Pick up SecurityContextHolderStrategy Bean

config/src/main/java/org/springframework/security/config/annotation/authentication/builders/AuthenticationManagerBuilder.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2013 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -37,6 +37,8 @@
 import org.springframework.security.config.annotation.authentication.configurers.userdetails.DaoAuthenticationConfigurer;
 import org.springframework.security.config.annotation.authentication.configurers.userdetails.UserDetailsAwareConfigurer;
 import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.core.context.SecurityContextHolderStrategy;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.util.Assert;
 
@@ -55,6 +57,9 @@ public class AuthenticationManagerBuilder
 
 	private final Log logger = LogFactory.getLog(getClass());
 
+	private SecurityContextHolderStrategy securityContextHolderStrategy = SecurityContextHolder
+			.getContextHolderStrategy();
+
 	private AuthenticationManager parentAuthenticationManager;
 
 	private List<AuthenticationProvider> authenticationProviders = new ArrayList<>();
@@ -73,6 +78,11 @@ public AuthenticationManagerBuilder(ObjectPostProcessor<Object> objectPostProces
 		super(objectPostProcessor, true);
 	}
 
+	public AuthenticationManagerBuilder securityContextHolderStrategy(SecurityContextHolderStrategy strategy) {
+		this.securityContextHolderStrategy = strategy;
+		return this;
+	}
+
 	/**
 	 * Allows providing a parent {@link AuthenticationManager} that will be tried if this
 	 * {@link AuthenticationManager} was unable to attempt to authenticate the provided
@@ -129,7 +139,8 @@ public AuthenticationManagerBuilder eraseCredentials(boolean eraseCredentials) {
 	 */
 	public InMemoryUserDetailsManagerConfigurer<AuthenticationManagerBuilder> inMemoryAuthentication()
 			throws Exception {
-		return apply(new InMemoryUserDetailsManagerConfigurer<>());
+		return apply(new InMemoryUserDetailsManagerConfigurer<>())
+				.securityContextHolderStrategy(this.securityContextHolderStrategy);
 	}
 
 	/**
@@ -157,7 +168,8 @@ public InMemoryUserDetailsManagerConfigurer<AuthenticationManagerBuilder> inMemo
 	 * @throws Exception if an error occurs when adding the JDBC authentication
 	 */
 	public JdbcUserDetailsManagerConfigurer<AuthenticationManagerBuilder> jdbcAuthentication() throws Exception {
-		return apply(new JdbcUserDetailsManagerConfigurer<>());
+		return apply(new JdbcUserDetailsManagerConfigurer<>())
+				.securityContextHolderStrategy(this.securityContextHolderStrategy);
 	}
 
 	/**

config/src/main/java/org/springframework/security/config/annotation/authentication/configurers/provisioning/InMemoryUserDetailsManagerConfigurer.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2013 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -19,6 +19,7 @@
 import java.util.ArrayList;
 
 import org.springframework.security.config.annotation.authentication.ProviderManagerBuilder;
+import org.springframework.security.core.context.SecurityContextHolderStrategy;
 import org.springframework.security.provisioning.InMemoryUserDetailsManager;
 
 /**
@@ -41,4 +42,11 @@ public InMemoryUserDetailsManagerConfigurer() {
 		super(new InMemoryUserDetailsManager(new ArrayList<>()));
 	}
 
+	public InMemoryUserDetailsManagerConfigurer<B> securityContextHolderStrategy(
+			SecurityContextHolderStrategy strategy) {
+		InMemoryUserDetailsManager userDetailsService = (InMemoryUserDetailsManager) getUserDetailsService();
+		userDetailsService.setSecurityContextHolderStrategy(strategy);
+		return this;
+	}
+
 }

config/src/main/java/org/springframework/security/config/annotation/authentication/configurers/provisioning/JdbcUserDetailsManagerConfigurer.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2013 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -27,6 +27,7 @@
 import org.springframework.jdbc.datasource.init.DatabasePopulator;
 import org.springframework.jdbc.datasource.init.ResourceDatabasePopulator;
 import org.springframework.security.config.annotation.authentication.ProviderManagerBuilder;
+import org.springframework.security.core.context.SecurityContextHolderStrategy;
 import org.springframework.security.core.userdetails.UserCache;
 import org.springframework.security.provisioning.JdbcUserDetailsManager;
 
@@ -59,6 +60,12 @@ public JdbcUserDetailsManagerConfigurer() {
 		this(new JdbcUserDetailsManager());
 	}
 
