Add SecurityContextHolderStrategy for Jaas

Issue gh-11060
Issue gh-11061

Author: jzheaux

config/src/main/java/org/springframework/security/config/http/HttpConfigurationBuilder.java

@@ -611,7 +611,8 @@ private void createJaasApiFilter() {
 			provideJaasApi = DEF_JAAS_API_PROVISION;
 		}
 		if ("true".equals(provideJaasApi)) {
-			this.jaasApiFilter = new RootBeanDefinition(JaasApiIntegrationFilter.class);
+			this.jaasApiFilter = BeanDefinitionBuilder.rootBeanDefinition(JaasApiIntegrationFilter.class)
+					.addPropertyValue("securityContextHolderStrategy", this.holderStrategyRef).getBeanDefinition();
 		}
 	}
 

core/src/main/java/org/springframework/security/authentication/jaas/SecurityContextLoginModule.java

@@ -28,6 +28,8 @@
 
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.core.context.SecurityContextHolderStrategy;
+import org.springframework.util.Assert;
 
 /**
  * An implementation of {@link LoginModule} that uses a Spring Security
@@ -55,6 +57,9 @@ public class SecurityContextLoginModule implements LoginModule {
 
 	private static final Log log = LogFactory.getLog(SecurityContextLoginModule.class);
 
+	private SecurityContextHolderStrategy securityContextHolderStrategy = SecurityContextHolder
+			.getContextHolderStrategy();
+
 	private Authentication authen;
 
 	private Subject subject;
@@ -93,6 +98,17 @@ public boolean commit() {
 		return true;
 	}
 
+	/**
+	 * Sets the {@link SecurityContextHolderStrategy} to use. The default action is to use
+	 * the {@link SecurityContextHolderStrategy} stored in {@link SecurityContextHolder}.
+	 *
+	 * @since 5.8
+	 */
+	public void setSecurityContextHolderStrategy(SecurityContextHolderStrategy securityContextHolderStrategy) {
+		Assert.notNull(securityContextHolderStrategy, "securityContextHolderStrategy cannot be null");
+		this.securityContextHolderStrategy = securityContextHolderStrategy;
+	}
+
 	Authentication getAuthentication() {
 		return this.authen;
 	}
@@ -129,7 +145,7 @@ public void initialize(Subject subject, CallbackHandler callbackHandler, Map sha
 	 */
 	@Override
 	public boolean login() throws LoginException {
-		this.authen = SecurityContextHolder.getContext().getAuthentication();
+		this.authen = this.securityContextHolderStrategy.getContext().getAuthentication();
 		if (this.authen != null) {
 			return true;
 		}

core/src/test/java/org/springframework/security/authentication/jaas/SecurityContextLoginModuleTests.java

@@ -29,9 +29,13 @@
 
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.core.context.SecurityContextHolderStrategy;
+import org.springframework.security.core.context.SecurityContextImpl;
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatExceptionOfType;
+import static org.mockito.BDDMockito.given;
+import static org.mockito.Mockito.mock;
 
 /**
  * Tests SecurityContextLoginModule
@@ -84,6 +88,18 @@ public void testLoginSuccess() throws Exception {
 				.withFailMessage("Principals should contain the authentication").isTrue();
 	}
 
+	@Test
+	public void loginWhenCustomSecurityContextHolderStrategyThenUses() throws Exception {
+		SecurityContextHolderStrategy securityContextHolderStrategy = mock(SecurityContextHolderStrategy.class);
+		given(securityContextHolderStrategy.getContext()).willReturn(new SecurityContextImpl(this.auth));
+		this.module.setSecurityContextHolderStrategy(securityContextHolderStrategy);
+		assertThat(this.module.login()).as("Login should succeed, there is an authentication set").isTrue();
+		assertThat(this.module.commit()).withFailMessage("The authentication is not null, this should return true")
+				.isTrue();
+		assertThat(this.subject.getPrincipals().contains(this.auth))
+				.withFailMessage("Principals should contain the authentication").isTrue();
+	}
+
 	@Test
 	public void testLogout() throws Exception {
 		SecurityContextHolder.getContext().setAuthentication(this.auth);

web/src/main/java/org/springframework/security/web/jaasapi/JaasApiIntegrationFilter.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2010-2021 the original author or authors.
+ * Copyright 2010-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -31,6 +31,8 @@
 import org.springframework.security.authentication.jaas.JaasAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.core.context.SecurityContextHolderStrategy;
+import org.springframework.util.Assert;
 import org.springframework.web.filter.GenericFilterBean;
 
 /**
@@ -51,6 +53,9 @@
  */
 public class JaasApiIntegrationFilter extends GenericFilterBean {
 
+	private SecurityContextHolderStrategy securityContextHolderStrategy = SecurityContextHolder
+			.getContextHolderStrategy();
+
 	private boolean createEmptySubject;
 
 	/**
@@ -113,7 +118,7 @@ public final void doFilter(ServletRequest request, ServletResponse response, Fil
 	 * available.
 	 */
 	protected Subject obtainSubject(ServletRequest request) {
-		Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
+		Authentication authentication = this.securityContextHolderStrategy.getContext().getAuthentication();
 		this.logger.debug(LogMessage.format("Attempting to obtainSubject using authentication : %s", authentication));
 		if (authentication == null) {
 			return null;
@@ -143,4 +148,15 @@ public final void setCreateEmptySubject(boolean createEmptySubject) {
 		this.createEmptySubject = createEmptySubject;
 	}
 
+	/**
+	 * Sets the {@link SecurityContextHolderStrategy} to use. The default action is to use
+	 * the {@link SecurityContextHolderStrategy} stored in {@link SecurityContextHolder}.
+	 *
+	 * @since 5.8
+	 */
+	public void setSecurityContextHolderStrategy(SecurityContextHolderStrategy securityContextHolderStrategy) {
+		Assert.notNull(securityContextHolderStrategy, "securityContextHolderStrategy cannot be null");
+		this.securityContextHolderStrategy = securityContextHolderStrategy;
+	}
+
 }

web/src/test/java/org/springframework/security/web/jaasapi/JaasApiIntegrationFilterTests.java

@@ -48,8 +48,12 @@
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.authority.AuthorityUtils;
 import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.core.context.SecurityContextHolderStrategy;
+import org.springframework.security.core.context.SecurityContextImpl;
 
 import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.BDDMockito.given;
+import static org.mockito.Mockito.mock;
 
 /**
  * Tests the JaasApiIntegrationFilter.
@@ -189,6 +193,14 @@ public void doFilterAuthenticationNull() throws Exception {
 		assertJaasSubjectEquals(new Subject());
 	}
 
+	@Test
+	public void doFilterUsesCustomSecurityContextHolderStrategy() throws Exception {
+		SecurityContextHolderStrategy strategy = mock(SecurityContextHolderStrategy.class);
+		given(strategy.getContext()).willReturn(new SecurityContextImpl(this.token));
+		this.filter.setSecurityContextHolderStrategy(strategy);
+		assertJaasSubjectEquals(this.authenticatedSubject);
+	}
+
 	private void assertJaasSubjectEquals(final Subject expectedValue) throws Exception {
 		MockFilterChain chain = new MockFilterChain() {
 			@Override