From 33b492df54afd751b4fd382bc8af2db90317c135 Mon Sep 17 00:00:00 2001
From: Steve Riesenberg
Date: Mon, 17 Oct 2022 20:04:43 -0500
Subject: [PATCH] Default to DelegatingSecurityContextRepository
Closes gh-12023
Closes gh-12049
---
 .../SecurityContextConfigurer.java | 5 +-
 .../config/TestDeferredSecurityContext.java | 46 +++++++++++++++++++
 .../SecurityContextConfigurerTests.java | 7 +--
 .../SessionManagementConfigurerTests.java | 4 +-
 .../config/http/MiscHttpConfigTests.java | 28 ++---------
 5 files changed, 60 insertions(+), 30 deletions(-)
 create mode 100644 config/src/test/java/org/springframework/security/config/TestDeferredSecurityContext.java
diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/SecurityContextConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/SecurityContextConfigurer.java
index 3ec482cde5..313eeb4131 100644
--- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/SecurityContextConfigurer.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/SecurityContextConfigurer.java
@@ -21,7 +21,9 @@ import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.core.context.SecurityContext;
 import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.web.context.DelegatingSecurityContextRepository;
 import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
+import org.springframework.security.web.context.RequestAttributeSecurityContextRepository;
 import org.springframework.security.web.context.SecurityContextHolderFilter;
 import org.springframework.security.web.context.SecurityContextPersistenceFilter;
 import org.springframework.security.web.context.SecurityContextRepository;
@@ -96,7 +98,8 @@ public final class SecurityContextConfigurer>
 SecurityContextRepository securityContextRepository = getBuilder()
 .getSharedObject(SecurityContextRepository.class);
 if (securityContextRepository == null) {
- securityContextRepository = new HttpSessionSecurityContextRepository();
+ securityContextRepository = new DelegatingSecurityContextRepository(
+ new RequestAttributeSecurityContextRepository(), new HttpSessionSecurityContextRepository());
 }
 return securityContextRepository;
 }
diff --git a/config/src/test/java/org/springframework/security/config/TestDeferredSecurityContext.java b/config/src/test/java/org/springframework/security/config/TestDeferredSecurityContext.java
new file mode 100644
index 0000000000..ff142f2f74
--- /dev/null
+++ b/config/src/test/java/org/springframework/security/config/TestDeferredSecurityContext.java
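Review bot: In SecurityContextConfigurer.java the new fallback under `if (securityContextRepository == null)` changes where the SecurityContext is persisted by default, yet nothing at that spot explains why two repositories are combined or that their order is significant. I would put a comment above the constructor call, for example `// No shared repository configured: use the request attribute and the HTTP session together; the delegate order is deliberate`. As far as this patch shows, the test changes only switch stubs from loadContext to loadDeferredContext, so no test appears to pin that the fallback is a DelegatingSecurityContextRepository; an assertion on the returned type would catch an accidental revert of the default. The enclosing method starts outside the hunk.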
@@ -0,0 +1,46 @@
+/*
+ * Copyright 2002-2022 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.config;
+
+import org.springframework.security.core.context.DeferredSecurityContext;
+import org.springframework.security.core.context.SecurityContext;
+
+/**
+ * @author Steve Riesenberg
+ */
+public class TestDeferredSecurityContext implements DeferredSecurityContext {
+
+ private SecurityContext securityContext;
+
+ private boolean isGenerated;
+
+ public TestDeferredSecurityContext(SecurityContext securityContext, boolean isGenerated) {
+ this.securityContext = securityContext;
+ this.isGenerated = isGenerated;
+ }
+
+ @Override
+ public SecurityContext get() {
+ return this.securityContext;
+ }
+
+ @Override
+ public boolean isGenerated() {
+ return this.isGenerated;
+ }
+
+}
diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/SecurityContextConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/SecurityContextConfigurerTests.java
index 9342ae1e3f..2ddde3d587 100644
--- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/SecurityContextConfigurerTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/SecurityContextConfigurerTests.java
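Review bot: In the new TestDeferredSecurityContext, both fields are assigned only in the constructor and could be declared final, `private final SecurityContext securityContext;` and `private final boolean isGenerated;`, which documents that the helper is immutable. The class Javadoc holds only an @author tag; now that the helper is public and shared by several test classes, a one-sentence summary such as `A DeferredSecurityContext for tests that returns a fixed SecurityContext and a fixed isGenerated flag.` would help the next reader.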
@@ -28,6 +28,7 @@ import org.junit.jupiter.api.extension.ExtendWith;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.TestDeferredSecurityContext;
 import org.springframework.security.config.annotation.ObjectPostProcessor;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.builders.TestHttpSecurity;
@@ -83,10 +84,10 @@ public class SecurityContextConfigurerTests {
 @Test
 public void securityContextWhenInvokedTwiceThenUsesOriginalSecurityContextRepository() throws Exception {
 this.spring.register(DuplicateDoesNotOverrideConfig.class).autowire();
- given(DuplicateDoesNotOverrideConfig.SCR.loadContext(any(HttpServletRequest.class)))
- .willReturn(() -> mock(SecurityContext.class));
+ given(DuplicateDoesNotOverrideConfig.SCR.loadDeferredContext(any(HttpServletRequest.class)))
+ .willReturn(new TestDeferredSecurityContext(mock(SecurityContext.class), false));
 this.mvc.perform(get("/"));
- verify(DuplicateDoesNotOverrideConfig.SCR).loadContext(any(HttpServletRequest.class));
+ verify(DuplicateDoesNotOverrideConfig.SCR).loadDeferredContext(any(HttpServletRequest.class));
 }
 // SEC-2932
diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurerTests.java
index 6a3a39e24d..70c3f9999e 100644
--- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurerTests.java
+++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurerTests.java
@@ -27,6 +27,7 @@ import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.mock.web.MockHttpSession;
 import org.springframework.security.authentication.AuthenticationTrustResolver;
+import org.springframework.security.config.TestDeferredSecurityContext;
 import org.springframework.security.config.annotation.ObjectPostProcessor;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
@@ -103,7 +104,8 @@ public class SessionManagementConfigurerTests {
 public void sessionManagementWhenConfiguredThenDoesNotOverrideSecurityContextRepository() throws Exception {
 SessionManagementSecurityContextRepositoryConfig.SECURITY_CONTEXT_REPO = mock(SecurityContextRepository.class);
 given(SessionManagementSecurityContextRepositoryConfig.SECURITY_CONTEXT_REPO
- .loadContext(any(HttpServletRequest.class))).willReturn(() -> mock(SecurityContext.class));
+ .loadDeferredContext(any(HttpServletRequest.class)))
+ .willReturn(new TestDeferredSecurityContext(mock(SecurityContext.class), false));
 this.spring.register(SessionManagementSecurityContextRepositoryConfig.class).autowire();
 this.mvc.perform(get("/"));
 }
diff --git a/config/src/test/java/org/springframework/security/config/http/MiscHttpConfigTests.java b/config/src/test/java/org/springframework/security/config/http/MiscHttpConfigTests.java
index b1981ad820..c8b36a0b01 100644
--- a/config/src/test/java/org/springframework/security/config/http/MiscHttpConfigTests.java
+++ b/config/src/test/java/org/springframework/security/config/http/MiscHttpConfigTests.java
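Review bot: sessionManagementWhenConfiguredThenDoesNotOverrideSecurityContextRepository in SessionManagementConfigurerTests stubs loadDeferredContext on the mock but ends right after `this.mvc.perform(get("/"));` without checking that the mock was consulted, so the test does not directly show that the configured repository was kept. I would add `verify(SessionManagementSecurityContextRepositoryConfig.SECURITY_CONTEXT_REPO).loadDeferredContext(any(HttpServletRequest.class));` after the perform call, as the matching test in SecurityContextConfigurerTests does in this same patch; this assumes Mockito's verify is already imported in the file, which the hunk does not show. The @Test annotation sits outside the hunk, while the method body is fully visible.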
@@ -68,6 +68,7 @@ import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.InsufficientAuthenticationException;
 import org.springframework.security.authentication.TestingAuthenticationToken;
 import org.springframework.security.authentication.jaas.AuthorityGranter;
+import org.springframework.security.config.TestDeferredSecurityContext;
 import org.springframework.security.config.test.SpringTestContext;
 import org.springframework.security.config.test.SpringTestContextExtension;
 import org.springframework.security.core.Authentication;
@@ -75,7 +76,6 @@ import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.annotation.AuthenticationPrincipal;
 import org.springframework.security.core.authority.AuthorityUtils;
-import org.springframework.security.core.context.DeferredSecurityContext;
 import org.springframework.security.core.context.SecurityContext;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.core.context.SecurityContextHolderStrategy;
@@ -473,7 +473,8 @@ public class MiscHttpConfigTests {
 this.spring.configLocations(xml("SecurityContextRepository")).autowire();
 SecurityContextRepository repository = this.spring.getContext().getBean(SecurityContextRepository.class);
 SecurityContext context = new SecurityContextImpl(new TestingAuthenticationToken("user", "password"));
- given(repository.loadContext(any(HttpServletRequest.class))).willReturn(() -> context);
+ given(repository.loadDeferredContext(any(HttpServletRequest.class)))
+ .willReturn(new TestDeferredSecurityContext(context, false));
 // @formatter:off
 MvcResult result = this.mvc.perform(get("/protected").with(userCredentials()))
 .andExpect(status().isOk())
@@ -1039,27 +1040,4 @@ public class MiscHttpConfigTests {
 }
- static class TestDeferredSecurityContext implements DeferredSecurityContext {
-
- private SecurityContext securityContext;
-
- private boolean isGenerated;
-
- TestDeferredSecurityContext(SecurityContext securityContext, boolean isGenerated) {
- this.securityContext = securityContext;
- this.isGenerated = isGenerated;
- }
-
- @Override
- public SecurityContext get() {
- return this.securityContext;
- }
-
- @Override
- public boolean isGenerated() {
- return this.isGenerated;
- }
-
- }
-
 }