
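Review bot: The test name `configureWhenRegisteringObjectPostProcessorThenInvokedOnSecurityContextPersistenceFilter` still names the filter that is no longer the default, while its body now verifies `any(SecurityContextHolderFilter.class)`. Renaming it to `configureWhenRegisteringObjectPostProcessorThenInvokedOnSecurityContextHolderFilter` keeps the name and the assertion in agreement. The hunks also stop using `SecurityContextPersistenceFilter` and `HttpRequestResponseHolder` in these two tests without touching their import lines, so it is worth checking whether those imports are still referenced elsewhere in the file, which is not visible from this section.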

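--- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurerTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurerTests.java
@@ -42,7 +42,6 @@
 import org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy;
 import org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy;
 import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
-import org.springframework.security.web.context.HttpRequestResponseHolder;
 import org.springframework.security.web.context.SecurityContextRepository;
 import org.springframework.security.web.savedrequest.RequestCache;
 import org.springframework.security.web.session.ConcurrentSessionFilter;
@@ -101,11 +100,9 @@ public void sessionManagementWhenConfiguredThenDoesNotOverrideRequestCache() thr
 public void sessionManagementWhenConfiguredThenDoesNotOverrideSecurityContextRepository() throws Exception {
 SessionManagementSecurityContextRepositoryConfig.SECURITY_CONTEXT_REPO = mock(SecurityContextRepository.class);
 given(SessionManagementSecurityContextRepositoryConfig.SECURITY_CONTEXT_REPO
-.loadContext(any(HttpRequestResponseHolder.class))).willReturn(mock(SecurityContext.class));
+.loadContext(any(HttpServletRequest.class))).willReturn(() -> mock(SecurityContext.class));
 this.spring.register(SessionManagementSecurityContextRepositoryConfig.class).autowire();
 this.mvc.perform(get("/"));
-verify(SessionManagementSecurityContextRepositoryConfig.SECURITY_CONTEXT_REPO)
-.saveContext(any(SecurityContext.class), any(HttpServletRequest.class), any(HttpServletResponse.class));
 }
 
 @Test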
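Review bot: After the two removed `verify(...).saveContext(...)` lines, `sessionManagementWhenConfiguredThenDoesNotOverrideSecurityContextRepository` stubs `loadContext` and performs a request but, within this hunk, no longer asserts anything, so it would still pass if session management replaced the configured repository. A check matching the one kept in SecurityContextConfigurerTests restores the intent: add `verify(SessionManagementSecurityContextRepositoryConfig.SECURITY_CONTEXT_REPO).loadContext(any(HttpServletRequest.class));` after `this.mvc.perform(get("/"));`. The `HttpServletResponse` import may now be unused; the import block is only partly visible in this section.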
