From 4479cefade65333c1a60904a67d993b69b277206 Mon Sep 17 00:00:00 2001 From: Rob Winch Date: Fri, 30 Sep 2022 15:06:29 -0500 Subject: [PATCH] Default Require Explicit Session Management = true Closes gh-11763 --- .../SessionManagementConfigurer.java | 36 +++++++++++++++++-- .../config/http/HttpConfigurationBuilder.java | 7 ++-- .../web/configurers/DefaultFiltersTests.java | 2 -- .../NamespaceSessionManagementTests.java | 22 +++++++++--- .../SessionManagementConfigurerTests.java | 6 +++- .../http/DeferHttpSessionXmlConfigTests.java | 2 ++ .../config/http/MiscHttpConfigTests.java | 4 --- .../web/session/SessionFixationDslTests.kt | 3 ++ .../http/DeferHttpSessionTests-Explicit.xml | 1 - ...-ConcurrencyControlCustomLogoutHandler.xml | 3 +- ...ConcurrencyControlSessionRegistryAlias.xml | 3 +- ...s-ConcurrencyControlSessionRegistryRef.xml | 3 +- .../SessionManagementConfigTests-Sec1208.xml | 3 +- ...Tests-SessionAuthenticationStrategyRef.xml | 4 ++- ...essionFixationProtectionMigrateSession.xml | 4 ++- .../showcase/login/AuthenticationTests.java | 25 ++++++++++--- ...tractPreAuthenticatedProcessingFilter.java | 4 +-- .../RememberMeAuthenticationFilter.java | 4 +-- ...PreAuthenticatedProcessingFilterTests.java | 3 -- .../RememberMeAuthenticationFilterTests.java | 5 --- 20 files changed, 105 insertions(+), 39 deletions(-) diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurer.java index 952136c1c6a..e446719d061 100644 --- a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurer.java +++ b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurer.java 
@@ -18,7 +18,9 @@ import java.util.ArrayList; import java.util.Arrays; +import java.util.HashSet; import java.util.List; +import java.util.Set; import jakarta.servlet.http.HttpServletResponse; import jakarta.servlet.http.HttpSession; @@ -135,7 +137,9 @@ public final class SessionManagementConfigurer> private AuthenticationFailureHandler sessionAuthenticationFailureHandler; - private boolean requireExplicitAuthenticationStrategy; + private Set propertiesThatRequireImplicitAuthentication = new HashSet<>(); + + private Boolean requireExplicitAuthenticationStrategy; /** * Creates a new instance @@ -154,6 +158,7 @@ public SessionManagementConfigurer() { */ public SessionManagementConfigurer invalidSessionUrl(String invalidSessionUrl) { this.invalidSessionUrl = invalidSessionUrl; + this.propertiesThatRequireImplicitAuthentication.add("invalidSessionUrl = " + invalidSessionUrl); return this; } @@ -181,6 +186,7 @@ public SessionManagementConfigurer requireExplicitAuthenticationStrategy( public SessionManagementConfigurer invalidSessionStrategy(InvalidSessionStrategy invalidSessionStrategy) { Assert.notNull(invalidSessionStrategy, "invalidSessionStrategy"); this.invalidSessionStrategy = invalidSessionStrategy; + this.propertiesThatRequireImplicitAuthentication.add("invalidSessionStrategy = " + invalidSessionStrategy); return this; } @@ -195,6 +201,8 @@ public SessionManagementConfigurer invalidSessionStrategy(InvalidSessionStrat */ public SessionManagementConfigurer sessionAuthenticationErrorUrl(String sessionAuthenticationErrorUrl) { this.sessionAuthenticationErrorUrl = sessionAuthenticationErrorUrl; + this.propertiesThatRequireImplicitAuthentication + .add("sessionAuthenticationErrorUrl = " + sessionAuthenticationErrorUrl); return this; } 
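Review bot: The field hunk turns `requireExplicitAuthenticationStrategy` into a tri-state `Boolean` (null meaning "not configured") and introduces `propertiesThatRequireImplicitAuthentication` as the only record of why a setter forces the filter, yet neither field carries a comment. I would add `// null until requireExplicitAuthenticationStrategy(boolean) is called; the effective value is then derived from propertiesThatRequireImplicitAuthentication` on the Boolean and `// "name = value" entries for each configured property that needs SessionManagementFilter; drives the default and the error message` on the set. Note that the set accumulates, so calling the same setter twice records both values; that is harmless for a message but worth knowing. The set's type argument appears to have been lost in this rendering; if the field really is a raw `Set`, declare it as `Set<String>`.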
@@ -210,6 +218,8 @@ public SessionManagementConfigurer sessionAuthenticationErrorUrl(String sessi public SessionManagementConfigurer sessionAuthenticationFailureHandler( AuthenticationFailureHandler sessionAuthenticationFailureHandler) { this.sessionAuthenticationFailureHandler = sessionAuthenticationFailureHandler; + this.propertiesThatRequireImplicitAuthentication + .add("sessionAuthenticationFailureHandler = " + sessionAuthenticationFailureHandler); return this; } @@ -245,6 +255,7 @@ public SessionManagementConfigurer enableSessionUrlRewriting(boolean enableSe public SessionManagementConfigurer sessionCreationPolicy(SessionCreationPolicy sessionCreationPolicy) { Assert.notNull(sessionCreationPolicy, "sessionCreationPolicy cannot be null"); this.sessionPolicy = sessionCreationPolicy; + this.propertiesThatRequireImplicitAuthentication.add("sessionCreationPolicy = " + sessionCreationPolicy); return this; } @@ -266,6 +277,8 @@ public SessionManagementConfigurer sessionCreationPolicy(SessionCreationPolic public SessionManagementConfigurer sessionAuthenticationStrategy( SessionAuthenticationStrategy sessionAuthenticationStrategy) { this.providedSessionAuthenticationStrategy = sessionAuthenticationStrategy; + this.propertiesThatRequireImplicitAuthentication + .add("sessionAuthenticationStrategy = " + sessionAuthenticationStrategy); return this; } @@ -309,6 +322,7 @@ public SessionManagementConfigurer sessionFixation( */ public ConcurrencyControlConfigurer maximumSessions(int maximumSessions) { this.maximumSessions = maximumSessions; + this.propertiesThatRequireImplicitAuthentication.add("maximumSessions = " + maximumSessions); return new ConcurrencyControlConfigurer(); } 
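Review bot: Each setter in these hunks (and in the invalidSessionUrl, invalidSessionStrategy and sessionAuthenticationErrorUrl hunks on the previous line) repeats the same `propertiesThatRequireImplicitAuthentication.add("name = " + value)` line, some split across two lines by the formatter; a small private helper such as `private void requireImplicitAuthenticationStrategy(String property, Object value) { this.propertiesThatRequireImplicitAuthentication.add(property + " = " + value); }` would keep the naming consistent and make the call sites one line each. The `sessionCreationPolicy` add() records the property for every policy value, and it is not obvious from here that every value needs the filter; a user who sets a policy together with `requireExplicitAuthenticationStrategy(true)` will now hit the IllegalStateException introduced in the later hunk, so a one-line comment on that add() stating why the filter is required would help the next reader. Each enclosing setter's Javadoc starts outside these hunks and should mention that calling the method implicitly registers SessionManagementFilter.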
@@ -384,8 +398,26 @@ public void configure(H http) { } } + private boolean shouldRequireExplicitAuthenticationStrategy() { + boolean defaultRequireExplicitAuthenticationStrategy = this.propertiesThatRequireImplicitAuthentication + .isEmpty(); + if (this.requireExplicitAuthenticationStrategy == null) { + // explicit is not set, use default + return defaultRequireExplicitAuthenticationStrategy; + } + if (this.requireExplicitAuthenticationStrategy && !defaultRequireExplicitAuthenticationStrategy) { + // explicit disabled and implicit requires it + throw new IllegalStateException( + "Invalid configuration that explicitly sets requireExplicitAuthenticationStrategy to " + + this.requireExplicitAuthenticationStrategy + + " but implicitly requires it due to the following properties being set: " + + this.propertiesThatRequireImplicitAuthentication); + } + return this.requireExplicitAuthenticationStrategy; + } + private SessionManagementFilter createSessionManagementFilter(H http) { - if (this.requireExplicitAuthenticationStrategy) { + if (shouldRequireExplicitAuthenticationStrategy()) { return null; } SecurityContextRepository securityContextRepository = http.getSharedObject(SecurityContextRepository.class); diff --git a/config/src/main/java/org/springframework/security/config/http/HttpConfigurationBuilder.java b/config/src/main/java/org/springframework/security/config/http/HttpConfigurationBuilder.java index c38c4c43eb9..1f642ea1eac 100644 --- a/config/src/main/java/org/springframework/security/config/http/HttpConfigurationBuilder.java +++ b/config/src/main/java/org/springframework/security/config/http/HttpConfigurationBuilder.java 
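Review bot: The comment `// explicit disabled and implicit requires it` in shouldRequireExplicitAuthenticationStrategy inverts the condition above it: that branch is entered when `requireExplicitAuthenticationStrategy` is true (the caller asked for explicit invocation) while a configured property implies the filter is needed. Replace it with `// caller asked for explicit invocation, but a configured property needs SessionManagementFilter`. The method also deserves a short Javadoc stating the resolution order (explicit setting wins, otherwise true unless a listed property was set) and documenting `@throws IllegalStateException` for the conflicting case, since it is the only place the new default is decided. createSessionManagementFilter's body continues outside the hunk.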
@@ -539,9 +539,10 @@ else if (StringUtils.hasText(invalidSessionStrategyRef)) { sessionMgmtFilter.addPropertyReference("invalidSessionStrategy", invalidSessionStrategyRef); } sessionMgmtFilter.addConstructorArgReference(sessionAuthStratRef); - boolean registerSessionMgmtFilter = (sessionMgmtElt == null - || !"true".equals(sessionMgmtElt.getAttribute(ATT_AUTHENTICATION_STRATEGY_EXPLICIT_INVOCATION))); - if (registerSessionMgmtFilter) { + boolean registerSessionMgmtFilter = (sessionMgmtElt != null + && "false".equals(sessionMgmtElt.getAttribute(ATT_AUTHENTICATION_STRATEGY_EXPLICIT_INVOCATION))); + if (registerSessionMgmtFilter || StringUtils.hasText(errorUrl) || StringUtils.hasText(invalidSessionUrl) + || StringUtils.hasText(invalidSessionStrategyRef)) { this.sfpf = (RootBeanDefinition) sessionMgmtFilter.getBeanDefinition(); } this.sessionStrategyRef = new RuntimeBeanReference(sessionAuthStratRef); diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/DefaultFiltersTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/DefaultFiltersTests.java index 95dcbac127f..fe6401d91b3 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/DefaultFiltersTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/DefaultFiltersTests.java @@ -58,7 +58,6 @@ import org.springframework.security.web.header.HeaderWriterFilter; import org.springframework.security.web.savedrequest.RequestCacheAwareFilter; import org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter; -import org.springframework.security.web.session.SessionManagementFilter; import org.springframework.security.web.util.matcher.AnyRequestMatcher; import static org.assertj.core.api.Assertions.assertThat; 
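Review bot: The XML path resolves a conflict differently from the Java configurer: when `authentication-strategy-explicit-invocation` is "true" and an error-url, invalid-session-url or invalid-session-strategy-ref is also present, this branch still registers the filter silently, whereas the Java side throws an IllegalStateException for the same combination. It also seems to treat only those three attributes as implicit reasons, while the Java configurer also counts maximum sessions, a session authentication strategy and the creation policy; the concurrency-control XML test resources touched by this commit suggest that gap is known, but it should be documented or reported as a parser error rather than left to diverge. The local `registerSessionMgmtFilter` now only captures the explicit="false" case, so a name like `explicitInvocationDisabled` would read better given the widened condition on the next line. The enclosing method starts and ends outside the hunk.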
@@ -112,7 +111,6 @@ public void filterChainProxyBuilderIgnoringResources() { assertThat(classes.contains(RequestCacheAwareFilter.class)).isTrue(); assertThat(classes.contains(SecurityContextHolderAwareRequestFilter.class)).isTrue(); assertThat(classes.contains(AnonymousAuthenticationFilter.class)).isTrue(); - assertThat(classes.contains(SessionManagementFilter.class)).isTrue(); assertThat(classes.contains(ExceptionTranslationFilter.class)).isTrue(); assertThat(classes.contains(FilterSecurityInterceptor.class)).isTrue(); } diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceSessionManagementTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceSessionManagementTests.java index 9396a2a072d..313835a6b05 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceSessionManagementTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/NamespaceSessionManagementTests.java @@ -258,6 +258,17 @@ private static SessionResultMatcher session() { @EnableWebSecurity static class SessionManagementConfig extends WebSecurityConfigurerAdapter { + @Override + protected void configure(HttpSecurity http) throws Exception { + // @formatter:off + super.configure(http); + http + .sessionManagement((sessions) -> sessions + .requireExplicitAuthenticationStrategy(false) + ); + // @formatter:on + } + } @Configuration @@ -364,6 +375,7 @@ protected void configure(HttpSecurity http) throws Exception { // @formatter:off http .sessionManagement() + .requireExplicitAuthenticationStrategy(false) .and() .httpBasic(); // @formatter:on 
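Review bot: The NamespaceSessionManagementTests hunks (and the SessionManagementConfigurerTests and Kotlin DSL hunks on the following lines) opt existing tests out of the new default with `requireExplicitAuthenticationStrategy(false)`, but nothing in the diff pins the new behaviour itself. The DefaultFiltersTests assertion above was deleted rather than inverted; keeping it as `assertThat(classes.contains(SessionManagementFilter.class)).isFalse();` would document that the filter is absent by default. A test that configures `requireExplicitAuthenticationStrategy(true)` together with one of the implicit-requirement setters and expects an IllegalStateException would cover the conflict branch added in SessionManagementConfigurer. Similarly, the removed `verify(repository, atLeastOnce()).saveContext(...)` in MiscHttpConfigTests leaves that test verifying nothing about the custom repository despite its name.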
@@ -379,8 +391,9 @@ static class SFPPostProcessedConfig extends WebSecurityConfigurerAdapter { protected void configure(HttpSecurity http) throws Exception { // @formatter:off http - .sessionManagement() - .and() + .sessionManagement((sessions) -> sessions + .requireExplicitAuthenticationStrategy(false) + ) .httpBasic(); // @formatter:on } @@ -400,9 +413,10 @@ static class SFPNewSessionSessionManagementConfig extends WebSecurityConfigurerA protected void configure(HttpSecurity http) throws Exception { // @formatter:off http - .sessionManagement() + .sessionManagement((sessions) -> sessions .sessionFixation().newSession() - .and() + .requireExplicitAuthenticationStrategy(false) + ) .httpBasic(); // @formatter:on } diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurerTests.java index b700c453172..133b47d0ba3 100644 --- a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurerTests.java +++ b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/SessionManagementConfigurerTests.java @@ -451,6 +451,7 @@ protected void configure(HttpSecurity http) throws Exception { http .sessionManagement((sessionManagement) -> sessionManagement + .requireExplicitAuthenticationStrategy(false) .sessionFixation((sessionFixation) -> sessionFixation.newSession() ) @@ -583,9 +584,12 @@ static class SharedTrustResolverConfig extends WebSecurityConfigurerAdapter { static AuthenticationTrustResolver TR; @Override - protected void configure(HttpSecurity http) { + protected void configure(HttpSecurity http) throws Exception { // @formatter:off http + .sessionManagement((sessions) -> sessions + .requireExplicitAuthenticationStrategy(false) + ) .setSharedObject(AuthenticationTrustResolver.class, TR); // @formatter:on } 
diff --git a/config/src/test/java/org/springframework/security/config/http/DeferHttpSessionXmlConfigTests.java b/config/src/test/java/org/springframework/security/config/http/DeferHttpSessionXmlConfigTests.java index f530dfa73a6..b664d37088a 100644 --- a/config/src/test/java/org/springframework/security/config/http/DeferHttpSessionXmlConfigTests.java +++ b/config/src/test/java/org/springframework/security/config/http/DeferHttpSessionXmlConfigTests.java @@ -60,6 +60,8 @@ public void explicitDeferHttpSession() throws Exception { this.springSecurityFilterChain.doFilter(mockRequest, response, chain); + verify(mockRequest, never()).isRequestedSessionIdValid(); + verify(mockRequest, never()).changeSessionId(); verify(mockRequest, never()).getSession(anyBoolean()); verify(mockRequest, never()).getSession(); } diff --git a/config/src/test/java/org/springframework/security/config/http/MiscHttpConfigTests.java b/config/src/test/java/org/springframework/security/config/http/MiscHttpConfigTests.java index dfbeee75a56..c1109f88ef9 100644 --- a/config/src/test/java/org/springframework/security/config/http/MiscHttpConfigTests.java +++ b/config/src/test/java/org/springframework/security/config/http/MiscHttpConfigTests.java @@ -106,7 +106,6 @@ import org.springframework.security.web.savedrequest.RequestCacheAwareFilter; import org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter; import org.springframework.security.web.session.DisableEncodeUrlFilter; -import org.springframework.security.web.session.SessionManagementFilter; import org.springframework.test.web.servlet.MockMvc; import org.springframework.test.web.servlet.MvcResult; import org.springframework.test.web.servlet.request.MockHttpServletRequestBuilder; 
@@ -479,8 +478,6 @@ public void getWhenAuthenticatingThenConsultsCustomSecurityContextRepository() t .andReturn(); // @formatter:on assertThat(result.getRequest().getSession(false)).isNotNull(); - verify(repository, atLeastOnce()).saveContext(any(SecurityContext.class), any(HttpServletRequest.class), - any(HttpServletResponse.class)); } @Test @@ -851,7 +848,6 @@ private void assertThatFiltersMatchExpectedAutoConfigList(String url) { assertThat(filters.next()).isInstanceOf(RequestCacheAwareFilter.class); assertThat(filters.next()).isInstanceOf(SecurityContextHolderAwareRequestFilter.class); assertThat(filters.next()).isInstanceOf(AnonymousAuthenticationFilter.class); - assertThat(filters.next()).isInstanceOf(SessionManagementFilter.class); assertThat(filters.next()).isInstanceOf(ExceptionTranslationFilter.class); assertThat(filters.next()).isInstanceOf(FilterSecurityInterceptor.class) .hasFieldOrPropertyWithValue("observeOncePerRequest", false); diff --git a/config/src/test/kotlin/org/springframework/security/config/annotation/web/session/SessionFixationDslTests.kt b/config/src/test/kotlin/org/springframework/security/config/annotation/web/session/SessionFixationDslTests.kt index d0d468e931b..46657d810fe 100644 --- a/config/src/test/kotlin/org/springframework/security/config/annotation/web/session/SessionFixationDslTests.kt +++ b/config/src/test/kotlin/org/springframework/security/config/annotation/web/session/SessionFixationDslTests.kt @@ -75,6 +75,7 @@ class SessionFixationDslTests { open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain { http { sessionManagement { + requireExplicitAuthenticationStrategy = false sessionFixation { newSession() } @@ -111,6 +112,7 @@ class SessionFixationDslTests { open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain { http { sessionManagement { + requireExplicitAuthenticationStrategy = false sessionFixation { migrateSession() } 
@@ -147,6 +149,7 @@ class SessionFixationDslTests { open fun securityFilterChain(http: HttpSecurity): SecurityFilterChain { http { sessionManagement { + requireExplicitAuthenticationStrategy = false sessionFixation { changeSessionId() } diff --git a/config/src/test/resources/org/springframework/security/config/http/DeferHttpSessionTests-Explicit.xml b/config/src/test/resources/org/springframework/security/config/http/DeferHttpSessionTests-Explicit.xml index 3852a53c3a3..121cd50219f 100644 --- a/config/src/test/resources/org/springframework/security/config/http/DeferHttpSessionTests-Explicit.xml +++ b/config/src/test/resources/org/springframework/security/config/http/DeferHttpSessionTests-Explicit.xml @@ -29,7 +29,6 @@ - diff --git a/config/src/test/resources/org/springframework/security/config/http/SessionManagementConfigTests-ConcurrencyControlCustomLogoutHandler.xml b/config/src/test/resources/org/springframework/security/config/http/SessionManagementConfigTests-ConcurrencyControlCustomLogoutHandler.xml index f53146be588..391d7bc6e30 100644 --- a/config/src/test/resources/org/springframework/security/config/http/SessionManagementConfigTests-ConcurrencyControlCustomLogoutHandler.xml +++ b/config/src/test/resources/org/springframework/security/config/http/SessionManagementConfigTests-ConcurrencyControlCustomLogoutHandler.xml @@ -25,7 +25,8 @@ https://www.springframework.org/schema/beans/spring-beans.xsd"> - + diff --git a/config/src/test/resources/org/springframework/security/config/http/SessionManagementConfigTests-ConcurrencyControlSessionRegistryAlias.xml b/config/src/test/resources/org/springframework/security/config/http/SessionManagementConfigTests-ConcurrencyControlSessionRegistryAlias.xml index b287674c2b3..71df204ab17 100644 --- a/config/src/test/resources/org/springframework/security/config/http/SessionManagementConfigTests-ConcurrencyControlSessionRegistryAlias.xml 
+++ b/config/src/test/resources/org/springframework/security/config/http/SessionManagementConfigTests-ConcurrencyControlSessionRegistryAlias.xml @@ -25,7 +25,8 @@ https://www.springframework.org/schema/beans/spring-beans.xsd"> - + diff --git a/config/src/test/resources/org/springframework/security/config/http/SessionManagementConfigTests-ConcurrencyControlSessionRegistryRef.xml b/config/src/test/resources/org/springframework/security/config/http/SessionManagementConfigTests-ConcurrencyControlSessionRegistryRef.xml index a5996afb9cd..e18e911d78d 100644 --- a/config/src/test/resources/org/springframework/security/config/http/SessionManagementConfigTests-ConcurrencyControlSessionRegistryRef.xml +++ b/config/src/test/resources/org/springframework/security/config/http/SessionManagementConfigTests-ConcurrencyControlSessionRegistryRef.xml @@ -25,7 +25,8 @@ https://www.springframework.org/schema/beans/spring-beans.xsd"> - + diff --git a/config/src/test/resources/org/springframework/security/config/http/SessionManagementConfigTests-Sec1208.xml b/config/src/test/resources/org/springframework/security/config/http/SessionManagementConfigTests-Sec1208.xml index 9b9f50ce16a..c4608cde009 100644 --- a/config/src/test/resources/org/springframework/security/config/http/SessionManagementConfigTests-Sec1208.xml +++ b/config/src/test/resources/org/springframework/security/config/http/SessionManagementConfigTests-Sec1208.xml @@ -26,7 +26,8 @@ - + diff --git a/config/src/test/resources/org/springframework/security/config/http/SessionManagementConfigTests-SessionAuthenticationStrategyRef.xml b/config/src/test/resources/org/springframework/security/config/http/SessionManagementConfigTests-SessionAuthenticationStrategyRef.xml index 52331611f37..d2da1d052a2 100644 --- a/config/src/test/resources/org/springframework/security/config/http/SessionManagementConfigTests-SessionAuthenticationStrategyRef.xml 
+++ b/config/src/test/resources/org/springframework/security/config/http/SessionManagementConfigTests-SessionAuthenticationStrategyRef.xml @@ -26,7 +26,9 @@ - + - + requests + .anyRequest().authenticated() + ) + .sessionManagement((sessions) -> sessions + .requireExplicitAuthenticationStrategy(false) + ) + .httpBasic(withDefaults()) + .formLogin(withDefaults()); + // @formatter:on + return http.build(); + } + + @Bean + UserDetailsService userDetailsService() { // @formatter:off UserDetails user = User.withDefaultPasswordEncoder().username("user").password("password").roles("USER").build(); return new InMemoryUserDetailsManager(user); diff --git a/web/src/main/java/org/springframework/security/web/authentication/preauth/AbstractPreAuthenticatedProcessingFilter.java b/web/src/main/java/org/springframework/security/web/authentication/preauth/AbstractPreAuthenticatedProcessingFilter.java index 8f15f704227..d2e24a28b08 100755 --- a/web/src/main/java/org/springframework/security/web/authentication/preauth/AbstractPreAuthenticatedProcessingFilter.java +++ b/web/src/main/java/org/springframework/security/web/authentication/preauth/AbstractPreAuthenticatedProcessingFilter.java @@ -41,7 +41,7 @@ import org.springframework.security.web.authentication.AuthenticationFailureHandler; import org.springframework.security.web.authentication.AuthenticationSuccessHandler; import org.springframework.security.web.authentication.WebAuthenticationDetailsSource; -import org.springframework.security.web.context.RequestAttributeSecurityContextRepository; +import org.springframework.security.web.context.HttpSessionSecurityContextRepository; import org.springframework.security.web.context.SecurityContextRepository; import org.springframework.security.web.util.matcher.RequestMatcher; import org.springframework.util.Assert; 
@@ -110,7 +110,7 @@ public abstract class AbstractPreAuthenticatedProcessingFilter extends GenericFi private RequestMatcher requiresAuthenticationRequestMatcher = new PreAuthenticatedProcessingRequestMatcher(); - private SecurityContextRepository securityContextRepository = new RequestAttributeSecurityContextRepository(); + private SecurityContextRepository securityContextRepository = new HttpSessionSecurityContextRepository(); /** * Check whether all required properties have been set. diff --git a/web/src/main/java/org/springframework/security/web/authentication/rememberme/RememberMeAuthenticationFilter.java b/web/src/main/java/org/springframework/security/web/authentication/rememberme/RememberMeAuthenticationFilter.java index b74f7a44458..147c325b3ba 100644 --- a/web/src/main/java/org/springframework/security/web/authentication/rememberme/RememberMeAuthenticationFilter.java +++ b/web/src/main/java/org/springframework/security/web/authentication/rememberme/RememberMeAuthenticationFilter.java @@ -37,7 +37,7 @@ import org.springframework.security.core.context.SecurityContextHolderStrategy; import org.springframework.security.web.authentication.AuthenticationSuccessHandler; import org.springframework.security.web.authentication.RememberMeServices; -import org.springframework.security.web.context.RequestAttributeSecurityContextRepository; +import org.springframework.security.web.context.HttpSessionSecurityContextRepository; import org.springframework.security.web.context.SecurityContextRepository; import org.springframework.util.Assert; import org.springframework.web.filter.GenericFilterBean; 
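Review bot: Switching the default to `HttpSessionSecurityContextRepository` means AbstractPreAuthenticatedProcessingFilter now writes the authenticated context into the HttpSession itself on every pre-authenticated request, since the SessionManagementFilter that previously did so is no longer registered by default; the RememberMeAuthenticationFilter hunk on the next line makes the same change. Nothing in the hunk shows a SessionAuthenticationStrategy being applied before that save, so if this filter has none the context is stored under whatever session id the client presented; this is worth confirming explicitly, because session-fixation handling for these paths previously came from the now-optional filter. The class Javadoc and the repository setter documentation (outside the hunk) should state the new default and that deployments wanting request-scoped persistence must configure `RequestAttributeSecurityContextRepository` themselves. The test hunks further down drop the request-attribute assertions without a replacement; asserting the new behaviour, e.g. `assertThat(request.getSession(false)).isNotNull();`, would keep the tests meaningful.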
@@ -79,7 +79,7 @@ public class RememberMeAuthenticationFilter extends GenericFilterBean implements private RememberMeServices rememberMeServices; - private SecurityContextRepository securityContextRepository = new RequestAttributeSecurityContextRepository(); + private SecurityContextRepository securityContextRepository = new HttpSessionSecurityContextRepository(); public RememberMeAuthenticationFilter(AuthenticationManager authenticationManager, RememberMeServices rememberMeServices) { diff --git a/web/src/test/java/org/springframework/security/web/authentication/preauth/AbstractPreAuthenticatedProcessingFilterTests.java b/web/src/test/java/org/springframework/security/web/authentication/preauth/AbstractPreAuthenticatedProcessingFilterTests.java index d594e3aba4d..4b5482db84d 100644 --- a/web/src/test/java/org/springframework/security/web/authentication/preauth/AbstractPreAuthenticatedProcessingFilterTests.java +++ b/web/src/test/java/org/springframework/security/web/authentication/preauth/AbstractPreAuthenticatedProcessingFilterTests.java @@ -40,7 +40,6 @@ import org.springframework.security.web.WebAttributes; import org.springframework.security.web.authentication.ForwardAuthenticationFailureHandler; import org.springframework.security.web.authentication.ForwardAuthenticationSuccessHandler; -import org.springframework.security.web.context.RequestAttributeSecurityContextRepository; import org.springframework.security.web.context.SecurityContextRepository; import org.springframework.security.web.util.matcher.AntPathRequestMatcher; @@ -212,8 +211,6 @@ public void callsAuthenticationSuccessHandlerOnSuccessfulAuthentication() throws filter.doFilter(request, response, chain); verify(am).authenticate(any(PreAuthenticatedAuthenticationToken.class)); assertThat(response.getForwardedUrl()).isEqualTo("/forwardUrl"); - assertThat(request.getAttribute(RequestAttributeSecurityContextRepository.DEFAULT_REQUEST_ATTR_NAME)) - .isNotNull(); } @Test 
diff --git a/web/src/test/java/org/springframework/security/web/authentication/rememberme/RememberMeAuthenticationFilterTests.java b/web/src/test/java/org/springframework/security/web/authentication/rememberme/RememberMeAuthenticationFilterTests.java index 1ce3d571398..664e2e1849c 100644 --- a/web/src/test/java/org/springframework/security/web/authentication/rememberme/RememberMeAuthenticationFilterTests.java +++ b/web/src/test/java/org/springframework/security/web/authentication/rememberme/RememberMeAuthenticationFilterTests.java @@ -35,7 +35,6 @@ import org.springframework.security.web.authentication.NullRememberMeServices; import org.springframework.security.web.authentication.RememberMeServices; import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler; -import org.springframework.security.web.context.RequestAttributeSecurityContextRepository; import org.springframework.security.web.context.SecurityContextRepository; import static org.assertj.core.api.Assertions.assertThat; @@ -110,8 +109,6 @@ public void testOperationWhenNoAuthenticationInContextHolder() throws Exception filter.doFilter(request, new MockHttpServletResponse(), fc); // Ensure filter setup with our remembered authentication object assertThat(SecurityContextHolder.getContext().getAuthentication()).isSameAs(this.remembered); - assertThat(request.getAttribute(RequestAttributeSecurityContextRepository.DEFAULT_REQUEST_ATTR_NAME)) - .isNotNull(); verify(fc).doFilter(any(HttpServletRequest.class), any(HttpServletResponse.class)); } 
@@ -152,8 +149,6 @@ public void authenticationSuccessHandlerIsInvokedOnSuccessfulAuthenticationIfSet request.setRequestURI("x"); filter.doFilter(request, response, fc); assertThat(response.getRedirectedUrl()).isEqualTo("/target"); - assertThat(request.getAttribute(RequestAttributeSecurityContextRepository.DEFAULT_REQUEST_ATTR_NAME)) - .isNotNull(); // Should return after success handler is invoked, so chain should not proceed verifyNoMoreInteractions(fc); }