+	public JdbcUserDetailsManagerConfigurer<B> securityContextHolderStrategy(SecurityContextHolderStrategy strategy) {
+		JdbcUserDetailsManager userDetailsService = getUserDetailsService();
+		userDetailsService.setSecurityContextHolderStrategy(strategy);
+		return this;
+	}
+
 	/**
 	 * Populates the {@link DataSource} to be used. This is the only required attribute.
 	 * @param dataSource the {@link DataSource} to be used. Cannot be null.

config/src/main/java/org/springframework/security/config/annotation/method/configuration/GlobalMethodSecurityConfiguration.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2021 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -73,6 +73,8 @@
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
 import org.springframework.security.config.core.GrantedAuthorityDefaults;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.core.context.SecurityContextHolderStrategy;
 import org.springframework.util.Assert;
 
 /**
@@ -101,6 +103,9 @@ public <T> T postProcess(T object) {
 
 	};
 
+	private SecurityContextHolderStrategy securityContextHolderStrategy = SecurityContextHolder
+			.getContextHolderStrategy();
+
 	private DefaultMethodSecurityExpressionHandler defaultMethodExpressionHandler = new DefaultMethodSecurityExpressionHandler();
 
 	private AuthenticationManager authenticationManager;
@@ -143,6 +148,7 @@ public MethodInterceptor methodSecurityInterceptor(MethodSecurityMetadataSource
 		this.methodSecurityInterceptor.setAccessDecisionManager(accessDecisionManager());
 		this.methodSecurityInterceptor.setAfterInvocationManager(afterInvocationManager());
 		this.methodSecurityInterceptor.setSecurityMetadataSource(methodSecurityMetadataSource);
+		this.methodSecurityInterceptor.setSecurityContextHolderStrategy(this.securityContextHolderStrategy);
 		RunAsManager runAsManager = runAsManager();
 		if (runAsManager != null) {
 			this.methodSecurityInterceptor.setRunAsManager(runAsManager);
@@ -411,6 +417,12 @@ public void setMethodSecurityExpressionHandler(List<MethodSecurityExpressionHand
 		this.expressionHandler = handlers.get(0);
 	}
 
+	@Autowired(required = false)
+	void setSecurityContextHolderStrategy(SecurityContextHolderStrategy securityContextHolderStrategy) {
+		Assert.notNull(securityContextHolderStrategy, "securityContextHolderStrategy cannot be null");
+		this.securityContextHolderStrategy = securityContextHolderStrategy;
+	}
+
 	@Override
 	public void setBeanFactory(BeanFactory beanFactory) throws BeansException {
 		this.context = beanFactory;

config/src/main/java/org/springframework/security/config/annotation/method/configuration/Jsr250MethodSecurityConfiguration.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2021 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -25,6 +25,8 @@
 import org.springframework.security.authorization.method.AuthorizationManagerBeforeMethodInterceptor;
 import org.springframework.security.authorization.method.Jsr250AuthorizationManager;
 import org.springframework.security.config.core.GrantedAuthorityDefaults;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.core.context.SecurityContextHolderStrategy;
 
 /**
  * {@link Configuration} for enabling JSR-250 Spring Security Method Security.
@@ -40,15 +42,26 @@ final class Jsr250MethodSecurityConfiguration {
 
 	private final Jsr250AuthorizationManager jsr250AuthorizationManager = new Jsr250AuthorizationManager();
 
+	private SecurityContextHolderStrategy securityContextHolderStrategy = SecurityContextHolder
+			.getContextHolderStrategy();
+
 	@Bean
 	@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
 	Advisor jsr250AuthorizationMethodInterceptor() {
-		return AuthorizationManagerBeforeMethodInterceptor.jsr250(this.jsr250AuthorizationManager);
+		AuthorizationManagerBeforeMethodInterceptor interceptor = AuthorizationManagerBeforeMethodInterceptor
+				.jsr250(this.jsr250AuthorizationManager);
+		interceptor.setSecurityContextHolderStrategy(this.securityContextHolderStrategy);
+		return interceptor;
 	}
 
 	@Autowired(required = false)
 	void setGrantedAuthorityDefaults(GrantedAuthorityDefaults grantedAuthorityDefaults) {
 		this.jsr250AuthorizationManager.setRolePrefix(grantedAuthorityDefaults.getRolePrefix());
 	}
 
+	@Autowired(required = false)
+	void setSecurityContextHolderStrategy(SecurityContextHolderStrategy securityContextHolderStrategy) {
+		this.securityContextHolderStrategy = securityContextHolderStrategy;
+	}
+
 }

config/src/main/java/org/springframework/security/config/annotation/method/configuration/PrePostMethodSecurityConfiguration.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2021 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -34,6 +34,7 @@
 import org.springframework.security.authorization.method.PreAuthorizeAuthorizationManager;
 import org.springframework.security.authorization.method.PreFilterAuthorizationMethodInterceptor;
 import org.springframework.security.config.core.GrantedAuthorityDefaults;
+import org.springframework.security.core.context.SecurityContextHolderStrategy;
 
