CasAuthenticationFilter.successfulAuthentication missing call to securityContextRepository.saveContext #13243
Comments
tokarls
added
status: waiting-for-triage
marcusdacoregio
added
in: cas
|
Hi @marcusdacoregio, can i try this? |
marcusdacoregio
added a commit
to marcusdacoregio/spring-security
that referenced
this issue
Jun 1, 2023
|
Hi @Anubhav-2000, yes, the issue is yours. Ideally, I think we should keep a reference of the private SecurityContextRepository securityContextRepository = new HttpSessionSecurityContextRepository();;
public CasAuthenticationFilter() {
super("/login/cas");
setAuthenticationFailureHandler(new SimpleUrlAuthenticationFailureHandler());
setSecurityContextRepository(this.securityContextRepository);
}
// ...
@Override
protected final void successfulAuthentication(HttpServletRequest request, HttpServletResponse response,
FilterChain chain, Authentication authResult) throws IOException, ServletException {
// ...
SecurityContext context = SecurityContextHolder.createEmptyContext();
context.setAuthentication(authResult);
SecurityContextHolder.setContext(context);
this.securityContextRepository.saveContext(context, request, response);
// ...
}Then, in 6.2, we can override the setter method and update both references. |
|
Thanks @marcusdacoregio , i have not overridden the setter method and done the rest of the changes. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the bug
org.springframework.security.cas.web.CasAuthenticationFilter.successfulAuthenticationseems to be missing a call tosecurityContextRepository.saveContextas per the Spring 6 migration document. I think this makes the filter completely unusable on Spring6/Boot3 and begs to question if theCasAuthenticationFiltercode is production ready for Spring 6 otherwise.To Reproduce
Use the filter
Expected behavior
SecurityContext is saved between requests :)
The text was updated successfully, but these errors were encountered: