Description
If an HttpSession already exists, then HttpSessionSecurityContextRepository saves an Authentication annotated with @Transient into that session, but it should not: a transient Authentication is meant to apply to the current request only, and storing it in the session carries it over to subsequent requests. An example test (the assertion expects the existing session to still hold no attributes after saveContext):
@Test
public void saveContextWhenTransientAuthenticationAndSessionExistsThenSkipped() {
    // Reproduces the reported defect: a session already exists before saveContext runs.
    HttpSessionSecurityContextRepository repository = new HttpSessionSecurityContextRepository();
    MockHttpServletRequest mockRequest = new MockHttpServletRequest();
    MockHttpServletResponse mockResponse = new MockHttpServletResponse();
    mockRequest.getSession(); // create the session up front so it exists during saveContext

    HttpRequestResponseHolder requestResponse = new HttpRequestResponseHolder(mockRequest, mockResponse);
    SecurityContext securityContext = repository.loadContext(requestResponse);

    // A @Transient authentication must never be persisted to the session.
    SomeTransientAuthentication transientAuthentication = new SomeTransientAuthentication();
    securityContext.setAuthentication(transientAuthentication);
    repository.saveContext(securityContext, requestResponse.getRequest(), requestResponse.getResponse());

    // getSession(false) returns the pre-existing session without creating a new one;
    // it is expected to remain completely empty (no security context attribute written).
    MockHttpSession existingSession = (MockHttpSession) mockRequest.getSession(false);
    List<String> attributeNames = Collections.list(existingSession.getAttributeNames());
    assertThat(attributeNames).isEmpty();
}