From 942b51dba754817cc1fb5bec08aab95af35c481c Mon Sep 17 00:00:00 2001
From: Rob Winch
Date: Wed, 15 Nov 2017 09:59:51 -0600
Subject: [PATCH] Reactive Basic does not create session by default
Fixes: gh-4825
---
 .../config/web/server/SecurityWebFiltersOrder.java | 8 ++++----
 .../security/config/web/server/ServerHttpSecurity.java | 3 ---
 .../config/web/server/ServerHttpSecurityTests.java | 2 +-
 .../server/authentication/AuthenticationWebFilter.java | 4 +++-
 4 files changed, 8 insertions(+), 9 deletions(-)
diff --git a/config/src/main/java/org/springframework/security/config/web/server/SecurityWebFiltersOrder.java b/config/src/main/java/org/springframework/security/config/web/server/SecurityWebFiltersOrder.java
index 3d2e6be3ac..fc68e28f7d 100644
--- a/config/src/main/java/org/springframework/security/config/web/server/SecurityWebFiltersOrder.java
+++ b/config/src/main/java/org/springframework/security/config/web/server/SecurityWebFiltersOrder.java
@@ -27,6 +27,10 @@ public enum SecurityWebFiltersOrder {
 * {@link org.springframework.security.web.server.csrf.CsrfWebFilter}
 */
 CSRF,
+ /**
+ * {@link org.springframework.security.web.server.context.ReactorContextWebFilter}
+ */
+ REACTOR_CONTEXT,
 /**
 * Instance of AuthenticationWebFilter
 */
@@ -36,10 +40,6 @@ public enum SecurityWebFiltersOrder {
 */
 FORM_LOGIN,
 AUTHENTICATION,
- /**
- * {@link org.springframework.security.web.server.context.ReactorContextWebFilter}
- */
- REACTOR_CONTEXT,
 LOGIN_PAGE_GENERATING,
 LOGOUT_PAGE_GENERATING,
 /**
diff --git a/config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java b/config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java
index 4e2bc2571f..99d5fc3cce 100644
--- a/config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java
+++ b/config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java
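Review bot: The Javadoc added for `REACTOR_CONTEXT` in the first hunk of SecurityWebFiltersOrder.java only links the filter class and does not say why the constant now sits ahead of `FORM_LOGIN` and `AUTHENTICATION`. The declaration order appears to decide where each filter runs in the chain (inferred from the enum's name, since the code that consumes it is not on this page), so ReactorContextWebFilter would now run before any authentication filter and could not pick up an Authentication established later in the same request. I would state that contract on the constant, e.g. `Runs before the authentication filters; a filter that authenticates the current request must publish its SecurityContext to the Reactor context itself.` Custom filters registered at the `AUTHENTICATION` position that relied on the old ordering may need the same change.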
@@ -229,9 +229,6 @@ public class ServerHttpSecurity {
 }
 if(this.httpBasic != null) {
 this.httpBasic.authenticationManager(this.authenticationManager);
- if(this.securityContextRepository != null) {
- this.httpBasic.securityContextRepository(this.securityContextRepository);
- }
 this.httpBasic.configure(this);
 }
 if(this.formLogin != null) {
diff --git a/config/src/test/java/org/springframework/security/config/web/server/ServerHttpSecurityTests.java b/config/src/test/java/org/springframework/security/config/web/server/ServerHttpSecurityTests.java
index a04d9ba717..a993d53d01 100644
--- a/config/src/test/java/org/springframework/security/config/web/server/ServerHttpSecurityTests.java
+++ b/config/src/test/java/org/springframework/security/config/web/server/ServerHttpSecurityTests.java
@@ -100,7 +100,7 @@ public class ServerHttpSecurityTests {
 .expectBody(String.class).consumeWith(b -> assertThat(b.getResponseBody()).isEqualTo("ok"))
 .returnResult();
- assertThat(result.getResponseCookies().getFirst("SESSION")).isNotNull();
+ assertThat(result.getResponseCookies().getFirst("SESSION")).isNull();
 }
 @Test
diff --git a/web/src/main/java/org/springframework/security/web/server/authentication/AuthenticationWebFilter.java b/web/src/main/java/org/springframework/security/web/server/authentication/AuthenticationWebFilter.java
index da3096b45f..ba359c9eab 100644
--- a/web/src/main/java/org/springframework/security/web/server/authentication/AuthenticationWebFilter.java
+++ b/web/src/main/java/org/springframework/security/web/server/authentication/AuthenticationWebFilter.java
@@ -18,6 +18,7 @@ package org.springframework.security.web.server.authentication;
 import java.util.function.Function;
 import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.core.context.ReactiveSecurityContextHolder;
 import reactor.core.publisher.Mono;
 import org.springframework.security.authentication.ReactiveAuthenticationManager;
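Review bot: In ServerHttpSecurityTests the changed assertion only proves that no cookie named `SESSION` is returned, which is weaker than the commit title's claim that no session is created. If this configuration sets no other cookies (not visible in the hunk), `assertThat(result.getResponseCookies()).isEmpty();` would also catch a session id issued under a different cookie name. The test method starts outside the hunk, so its name and setup could not be checked against the new expectation.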
@@ -82,7 +83,8 @@ public class AuthenticationWebFilter implements WebFilter {
 securityContext.setAuthentication(authentication);
 return this.securityContextRepository.save(exchange, securityContext)
 .then(this.authenticationSuccessHandler
- .onAuthenticationSuccess(webFilterExchange, authentication));
+ .onAuthenticationSuccess(webFilterExchange, authentication))
+ .subscriberContext(ReactiveSecurityContextHolder.withSecurityContext(Mono.just(securityContext)));
 }
 public void setSecurityContextRepository(
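Review bot: The `.subscriberContext(...)` call added at the end of the chain has no comment explaining why this filter must publish the SecurityContext itself, and the reason is not visible from this class alone. The same commit moves `REACTOR_CONTEXT` ahead of the authentication filters and stops passing the configured repository to HTTP Basic, so for a request authenticated here this line appears to be what makes the Authentication visible to the rest of the chain. A short comment above it would keep it from being removed as redundant, e.g. `// ReactorContextWebFilter has already run; expose the new SecurityContext to the rest of this request`. The enclosing method starts before the hunk.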