 /**
  * Base {@link Configuration} for enabling Spring Security Method Security.
@@ -49,61 +50,69 @@ final class PrePostMethodSecurityConfiguration implements ApplicationContextAwar
 
 	private final PreFilterAuthorizationMethodInterceptor preFilterAuthorizationMethodInterceptor = new PreFilterAuthorizationMethodInterceptor();
 
+	private final AuthorizationManagerBeforeMethodInterceptor preAuthorizeAuthorizationMethodInterceptor;
+
 	private final PreAuthorizeAuthorizationManager preAuthorizeAuthorizationManager = new PreAuthorizeAuthorizationManager();
 
+	private final AuthorizationManagerAfterMethodInterceptor postAuthorizeAuthorizaitonMethodInterceptor;
+
 	private final PostAuthorizeAuthorizationManager postAuthorizeAuthorizationManager = new PostAuthorizeAuthorizationManager();
 
 	private final PostFilterAuthorizationMethodInterceptor postFilterAuthorizationMethodInterceptor = new PostFilterAuthorizationMethodInterceptor();
 
 	private final DefaultMethodSecurityExpressionHandler expressionHandler = new DefaultMethodSecurityExpressionHandler();
 
-	private boolean customMethodSecurityExpressionHandler = false;
+	PrePostMethodSecurityConfiguration() {
+		this.preAuthorizeAuthorizationManager.setExpressionHandler(this.expressionHandler);
+		this.preAuthorizeAuthorizationMethodInterceptor = AuthorizationManagerBeforeMethodInterceptor
+				.preAuthorize(this.preAuthorizeAuthorizationManager);
+		this.postAuthorizeAuthorizationManager.setExpressionHandler(this.expressionHandler);
+		this.postAuthorizeAuthorizaitonMethodInterceptor = AuthorizationManagerAfterMethodInterceptor
+				.postAuthorize(this.postAuthorizeAuthorizationManager);
+		this.preFilterAuthorizationMethodInterceptor.setExpressionHandler(this.expressionHandler);
+		this.postFilterAuthorizationMethodInterceptor.setExpressionHandler(this.expressionHandler);
+	}
 
 	@Bean
 	@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
 	Advisor preFilterAuthorizationMethodInterceptor() {
-		if (!this.customMethodSecurityExpressionHandler) {
-			this.preAuthorizeAuthorizationManager.setExpressionHandler(this.expressionHandler);
-		}
 		return this.preFilterAuthorizationMethodInterceptor;
 	}
 
 	@Bean
 	@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
 	Advisor preAuthorizeAuthorizationMethodInterceptor() {
-		if (!this.customMethodSecurityExpressionHandler) {
-			this.preAuthorizeAuthorizationManager.setExpressionHandler(this.expressionHandler);
-		}
-		return AuthorizationManagerBeforeMethodInterceptor.preAuthorize(this.preAuthorizeAuthorizationManager);
+		return this.preAuthorizeAuthorizationMethodInterceptor;
 	}
 
 	@Bean
 	@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
 	Advisor postAuthorizeAuthorizationMethodInterceptor() {
-		if (!this.customMethodSecurityExpressionHandler) {
-			this.postAuthorizeAuthorizationManager.setExpressionHandler(this.expressionHandler);
-		}
-		return AuthorizationManagerAfterMethodInterceptor.postAuthorize(this.postAuthorizeAuthorizationManager);
+		return this.postAuthorizeAuthorizaitonMethodInterceptor;
 	}
 
 	@Bean
 	@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
 	Advisor postFilterAuthorizationMethodInterceptor() {
-		if (!this.customMethodSecurityExpressionHandler) {
-			this.postFilterAuthorizationMethodInterceptor.setExpressionHandler(this.expressionHandler);
-		}
 		return this.postFilterAuthorizationMethodInterceptor;
 	}
 
 	@Autowired(required = false)
 	void setMethodSecurityExpressionHandler(MethodSecurityExpressionHandler methodSecurityExpressionHandler) {
-		this.customMethodSecurityExpressionHandler = true;
 		this.preFilterAuthorizationMethodInterceptor.setExpressionHandler(methodSecurityExpressionHandler);
 		this.preAuthorizeAuthorizationManager.setExpressionHandler(methodSecurityExpressionHandler);
 		this.postAuthorizeAuthorizationManager.setExpressionHandler(methodSecurityExpressionHandler);
 		this.postFilterAuthorizationMethodInterceptor.setExpressionHandler(methodSecurityExpressionHandler);
 	}
 
