Skip to content

SEC-3211: SecurityContextRequestPostProcessorSupport dirties context and causes side effects #3409

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
spring-projects-issues opened this issue Feb 2, 2016 · 3 comments
Closed

SEC-3211: SecurityContextRequestPostProcessorSupport dirties context and causes side effects #3409

spring-projects-issues opened this issue Feb 2, 2016 · 3 comments
Assignees
@rwinch
Labels
in: test An issue in spring-security-test type: bug A general bug type: jira An issue that was migrated from JIRA
Milestone
4.1.0 RC2

Comments

@spring-projects-issues
Copy link

Martin Bonato (Migrated from SEC-3211) said:

Using SecurityMockMvcRequestPostProcessors like authentication(), securityContext(), testSecurityContext(), user(), etc. in unit tests might cause side effects on other tests in the same application context.

SecurityMockMvcRequestPostProcessors.SecurityContextRequestPostProcessorSupport.save(SecurityContext, HttpServletRequest) calls WebTestUtils.setSecurityContextRepository(HttpServletRequest, SecurityContextRepository) to set a TestSecurityContextRepository in the SecurityContextPersistenceFilter registered in the application context. This dirties the context, because a registered bean (SecurityContextPersistenceFilter) is modified such that it causes side effects.

Since the side effects are rather rare and seem to show up randomly, it took me a while to track down the issue.

Here is an example of two unit tests where the first unit test influences the second:

    @Test
    @WithMockUser
    public void test1() throws Exception {
        mvc.perform(get("/"))//
                .andExpect(authenticated().withRoles("USER"));
    }

    // fails if executed after test1 in the same context
    @Test
    public void test2() throws Exception {
        mvc.perform(get("/"))//
            .andExpect(unauthenticated());
    }

If test2() is executed in its own application context it succeeds, since the default HttpSessionSecurityContexRepository used by the SecurityContextPersistenceFilter does not store anonymous authentication tokens. However, if test2() is executed after test1() in the same context it fails, because @WithMocUser caused the TestSecurityContextRepository to be registered which stores anonymous authentication tokens.
@spring-projects-issues spring-projects-issues added in: test An issue in spring-security-test Open type: bug A general bug type: jira An issue that was migrated from JIRA labels Feb 5, 2016
@spring-projects-issues spring-projects-issues added this to the 4.1.0 M1 milestone Feb 5, 2016
@rwinch rwinch changed the title SEC-3211: SecurityContextRequestPostProcessorSupport dirties context and causes side effekts SEC-3211: SecurityContextRequestPostProcessorSupport dirties context and causes side effects Mar 1, 2016
@rwinch
Copy link
Member

rwinch commented Mar 21, 2016

@mbonato Thanks for reporting SEC-3211. We migrated all our issues on GitHub.

I'm running this with the latest version of Spring Security and unable to reproduce an issue. Can you expand on the problem you are encountering?

@rwinch rwinch added the status: waiting-for-feedback We need additional information before we can continue label Mar 21, 2016
@rwinch rwinch self-assigned this Mar 21, 2016
@rwinch rwinch modified the milestones: 4.1.0 RC1, 4.0 Backlog Mar 22, 2016
@mbonato
Copy link

mbonato commented Apr 13, 2016

@rwinch I've created a test case for the issue: https://github.com/primesign/spring-security-issue3409. The test case still fails with the current release candidate 4.1.0.RC1.

@rwinch rwinch modified the milestones: 4.1.0 RC2, 4.0 Backlog Apr 14, 2016
@rwinch rwinch removed the status: waiting-for-feedback We need additional information before we can continue label Apr 14, 2016
@rwinch rwinch mentioned this issue Apr 14, 2016
Merged
@rwinch
Copy link
Member

rwinch commented Apr 14, 2016

@mbonato Thanks for the sample application. The problem appears to only happen when accessing public URLs. I created a PR to address this. See #3818

rwinch pushed a commit to rwinch/spring-security that referenced this issue Apr 19, 2016
Fix unauthenitcated() and AnonymousAuthenticationToken
b2b53f7 
Previously if unauthenticated() experienced an AnonymousAuthenticationToken
it would not match.

This commit ensures that if the user is anonymous (not just null)
unauthenticated() works.

Fixes spring-projectsgh-3409
jgrandja added a commit that referenced this issue Apr 19, 2016
@jgrandja
Merge pull request #3818 from rwinch/gh-3409-unauthenticated
b0028d4 
Fix unauthenitcated() and AnonymousAuthenticationToken
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@rwinch rwinch

Labels
in: test An issue in spring-security-test type: bug A general bug type: jira An issue that was migrated from JIRA
Projects
None yet
Milestone
4.1.0 RC2
Development

No branches or pull requests
3 participants
@rwinch @mbonato @spring-projects-issues