Skip to content

HttpSecurityContextRepository saves @Transient Authentication if HttpSession already exists #9992

New issue
New issue
Closed
Closed
HttpSecurityContextRepository saves @Transient Authentication if HttpSession already exists#9992
Assignees
rwinch
Labels
in: webAn issue in web modules (web, webmvc)type: bugA general bug
@rwinch

Description

@rwinch
rwinch
opened on Jun 23, 2021

If an HttpSession already exists, then HttpSecurityContextRepository will save @Transient Authentication but should not. An example test:

@Test
public void saveContextWhenTransientAuthenticationAndSessionExistsThenSkipped() {
	HttpSessionSecurityContextRepository repo = new HttpSessionSecurityContextRepository();
	MockHttpServletRequest request = new MockHttpServletRequest();
	request.getSession(); // ensure the session exists
	MockHttpServletResponse response = new MockHttpServletResponse();
	HttpRequestResponseHolder holder = new HttpRequestResponseHolder(request, response);
	SecurityContext context = repo.loadContext(holder);
	SomeTransientAuthentication authentication = new SomeTransientAuthentication();
	context.setAuthentication(authentication);
	repo.saveContext(context, holder.getRequest(), holder.getResponse());
	MockHttpSession session = (MockHttpSession) request.getSession(false);
	assertThat(Collections.list(session.getAttributeNames())).isEmpty();
}

Metadata

Metadata

Assignees

Labels

in: webAn issue in web modules (web, webmvc)type: bugA general bug

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions