root
/
spring-security
mirror of https://github.com/spring-projects/spring-security.git
1
0
Fork 0
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Add SecurityContextHolderStrategy for Jaas 

Issue gh-11060
Issue gh-11061
This commit is contained in:
Josh Cummings 2022-06-27 16:58:52 -06:00
parent ec1bfa12f0
commit b316a3217b
No known key found for this signature in database
GPG Key ID: A306A51F43B8E5A5
5 changed files with 65 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
config/src/main/java/org/springframework/security/config/http/HttpConfigurationBuilder.java
View File

@ -610,7 +610,8 @@ class HttpConfigurationBuilder {
provideJaasApi = DEF_JAAS_API_PROVISION;
}
if ("true".equals(provideJaasApi)) {
this.jaasApiFilter = new RootBeanDefinition(JaasApiIntegrationFilter.class);
this.jaasApiFilter = BeanDefinitionBuilder.rootBeanDefinition(JaasApiIntegrationFilter.class)
.addPropertyValue("securityContextHolderStrategy", this.holderStrategyRef).getBeanDefinition();
}
}

18
core/src/main/java/org/springframework/security/authentication/jaas/SecurityContextLoginModule.java
View File

@ -28,6 +28,8 @@ import org.apache.commons.logging.LogFactory;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.context.SecurityContextHolderStrategy;
import org.springframework.util.Assert;
/**
* An implementation of {@link LoginModule} that uses a Spring Security
@ -55,6 +57,9 @@ public class SecurityContextLoginModule implements LoginModule {
private static final Log log = LogFactory.getLog(SecurityContextLoginModule.class);
private SecurityContextHolderStrategy securityContextHolderStrategy = SecurityContextHolder
.getContextHolderStrategy();
private Authentication authen;
private Subject subject;
@ -93,6 +98,17 @@ public class SecurityContextLoginModule implements LoginModule {
return true;
}
/**
* Sets the {@link SecurityContextHolderStrategy} to use. The default action is to use
* the {@link SecurityContextHolderStrategy} stored in {@link SecurityContextHolder}.
*
* @since 5.8
*/
public void setSecurityContextHolderStrategy(SecurityContextHolderStrategy securityContextHolderStrategy) {
Assert.notNull(securityContextHolderStrategy, "securityContextHolderStrategy cannot be null");
this.securityContextHolderStrategy = securityContextHolderStrategy;
}
Authentication getAuthentication() {
return this.authen;
}
@ -129,7 +145,7 @@ public class SecurityContextLoginModule implements LoginModule {
*/
@Override
public boolean login() throws LoginException {
this.authen = SecurityContextHolder.getContext().getAuthentication();
this.authen = this.securityContextHolderStrategy.getContext().getAuthentication();
if (this.authen != null) {
return true;
}

16
core/src/test/java/org/springframework/security/authentication/jaas/SecurityContextLoginModuleTests.java
View File

@ -29,9 +29,13 @@ import org.junit.jupiter.api.Test;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.context.SecurityContextHolderStrategy;
import org.springframework.security.core.context.SecurityContextImpl;
import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
import static org.mockito.BDDMockito.given;
import static org.mockito.Mockito.mock;
/**
* Tests SecurityContextLoginModule
@ -84,6 +88,18 @@ public class SecurityContextLoginModuleTests {
.withFailMessage("Principals should contain the authentication").isTrue();
}
@Test
public void loginWhenCustomSecurityContextHolderStrategyThenUses() throws Exception {
SecurityContextHolderStrategy securityContextHolderStrategy = mock(SecurityContextHolderStrategy.class);
given(securityContextHolderStrategy.getContext()).willReturn(new SecurityContextImpl(this.auth));
this.module.setSecurityContextHolderStrategy(securityContextHolderStrategy);
assertThat(this.module.login()).as("Login should succeed, there is an authentication set").isTrue();
assertThat(this.module.commit()).withFailMessage("The authentication is not null, this should return true")
.isTrue();
assertThat(this.subject.getPrincipals().contains(this.auth))
.withFailMessage("Principals should contain the authentication").isTrue();
}
@Test
public void testLogout() throws Exception {
SecurityContextHolder.getContext().setAuthentication(this.auth);

20
web/src/main/java/org/springframework/security/web/jaasapi/JaasApiIntegrationFilter.java
View File

@ -1,5 +1,5 @@
/*
* Copyright 2010-2021 the original author or authors.
* Copyright 2010-2022 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -32,6 +32,8 @@ import org.springframework.core.log.LogMessage;
import org.springframework.security.authentication.jaas.JaasAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.context.SecurityContextHolderStrategy;
import org.springframework.util.Assert;
import org.springframework.web.filter.GenericFilterBean;
/**
@ -52,6 +54,9 @@ import org.springframework.web.filter.GenericFilterBean;
*/
public class JaasApiIntegrationFilter extends GenericFilterBean {
private SecurityContextHolderStrategy securityContextHolderStrategy = SecurityContextHolder
.getContextHolderStrategy();
private boolean createEmptySubject;
/**
@ -114,7 +119,7 @@ public class JaasApiIntegrationFilter extends GenericFilterBean {
* available.
*/
protected Subject obtainSubject(ServletRequest request) {
Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
Authentication authentication = this.securityContextHolderStrategy.getContext().getAuthentication();
this.logger.debug(LogMessage.format("Attempting to obtainSubject using authentication : %s", authentication));
if (authentication == null) {
return null;
@ -144,4 +149,15 @@ public class JaasApiIntegrationFilter extends GenericFilterBean {
this.createEmptySubject = createEmptySubject;
}
/**
* Sets the {@link SecurityContextHolderStrategy} to use. The default action is to use
* the {@link SecurityContextHolderStrategy} stored in {@link SecurityContextHolder}.
*
* @since 5.8
*/
public void setSecurityContextHolderStrategy(SecurityContextHolderStrategy securityContextHolderStrategy) {
Assert.notNull(securityContextHolderStrategy, "securityContextHolderStrategy cannot be null");
this.securityContextHolderStrategy = securityContextHolderStrategy;
}
}

12
web/src/test/java/org/springframework/security/web/jaasapi/JaasApiIntegrationFilterTests.java
View File

@ -48,8 +48,12 @@ import org.springframework.security.authentication.jaas.TestLoginModule;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.context.SecurityContextHolderStrategy;
import org.springframework.security.core.context.SecurityContextImpl;
import static org.assertj.core.api.Assertions.assertThat;
import static org.mockito.BDDMockito.given;
import static org.mockito.Mockito.mock;
/**
* Tests the JaasApiIntegrationFilter.
@ -189,6 +193,14 @@ public class JaasApiIntegrationFilterTests {
assertJaasSubjectEquals(new Subject());
}
@Test
public void doFilterUsesCustomSecurityContextHolderStrategy() throws Exception {
SecurityContextHolderStrategy strategy = mock(SecurityContextHolderStrategy.class);
given(strategy.getContext()).willReturn(new SecurityContextImpl(this.token));
this.filter.setSecurityContextHolderStrategy(strategy);
assertJaasSubjectEquals(this.authenticatedSubject);
}
private void assertJaasSubjectEquals(final Subject expectedValue) throws Exception {
MockFilterChain chain = new MockFilterChain() {
@Override