From 84cca81edf78a0f0c46aaf8d4834cd5f41de8143 Mon Sep 17 00:00:00 2001
From: Marcus Da Coregio
Date: Tue, 7 Mar 2023 13:27:18 -0300
Subject: [PATCH] Use HttpSessionSecurityContextRepository by default in SwitchUserFilter

Closes gh-12834
---
 .../web/authentication/switchuser/SwitchUserFilter.java | 3 ++-
 .../authentication/switchuser/SwitchUserFilterTests.java | 6 +++---
 2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/web/src/main/java/org/springframework/security/web/authentication/switchuser/SwitchUserFilter.java b/web/src/main/java/org/springframework/security/web/authentication/switchuser/SwitchUserFilter.java
index 310bf0c516..2ae4255448 100644
--- a/web/src/main/java/org/springframework/security/web/authentication/switchuser/SwitchUserFilter.java
+++ b/web/src/main/java/org/springframework/security/web/authentication/switchuser/SwitchUserFilter.java
@@ -58,6 +58,7 @@ import org.springframework.security.web.authentication.AuthenticationSuccessHand
 import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
 import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;
 import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
+import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
 import org.springframework.security.web.context.RequestAttributeSecurityContextRepository;
 import org.springframework.security.web.context.SecurityContextRepository;
 import org.springframework.security.web.util.UrlUtils;
@@ -144,7 +145,7 @@ public class SwitchUserFilter extends GenericFilterBean implements ApplicationEv
 private AuthenticationFailureHandler failureHandler;
- private SecurityContextRepository securityContextRepository = new RequestAttributeSecurityContextRepository();
+ private SecurityContextRepository securityContextRepository = new HttpSessionSecurityContextRepository();
 @Override
 public void afterPropertiesSet() {
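Review bot: The new default for `securityContextRepository` (second hunk) is undocumented, and it moves the impersonated identity into the `HttpSession` by default instead of a request attribute, which matters to anyone running this filter in a stateless setup. The field should carry a line such as `// Session-backed by default so the switched-user context persists across requests; stateless deployments must set a repository explicitly`. The `RequestAttributeSecurityContextRepository` import is still present as context in the first hunk, so something outside these hunks still refers to it; if that is the Javadoc of the repository setter, it presumably still names the old default and should be updated in the same commit. The class body continues outside the hunk.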
diff --git a/web/src/test/java/org/springframework/security/web/authentication/switchuser/SwitchUserFilterTests.java b/web/src/test/java/org/springframework/security/web/authentication/switchuser/SwitchUserFilterTests.java
index 786bbc3054..cd18dd8b04 100644
--- a/web/src/test/java/org/springframework/security/web/authentication/switchuser/SwitchUserFilterTests.java
+++ b/web/src/test/java/org/springframework/security/web/authentication/switchuser/SwitchUserFilterTests.java
@@ -47,7 +47,7 @@ import org.springframework.security.core.userdetails.UsernameNotFoundException;
 import org.springframework.security.util.FieldUtils;
 import org.springframework.security.web.DefaultRedirectStrategy;
 import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;
-import org.springframework.security.web.context.RequestAttributeSecurityContextRepository;
+import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
 import org.springframework.security.web.context.SecurityContextRepository;
 import org.springframework.security.web.util.matcher.AnyRequestMatcher;
 import org.springframework.test.util.ReflectionTestUtils;
@@ -491,10 +491,10 @@ public class SwitchUserFilterTests {
 }
 @Test
- void filterWhenDefaultSecurityContextRepositoryThenRequestAttributeRepository() {
+ void filterWhenDefaultSecurityContextRepositoryThenHttpSessionRepository() {
 SwitchUserFilter switchUserFilter = new SwitchUserFilter();
 assertThat(ReflectionTestUtils.getField(switchUserFilter, "securityContextRepository"))
- .isInstanceOf(RequestAttributeSecurityContextRepository.class);
+ .isInstanceOf(HttpSessionSecurityContextRepository.class);
 }
 @Test
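Review bot: `filterWhenDefaultSecurityContextRepositoryThenHttpSessionRepository` asserts only the field's type through reflection, so it would keep passing if the filter stopped saving the context on a successful switch. A behavioural check is worth adding next to it: drive a switch request through a default-constructed filter and assert that the session holds the context, e.g. `assertThat(request.getSession(false).getAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY)).isNotNull();` (`request` is a placeholder for whatever mock request the test builds). The test class continues outside the hunk.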