Describe the bug
Spring Security uses RequestAttributeSecurityContextRepository instead of the NullSecurityContextRepository for Stateless sessions.
To Reproduce
Run the application with the following minimal configuration:

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
class SecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http, UserDetailsService userDetailsService) throws Exception {
        // Every request must be authenticated; HTTP Basic is the only mechanism enabled.
        http.authorizeHttpRequests(requests -> requests
                .anyRequest().authenticated()
        );
        http.userDetailsService(userDetailsService);
        http.httpBasic(Customizer.withDefaults());
        // STATELESS: Spring Security must never create or use an HttpSession.
        http.sessionManagement(sessionConfig -> sessionConfig.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
        // CSRF protection is irrelevant without a session-backed client.
        http.csrf(csrfCustomizer -> csrfCustomizer.disable());
        return http.build();
    }

    @Bean
    UserDetailsService userDetailsService() {
        InMemoryUserDetailsManager inMemoryUserDetailsManager = new InMemoryUserDetailsManager();
        inMemoryUserDetailsManager.createUser(
                // The default DelegatingPasswordEncoder needs an encoder id prefix;
                // {noop} stores the password in plain text for this demo user only.
                User.builder().username("john").password("{noop}pass").roles("USER").build()
        );
        return inMemoryUserDetailsManager;
    }
}
```
Expected behavior
According to the documentation, Spring should use NullSecurityContextRepository, but RequestAttributeSecurityContextRepository is used instead.
Sample
There is a test in the repository below that checks the SecurityContextRepository used by BasicAuthenticationFilter:
https://github.com/slawekludwiczak/spring-security-basic-repository
PS: Maybe I don't understand something, but it seems a bit odd to me that a SessionManagementFilter is registered for stateless sessions.
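The check described in the report, written out as an added example (this is not code from the issue, the linked repository, or the Spring Security project). It assumes a Spring Boot test classpath with spring-boot-starter-security and spring-boot-starter-test, that the SecurityConfig above is component-scanned, and that BasicAuthenticationFilter keeps its repository in a private field named securityContextRepository (it exposes only a setter, so the field is read reflectively with spring-test's ReflectionTestUtils; the field name is an assumption, the package name is hypothetical):

```java
package com.example.security; // hypothetical package

import static org.assertj.core.api.Assertions.assertThat;

import java.util.List;
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextRepository;
import org.springframework.test.util.ReflectionTestUtils;

// Added example: inspects which SecurityContextRepository BasicAuthenticationFilter
// was wired with, and which filters the STATELESS chain actually contains.
@SpringBootTest
class BasicAuthSecurityContextRepositoryTest {

    @Autowired
    SecurityFilterChain filterChain;

    // Locate the BasicAuthenticationFilter in the built chain and read its repository.
    static SecurityContextRepository basicAuthRepository(SecurityFilterChain chain) {
        BasicAuthenticationFilter basic = chain.getFilters().stream()
                .filter(BasicAuthenticationFilter.class::isInstance)
                .map(BasicAuthenticationFilter.class::cast)
                .findFirst()
                .orElseThrow(() -> new AssertionError("no BasicAuthenticationFilter in chain"));
        // Assumed private field name; BasicAuthenticationFilter has no getter for it.
        return (SecurityContextRepository) ReflectionTestUtils.getField(basic, "securityContextRepository");
    }

    // Simple class names of every filter in the chain, in execution order.
    static List<String> filterNames(SecurityFilterChain chain) {
        return chain.getFilters().stream()
                .map(f -> f.getClass().getSimpleName())
                .toList();
    }

    @Test
    void basicAuthDoesNotUseSessionBackedRepository() {
        SecurityContextRepository repo = basicAuthRepository(filterChain);
        // Print the concrete type so the report's observation can be confirmed directly;
        // with the STATELESS config above this is expected to be
        // RequestAttributeSecurityContextRepository rather than NullSecurityContextRepository.
        System.out.println("BasicAuthenticationFilter repository: " + repo.getClass().getName());
        assertThat(repo).isNotNull();
        // Whatever the exact type, STATELESS must never wire the session-backed repository.
        assertThat(repo).isNotInstanceOf(HttpSessionSecurityContextRepository.class);
    }

    @Test
    void listFiltersInStatelessChain() {
        // Shows whether SessionManagementFilter is present, as the report remarks.
        List<String> names = filterNames(filterChain);
        System.out.println("Filter chain: " + names);
        assertThat(names).contains("BasicAuthenticationFilter");
    }
}
```

If an application wants NullSecurityContextRepository regardless of what the session policy selects, it can set the repository explicitly in the SecurityConfig with `http.securityContext(sc -> sc.securityContextRepository(new NullSecurityContextRepository()))`; the same test then reports that type for BasicAuthenticationFilter. Note that both RequestAttributeSecurityContextRepository and NullSecurityContextRepository keep the context out of the HttpSession, so the assertion above passes in either case; the first test's printout, not the assertion, is what distinguishes the two.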