+	@Autowired(required = false)
+	void setSecurityContextHolderStrategy(SecurityContextHolderStrategy strategy) {
+		this.preFilterAuthorizationMethodInterceptor.setSecurityContextHolderStrategy(strategy);
+		this.preAuthorizeAuthorizationMethodInterceptor.setSecurityContextHolderStrategy(strategy);
+		this.postAuthorizeAuthorizaitonMethodInterceptor.setSecurityContextHolderStrategy(strategy);
+		this.postFilterAuthorizationMethodInterceptor.setSecurityContextHolderStrategy(strategy);
+	}
+
 	@Autowired(required = false)
 	void setGrantedAuthorityDefaults(GrantedAuthorityDefaults grantedAuthorityDefaults) {
 		this.expressionHandler.setDefaultRolePrefix(grantedAuthorityDefaults.getRolePrefix());

config/src/main/java/org/springframework/security/config/annotation/method/configuration/SecuredMethodSecurityConfiguration.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2021 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -17,12 +17,15 @@
 package org.springframework.security.config.annotation.method.configuration;
 
 import org.springframework.aop.Advisor;
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.config.BeanDefinition;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Role;
 import org.springframework.security.access.annotation.Secured;
 import org.springframework.security.authorization.method.AuthorizationManagerBeforeMethodInterceptor;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.core.context.SecurityContextHolderStrategy;
 
 /**
  * {@link Configuration} for enabling {@link Secured} Spring Security Method Security.
@@ -36,10 +39,20 @@
 @Role(BeanDefinition.ROLE_INFRASTRUCTURE)
 final class SecuredMethodSecurityConfiguration {
 
+	private SecurityContextHolderStrategy securityContextHolderStrategy = SecurityContextHolder
+			.getContextHolderStrategy();
+
 	@Bean
 	@Role(BeanDefinition.ROLE_INFRASTRUCTURE)
 	Advisor securedAuthorizationMethodInterceptor() {
-		return AuthorizationManagerBeforeMethodInterceptor.secured();
+		AuthorizationManagerBeforeMethodInterceptor interceptor = AuthorizationManagerBeforeMethodInterceptor.secured();
+		interceptor.setSecurityContextHolderStrategy(this.securityContextHolderStrategy);
+		return interceptor;
+	}
+
+	@Autowired(required = false)
+	void setSecurityContextHolderStrategy(SecurityContextHolderStrategy securityContextHolderStrategy) {
+		this.securityContextHolderStrategy = securityContextHolderStrategy;
 	}
 
 }

config/src/main/java/org/springframework/security/config/annotation/web/configuration/HttpSecurityConfiguration.java

@@ -33,6 +33,8 @@
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.config.annotation.web.configurers.DefaultLoginPageConfigurer;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.core.context.SecurityContextHolderStrategy;
 import org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter;
 
 import static org.springframework.security.config.Customizer.withDefaults;
@@ -58,6 +60,9 @@ class HttpSecurityConfiguration {
 
 	private ApplicationContext context;
 
+	private SecurityContextHolderStrategy securityContextHolderStrategy = SecurityContextHolder
+			.getContextHolderStrategy();
+
 	@Autowired
 	void setObjectPostProcessor(ObjectPostProcessor<Object> objectPostProcessor) {
 		this.objectPostProcessor = objectPostProcessor;
@@ -77,6 +82,11 @@ void setApplicationContext(ApplicationContext context) {
 		this.context = context;
 	}
 
+	@Autowired(required = false)
+	void setSecurityContextHolderStrategy(SecurityContextHolderStrategy securityContextHolderStrategy) {
+		this.securityContextHolderStrategy = securityContextHolderStrategy;
+	}
+
 	@Bean(HTTPSECURITY_BEAN_NAME)
 	@Scope("prototype")
 	HttpSecurity httpSecurity() throws Exception {
@@ -86,10 +96,12 @@ HttpSecurity httpSecurity() throws Exception {
 				this.objectPostProcessor, passwordEncoder);
 		authenticationBuilder.parentAuthenticationManager(authenticationManager());
 		HttpSecurity http = new HttpSecurity(this.objectPostProcessor, authenticationBuilder, createSharedObjects());
+		WebAsyncManagerIntegrationFilter webAsyncManagerIntegrationFilter = new WebAsyncManagerIntegrationFilter();
+		webAsyncManagerIntegrationFilter.setSecurityContextHolderStrategy(this.securityContextHolderStrategy);
 		// @formatter:off
 		http
 			.csrf(withDefaults())
-			.addFilter(new WebAsyncManagerIntegrationFilter())
+			.addFilter(webAsyncManagerIntegrationFilter)
 			.exceptionHandling(withDefaults())
 			.headers(withDefaults())
 			.sessionManagement(withDefaults())