Use SecurityContextHolderStrategy for defaults #11062

@jzheaux jzheaux commented Apr 5, 2022

This introduces support for a SecurityContextHolderStrategy bean when used with the minimal configuration:

http
    .authorizeHttpRequests((authorize) -> authorize.anyRequest().authenticated())
    .formLogin(Customizer.withDefaults())
    .httpBasic(Customizer.withDefaults())

as well as

http
    .authorizeRequests((authorize) -> authorize.anyRequest().authenticated())
    .formLogin(Customizer.withDefaults())
    .httpBasic(Customizer.withDefaults())

including the subsequent lookup of the SecurityContext using @AuthenticationPrincipal.

@jzheaux jzheaux force-pushed the use-security-context-holder-strategy-form-login branch from bde3b57 to 3ddbee0 Compare April 5, 2022 23:42
@jzheaux jzheaux self-assigned this Apr 7, 2022
@jzheaux jzheaux added in: web An issue in web modules (web, webmvc) type: enhancement A general enhancement labels Apr 7, 2022
@jzheaux jzheaux added this to the 5.7.0-RC1 milestone Apr 7, 2022
@jzheaux jzheaux requested a review from rwinch April 7, 2022 23:47
@jzheaux jzheaux modified the milestones: 5.7.0-RC1, 6.0.0-M4 Apr 13, 2022
@sjohnr sjohnr modified the milestones: 6.0.0-M4, 6.0.0-M5, 6.0.0-M6 May 16, 2022
@jzheaux jzheaux force-pushed the use-security-context-holder-strategy-form-login branch from 3ddbee0 to 9c68f2f Compare May 25, 2022 20:00
@jzheaux jzheaux modified the milestones: 6.0.0-M6, 5.8.x May 25, 2022
@jzheaux jzheaux changed the base branch from 5.7.x to 5.8.x May 25, 2022 20:01
@jzheaux jzheaux force-pushed the use-security-context-holder-strategy-form-login branch from 740ec1f to eba2699 Compare May 26, 2022 22:12
@jzheaux jzheaux modified the milestones: 5.8.x, 5.8.0-M1 May 27, 2022
@jzheaux jzheaux force-pushed the use-security-context-holder-strategy-form-login branch from 4515abd to 547d761 Compare June 1, 2022 22:13
*/
public SecurityContextConfigurer<H> securityContextHolderStrategy(
SecurityContextHolderStrategy securityContextHolderStrategy) {
getBuilder().setSharedObject(SecurityContextHolderStrategy.class, securityContextHolderStrategy);
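Review bot: `securityContextHolderStrategy` is passed straight to `setSharedObject` with no null check in the lines shown; an `Assert.notNull(securityContextHolderStrategy, "securityContextHolderStrategy cannot be null")` as the first statement of the method would fail fast at configuration time instead of storing a null shared object. Because the value is stored on this builder only, the Javadoc that closes just above should also say that the setting is scoped to this `HttpSecurity` instance.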
Member

I have a concern that the HttpSecurity and AuthenticationPrincipalArgumentResolver may have different SecurityContextHolderStrategy associated with them.

Contributor Author

We'll leave the DSL support out for now. It would be rather unexpected to use a different SecurityContextHolderStrategy for each filter chain. That said, if this turns out to be needed, the argument resolver could possibly be updated to look at the request attribute to get the security context.

@jzheaux jzheaux force-pushed the use-security-context-holder-strategy-form-login branch from 03110cd to c6bba62 Compare June 16, 2022 20:27
@jzheaux jzheaux merged commit 2a70707 into spring-projects:5.8.x Jun 17, 2022
@jzheaux jzheaux deleted the use-security-context-holder-strategy-form-login branch June 17, 2022 17:28
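
The setup the pull request description refers to, written out as an added example (not code from the pull request or from Spring Security): one `SecurityContextHolderStrategy` bean, the minimal filter chain, and a handler that reads the principal through `@AuthenticationPrincipal`. The class names `StrategyConfig`, `ThreadBoundStrategy` and `MeController` are hypothetical; it assumes Spring Security 5.8 or later with Spring MVC, and a user store configured elsewhere.

```java
// Added example; class names are hypothetical, user store is assumed to exist elsewhere.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolderStrategy;
import org.springframework.security.core.context.SecurityContextImpl;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableWebSecurity
class StrategyConfig {
    // One application-wide bean: the filters and the argument resolver must share it.
    @Bean
    SecurityContextHolderStrategy securityContextHolderStrategy() {
        return new ThreadBoundStrategy();
    }
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests((authorize) -> authorize.anyRequest().authenticated())
            .formLogin(Customizer.withDefaults())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}

// Keeps its own ThreadLocal, separate from SecurityContextHolder's static storage.
final class ThreadBoundStrategy implements SecurityContextHolderStrategy {
    private final ThreadLocal<SecurityContext> holder = ThreadLocal.withInitial(SecurityContextImpl::new);
    @Override public void clearContext() { holder.remove(); }
    @Override public SecurityContext getContext() { return holder.get(); }
    @Override public void setContext(SecurityContext c) { holder.set(java.util.Objects.requireNonNull(c)); }
    @Override public SecurityContext createEmptyContext() { return new SecurityContextImpl(); }
}

@RestController
class MeController {
    @GetMapping("/me") // resolves only if the resolver reads the same strategy the filters wrote to
    String me(@AuthenticationPrincipal UserDetails user) {
        return user.getUsername();
    }
}
```

Because `ThreadBoundStrategy` does not share storage with the static `SecurityContextHolder`, a component that still reads the static holder sees an empty context, which makes a mismatch between the filter chain and the argument resolver visible as a null principal in `/me`.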