
SessionManagementConfigurer ignores custom SecurityContextRepository for SessionManagementFilter #12579


Closed
m-ibot opened this issue Jan 24, 2023 · 1 comment
Assignees: jzheaux
Labels: in: config (An issue in spring-security-config), type: bug (A general bug)
Milestone: 6.0.2

Comments

m-ibot (Contributor) commented Jan 24, 2023

Describe the bug

A custom SecurityContextRepository that is configured for a SecurityFilterChain will be ignored by SessionManagementConfigurer/SessionManagementFilter. Instead the SessionManagementFilter uses the default HttpSessionSecurityContextRepository.

This happens in Spring Security 6.0.x. The issue did not appear in Spring Security 5.7.x.

The SessionManagementFilter is created when the method SessionManagementConfigurer#configure(H http) is called (see here).

In Spring Security 5.7.x the SecurityContextRepository is determined by calling http.getSharedObject(SecurityContextRepository.class):

```java
SecurityContextRepository securityContextRepository = http.getSharedObject(SecurityContextRepository.class);
SessionManagementFilter sessionManagementFilter = new SessionManagementFilter(securityContextRepository, getSessionAuthenticationStrategy(http));
// ....
```

In Spring Security 6.0.x this behavior changed: this.sessionManagementSecurityContextRepository is passed to the SessionManagementFilter constructor.
See SessionManagementConfigurer:

```java
SecurityContextRepository securityContextRepository = this.sessionManagementSecurityContextRepository;
SessionManagementFilter sessionManagementFilter = new SessionManagementFilter(securityContextRepository, getSessionAuthenticationStrategy(http));
```

The default value of this.sessionManagementSecurityContextRepository is new HttpSessionSecurityContextRepository(). This value is only overwritten in SessionManagementConfigurer#init(H http) (see here), but NOT if the SecurityContextRepository from http.getSharedObject(SecurityContextRepository.class) is null:

```java
SecurityContextRepository securityContextRepository = http.getSharedObject(SecurityContextRepository.class);
boolean stateless = isStateless();
if (securityContextRepository == null) {
	// this.sessionManagementSecurityContextRepository is set
}
// No else case, where
// this.sessionManagementSecurityContextRepository = securityContextRepository;
```

To Reproduce

Set a custom SecurityContextRepository in a SecurityFilterChain:

```java
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;

@EnableWebSecurity
public class SecurityConfig {
  @Bean
  public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    http
        .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.ALWAYS)
        .and()
        .securityContext().securityContextRepository(new MySecurityContextRepositoryImpl()); // <- set custom SecurityContextRepository (your own implementation)
    return http.build();
  }
}
```

Unfortunately, this setting does not have any effect on SessionManagementFilter.

Expected behavior
The custom SecurityContextRepository is passed to SessionManagementFilter's constructor.
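The following JUnit 5 test, added here as an illustration and not part of the issue, the linked pull request or the Spring Security test suite, makes the misbehaviour observable. It wraps HttpSessionSecurityContextRepository in a recording decorator, registers it via securityContext().securityContextRepository(...), and asserts that SessionManagementFilter actually calls containsContext() on it for a plain request. On 6.0.0/6.0.1 the filter holds its own HttpSessionSecurityContextRepository, so the flag stays false; once the configured repository reaches the filter's constructor, the assertion passes. Assumptions: Spring Security 6.0.x with spring-test and JUnit 5 on the classpath, and that requireExplicitAuthenticationStrategy(false) is what makes the SessionManagementFilter be registered in 6.x; the class and bean names are invented for this example.

```java
package com.example.issue12579;

import static org.junit.jupiter.api.Assertions.assertTrue;
import static org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers.springSecurity;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;

import java.util.concurrent.atomic.AtomicBoolean;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.context.HttpRequestResponseHolder;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextRepository;
import org.springframework.test.context.junit.jupiter.web.SpringJUnitWebConfig;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.test.web.servlet.setup.MockMvcBuilders;
import org.springframework.web.context.WebApplicationContext;

// Added example, not Spring Security's own test. Fails while SessionManagementFilter
// is built with its private HttpSessionSecurityContextRepository, passes once the
// repository configured through securityContext() is handed to the filter.
@SpringJUnitWebConfig(CustomRepositoryReachesSessionManagementFilterTests.Config.class)
class CustomRepositoryReachesSessionManagementFilterTests {

	@Autowired
	WebApplicationContext context;

	@Autowired
	RecordingSecurityContextRepository repository;

	@Test
	void sessionManagementFilterUsesConfiguredRepository() throws Exception {
		MockMvc mvc = MockMvcBuilders.webAppContextSetup(this.context).apply(springSecurity()).build();
		// Any request will do: SessionManagementFilter calls containsContext(request)
		// before deciding whether a SessionAuthenticationStrategy has to run.
		mvc.perform(get("/"));
		assertTrue(this.repository.containsContextCalled.get(),
				"SessionManagementFilter did not consult the configured SecurityContextRepository");
	}

	@EnableWebSecurity
	static class Config {

		@Bean
		RecordingSecurityContextRepository recordingRepository() {
			return new RecordingSecurityContextRepository();
		}

		@Bean
		SecurityFilterChain filterChain(HttpSecurity http, RecordingSecurityContextRepository repository)
				throws Exception {
			http
				.sessionManagement((sessions) -> sessions
					.sessionCreationPolicy(SessionCreationPolicy.ALWAYS)
					// assumption: this forces SessionManagementFilter to be registered in 6.x
					.requireExplicitAuthenticationStrategy(false))
				.securityContext((sc) -> sc.securityContextRepository(repository));
			return http.build();
		}
	}

	// Decorates the default repository and records whether containsContext() was reached.
	static class RecordingSecurityContextRepository implements SecurityContextRepository {

		private final SecurityContextRepository delegate = new HttpSessionSecurityContextRepository();

		final AtomicBoolean containsContextCalled = new AtomicBoolean(false);

		@Override
		@SuppressWarnings("deprecation")
		public SecurityContext loadContext(HttpRequestResponseHolder holder) {
			return this.delegate.loadContext(holder);
		}

		@Override
		public void saveContext(SecurityContext ctx, HttpServletRequest request, HttpServletResponse response) {
			this.delegate.saveContext(ctx, request, response);
		}

		@Override
		public boolean containsContext(HttpServletRequest request) {
			this.containsContextCalled.set(true);
			return this.delegate.containsContext(request);
		}
	}
}
```

The decorator deliberately leaves loadDeferredContext() to the interface default so the same class compiles against both 5.8 (Supplier return type) and 6.0 (DeferredSecurityContext return type). The point of the check is security-relevant rather than cosmetic: the session-fixation and concurrency strategies wired into SessionManagementFilter are driven by what containsContext() reports, so a filter that asks a repository nobody configured will reach the wrong decision for applications that store the context somewhere other than the HttpSession.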

m-ibot (Contributor, Author) commented Jan 25, 2023

I created a pull request (#12583) for this issue.

If the else case in SessionManagementConfigurer is missing, the test will fail, because the SessionManagementFilter will call the containsContext method of another SecurityContextRepository but not the configured one. With the implemented else case, this issue should be solved.

@jzheaux jzheaux self-assigned this Jan 25, 2023
@jzheaux jzheaux added in: config An issue in spring-security-config and removed status: waiting-for-triage An issue we've not yet triaged labels Jan 25, 2023
@jzheaux jzheaux added this to the 6.0.2 milestone Jan 25, 2023
Artur- added a commit to vaadin/flow that referenced this issue Feb 2, 2023
Workaround for spring-projects/spring-security#12579 until it is included in a release
Artur- added a commit to vaadin/flow that referenced this issue Feb 2, 2023
…on (#15804)

The shared objects need to be available when other configurers are run and because of spring-projects/spring-security#12579 a workaround is needed to actually apply the correct SecurityContextRepository

Fixes vaadin/hilla#681
m-ibot added a commit to m-ibot/spring-security that referenced this issue Feb 2, 2023
@jzheaux jzheaux closed this as completed in 7dd5cc6 Feb 7, 2023