
SEC-2932: SecurityContextConfigurer defaults SecurityContextRepository

Rob Winch 10 سال پیش
والد
کامیت
f548d89b27

+ 4 - 0
config/src/main/java/org/springframework/security/config/annotation/web/configurers/SecurityContextConfigurer.java

@@ -20,6 +20,7 @@ import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.core.context.SecurityContext;
 import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
 import org.springframework.security.web.context.SecurityContextPersistenceFilter;
 import org.springframework.security.web.context.SecurityContextRepository;
 
@@ -85,6 +86,9 @@ public final class SecurityContextConfigurer<H extends HttpSecurityBuilder<H>> e
 
 		SecurityContextRepository securityContextRepository = http
 				.getSharedObject(SecurityContextRepository.class);
+		if(securityContextRepository == null) {
+			securityContextRepository = new HttpSessionSecurityContextRepository();
+		}
 		SecurityContextPersistenceFilter securityContextFilter = new SecurityContextPersistenceFilter(
 				securityContextRepository);
 		SessionManagementConfigurer<?> sessionManagement = http
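Review bot: The fallback `HttpSessionSecurityContextRepository` created in the added null check is used only for this filter and is never published back, so any other configurer that later calls `http.getSharedObject(SecurityContextRepository.class)` would presumably still get null or build a separate instance. Consider adding `http.setSharedObject(SecurityContextRepository.class, securityContextRepository);` inside the `if` so the whole chain agrees on one repository. The default also means a configuration with defaults disabled now keeps the SecurityContext in the HTTP session without having asked for it, which deserves a comment such as `// no shared repository configured: fall back to session-backed storage`. The enclosing method starts and ends outside the hunk, so the later session-policy handling is not visible here.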

+ 41 - 0
config/src/test/groovy/org/springframework/security/config/annotation/web/configurers/SecurityContextConfigurerTests.groovy

@@ -24,6 +24,7 @@ import org.springframework.security.config.annotation.web.configuration.EnableWe
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter
 import org.springframework.security.web.context.SecurityContextPersistenceFilter
 import org.springframework.security.web.context.SecurityContextRepository
+import org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter
 
 /**
  *
@@ -67,4 +68,44 @@ class SecurityContextConfigurerTests extends BaseSpringSpec {
 				.securityContext()
 		}
 	}
+
+	def 'SEC-2932: SecurityContextConfigurer defaults SecurityContextRepository'() {
+		setup: 'Configuration without default SecurityContextRepository setup'
+		loadConfig(SecurityContextRepositoryDefaultsSecurityContextRepositoryConfig)
+		when: 'Spring Security invoked'
+		springSecurityFilterChain.doFilter(request,response,chain)
+		then: 'no exception thrown'
+		noExceptionThrown()
+	}
+
+	@Configuration
+	@EnableWebSecurity
+	static class SecurityContextRepositoryDefaultsSecurityContextRepositoryConfig extends WebSecurityConfigurerAdapter {
+		public SecurityContextRepositoryDefaultsSecurityContextRepositoryConfig() {
+			super(true);
+		}
+
+		@Override
+		protected void configure(HttpSecurity http) throws Exception {
+			// @formatter:off
+			http
+				.addFilter(new WebAsyncManagerIntegrationFilter())
+				.anonymous().and()
+				.securityContext().and()
+				.authorizeRequests()
+					.anyRequest().permitAll()
+					.and()
+				.httpBasic();
+			// @formatter:on
+		}
+
+		// @formatter:off
+		@Override
+		protected void configure(AuthenticationManagerBuilder auth) {
+			auth
+			.inMemoryAuthentication()
+			.withUser("user").password("password").roles("USER")
+		}
+		// @formatter:on
+	}
 }
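Review bot: The new spec only asserts `noExceptionThrown()`, so it would still pass if the fallback were some other SecurityContextRepository or if the persistence filter were missing from the chain. It would pin the fix more tightly to also assert that the SecurityContextPersistenceFilter built for this configuration holds an HttpSessionSecurityContextRepository. The `httpBasic()` call and the in-memory user do not appear to be exercised by the request sent here, so either send credentials and check that the context is saved to the session, or drop them. A comment above `super(true)` such as `// defaults disabled, so nothing else registers a SecurityContextRepository` would explain why this configuration reproduces SEC-2932.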