Skip to content

SessionManagementConfigurer ignores custom SecurityContextRepository for SessionManagementFilter #12579

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
m-ibot opened this issue Jan 24, 2023 · 1 comment
Closed

SessionManagementConfigurer ignores custom SecurityContextRepository for SessionManagementFilter #12579

m-ibot opened this issue Jan 24, 2023 · 1 comment
Assignees
@jzheaux
Labels
in: config An issue in spring-security-config type: bug A general bug
Milestone
6.0.2

Comments

@m-ibot
Copy link
Contributor

m-ibot commented Jan 24, 2023

Describe the bug

A custom SecurityContextRepository that is configured for a SecurityFilterChain will be ignored by SessionManagementConfigurer/SessionManagementFilter. Instead the SessionManagementFilter uses the default HttpSessionSecurityContextRepository.

This happens in Spring Security 6.0.x. The issue did not appear in Spring Security 5.7.x.

The SessionManagementFilter is created when the method SessionManagementConfigurer#configure(H http) is called (see here).

In Spring Security 5.7.x the SecurityContextRepository is determined by calling http.getSharedObject(SecurityContextRepository.class).

SecurityContextRepository securityContextRepository = http.getSharedObject(SecurityContextRepository.class);
SessionManagementFilter sessionManagementFilter = new SessionManagementFilter(securityContextRepository, getSessionAuthenticationStrategy(http));
// ....

In Spring Security 6.0.x this behavior changed. this.sessionManagementSecurityContextRepository is passed for the SessionManagementFilter constructor.
See SessionManagementConfigurer

SecurityContextRepository securityContextRepository = this.sessionManagementSecurityContextRepository;
SessionManagementFilter sessionManagementFilter = new SessionManagementFilter(securityContextRepository, getSessionAuthenticationStrategy(http));

The default value for this.sessionManagementSecurityContextRepository is new HttpSessionSecurityContextRepository(). This value is only overwritten in SessionManagementConfigurer#init(H http) (see here). But NOT, if SecurityContextRepository from http.getSharedObject(SecurityContextRepository.class) is null

SecurityContextRepository securityContextRepository = http.getSharedObject(SecurityContextRepository.class);
	boolean stateless = isStateless();
	if (securityContextRepository == null) {
		// this.sessionManagementSecurityContextRepository is set
	}
	// No else case, where
	// this.sessionManagementSecurityContextRepository = securityContextRepository;

To Reproduce

Set a custom SecurityContextRepository in a SecurityFilterChain:

  @Bean
  public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    http
        .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.ALWAYS)
        .and()
        .securityContext().securityContextRepository(new MySecurityContextRepositoryImpl()); // <- set custom SecurityContextRepository
    return http.build();
  }

Unfortunately, this setting does not have any affect on SessionManagementFilter.

Expected behavior
The custom SecurityContextRepository is passed to SessionManagementFilter's constructor.
@m-ibot m-ibot added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Jan 24, 2023
@m-ibot m-ibot mentioned this issue Jan 25, 2023
Merged
@m-ibot
Copy link
Contributor Author

m-ibot commented Jan 25, 2023

I created a pull request (#12583) for this issue.

If the else case in SessionManagementConfigurer is missing, the test will fail, because the SessionManagementFilter will call the containsContext method of another SecurityContextRepository but not the configured one. With the implemented else case, this issue should be solved

@jzheaux jzheaux self-assigned this Jan 25, 2023
@jzheaux jzheaux added in: config An issue in spring-security-config and removed status: waiting-for-triage An issue we've not yet triaged labels Jan 25, 2023
@jzheaux jzheaux added this to the 6.0.2 milestone Jan 25, 2023
Artur- added a commit to vaadin/flow that referenced this issue Feb 2, 2023
@Artur-
fix: Hilla stateless authentication
77574d3 
Workaround for spring-projects/spring-security#12579 until it is included in a release
@Artur- Artur- mentioned this issue Feb 2, 2023
Merged
Artur- added a commit to vaadin/flow that referenced this issue Feb 2, 2023
@Artur-
fix: Use correct SecurityContextRepository for stateless authenticati…
7149f77 
…on (#15804)

The shared objects need to be available when other configurers are run and because of spring-projects/spring-security#12579 a workaround is needed to actually apply the correct SecurityContextRepository

Fixes vaadin/hilla#681
m-ibot added a commit to m-ibot/spring-security that referenced this issue Feb 2, 2023
@m-ibot
Pick Up Custom SecurityContextRespository
e413625 
Closes spring-projectsgh-12579
@jzheaux jzheaux mentioned this issue Feb 7, 2023
Closed
@jzheaux jzheaux closed this as completed in 7dd5cc6 Feb 7, 2023
@mcollovati mcollovati mentioned this issue Mar 20, 2024
Merged
9 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jzheaux jzheaux

Labels
in: config An issue in spring-security-config type: bug A general bug
Projects
None yet
Milestone
6.0.2
Development

No branches or pull requests
2 participants
@jzheaux @m-ibot