
Commit 269c711

committed
RequestAttributeSecurityContextRepository never null SecurityContext
Previously loadContext(HttpServletRequest) could return a Supplier that returned a null SecurityContext. This commit ensures that null is never returned by the Supplier by returning SecurityContextHolder.createEmptyContext() instead. Closes gh-11606
1 parent 99f768b commit 269c711


2 files changed

+27
-4
lines changed


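--- a/web/src/main/java/org/springframework/security/web/context/RequestAttributeSecurityContextRepository.java
+++ b/web/src/main/java/org/springframework/security/web/context/RequestAttributeSecurityContextRepository.java
@@ -66,18 +66,26 @@ public RequestAttributeSecurityContextRepository(String requestAttributeName) {
 
 @Override
 public boolean containsContext(HttpServletRequest request) {
-return loadContext(request).get() != null;
+return getContext(request) != null;
 }
 
 @Override
 public SecurityContext loadContext(HttpRequestResponseHolder requestResponseHolder) {
-SecurityContext context = loadContext(requestResponseHolder.getRequest()).get();
-return (context != null) ? context : SecurityContextHolder.createEmptyContext();
+return getContextOrEmpty(requestResponseHolder.getRequest());
 }
 
 @Override
 public Supplier<SecurityContext> loadContext(HttpServletRequest request) {
-return () -> (SecurityContext) request.getAttribute(this.requestAttributeName);
+return () -> getContextOrEmpty(request);
+}
+
+private SecurityContext getContextOrEmpty(HttpServletRequest request) {
+SecurityContext context = getContext(request);
+return (context != null) ? context : SecurityContextHolder.createEmptyContext();
+}
+
+private SecurityContext getContext(HttpServletRequest request) {
+return (SecurityContext) request.getAttribute(this.requestAttributeName);
 }
 
 @Override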
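Review bot: `containsContext` now depends on reading the raw attribute through `getContext`, because the supplier returned by `loadContext(HttpServletRequest)` can no longer yield null, but nothing in the new code records that constraint. If a later cleanup routes it back through `loadContext(request).get()`, it would report a context for every request, which matters for any caller that uses the answer to decide whether a context was already established. I would add a comment above the return, `// Read the raw attribute: loadContext(request).get() never returns null and would always report true.` The fallback in `getContextOrEmpty` is also a fresh `createEmptyContext()` per call that is not written to the request, so the Javadoc of the `Supplier` overload could say that changes made to it are lost unless `saveContext` is called.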

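--- a/web/src/test/java/org/springframework/security/web/context/RequestAttributeSecurityContextRepositoryTests.java
+++ b/web/src/test/java/org/springframework/security/web/context/RequestAttributeSecurityContextRepositoryTests.java
@@ -16,6 +16,8 @@
 
 package org.springframework.security.web.context;
 
+import java.util.function.Supplier;
+
 import org.junit.jupiter.api.Test;
 
 import org.springframework.mock.web.MockHttpServletRequest;
@@ -67,4 +69,17 @@ void containsContextWhenSavedThenTrue() {
 assertThat(this.repository.containsContext(this.request)).isTrue();
 }
 
+@Test
+void loadDeferredContextWhenNotPresentThenEmptyContext() {
+Supplier<SecurityContext> deferredContext = this.repository.loadContext(this.request);
+assertThat(deferredContext.get()).isEqualTo(SecurityContextHolder.createEmptyContext());
+}
+
+@Test
+void loadContextWhenNotPresentThenEmptyContext() {
+SecurityContext context = this.repository
+.loadContext(new HttpRequestResponseHolder(this.request, this.response));
+assertThat(context).isEqualTo(SecurityContextHolder.createEmptyContext());
+}
+
 }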
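Review bot: Neither added test pins that `containsContext` stays false for a request with no saved context, which is the one path the production change could silently break now that the supplier never returns null. Only `containsContextWhenSavedThenTrue` is visible in this hunk, so a negative case may already exist elsewhere in the file; if it does not, a `containsContextWhenNotSavedThenFalse` test asserting `assertThat(this.repository.containsContext(this.request)).isFalse();` would cover it. The two new assertions compare against `SecurityContextHolder.createEmptyContext()` with `isEqualTo`, which presumably relies on the context type's `equals`; also asserting that `getAuthentication()` is null would state the intent more directly.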
