Add SecurityContextHolderStrategy Test Support

Issue gh-11061
Issue gh-11444

Author: jzheaux

test/src/main/java/org/springframework/security/test/context/TestSecurityContextHolderStrategyAdapter.java

@@ -0,0 +1,45 @@
+/*
+ * Copyright 2002-2022 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.test.context;
+
+import org.springframework.security.core.context.SecurityContext;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.core.context.SecurityContextHolderStrategy;
+
+public final class TestSecurityContextHolderStrategyAdapter implements SecurityContextHolderStrategy {
+
+	@Override
+	public void clearContext() {
+		TestSecurityContextHolder.clearContext();
+	}
+
+	@Override
+	public SecurityContext getContext() {
+		return TestSecurityContextHolder.getContext();
+	}
+
+	@Override
+	public void setContext(SecurityContext context) {
+		TestSecurityContextHolder.setContext(context);
+	}
+
+	@Override
+	public SecurityContext createEmptyContext() {
+		return SecurityContextHolder.createEmptyContext();
+	}
+
+}

test/src/main/java/org/springframework/security/test/context/support/WithAnonymousUserSecurityContextFactory.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2014 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -18,12 +18,14 @@
 
 import java.util.List;
 
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.authentication.AnonymousAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.AuthorityUtils;
 import org.springframework.security.core.context.SecurityContext;
 import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.core.context.SecurityContextHolderStrategy;
 
 /**
  * A {@link WithAnonymousUserSecurityContextFactory} that runs with an
@@ -35,13 +37,21 @@
  */
 final class WithAnonymousUserSecurityContextFactory implements WithSecurityContextFactory<WithAnonymousUser> {
 
+	private SecurityContextHolderStrategy securityContextHolderStrategy = SecurityContextHolder
+			.getContextHolderStrategy();
+
 	@Override
 	public SecurityContext createSecurityContext(WithAnonymousUser withUser) {
 		List<GrantedAuthority> authorities = AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS");
 		Authentication authentication = new AnonymousAuthenticationToken("key", "anonymous", authorities);
-		SecurityContext context = SecurityContextHolder.createEmptyContext();
+		SecurityContext context = this.securityContextHolderStrategy.createEmptyContext();
 		context.setAuthentication(authentication);
 		return context;
 	}
 
+	@Autowired(required = false)
+	void setSecurityContextHolderStrategy(SecurityContextHolderStrategy securityContextHolderStrategy) {
+		this.securityContextHolderStrategy = securityContextHolderStrategy;
+	}
+
 }

test/src/main/java/org/springframework/security/test/context/support/WithMockUserSecurityContextFactory.java

@@ -20,12 +20,14 @@
 import java.util.Arrays;
 import java.util.List;
 
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.core.context.SecurityContext;
 import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.core.context.SecurityContextHolderStrategy;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.util.Assert;
 import org.springframework.util.StringUtils;
@@ -39,6 +41,9 @@
  */
 final class WithMockUserSecurityContextFactory implements WithSecurityContextFactory<WithMockUser> {
 
+	private SecurityContextHolderStrategy securityContextHolderStrategy = SecurityContextHolder
+			.getContextHolderStrategy();
+
 	@Override
 	public SecurityContext createSecurityContext(WithMockUser withUser) {
 		String username = StringUtils.hasLength(withUser.username()) ? withUser.username() : withUser.value();
@@ -60,9 +65,14 @@ else if (!(withUser.roles().length == 1 && "USER".equals(withUser.roles()[0])))
 		User principal = new User(username, withUser.password(), true, true, true, true, grantedAuthorities);
 		Authentication authentication = UsernamePasswordAuthenticationToken.authenticated(principal,
 				principal.getPassword(), principal.getAuthorities());
-		SecurityContext context = SecurityContextHolder.createEmptyContext();
+		SecurityContext context = this.securityContextHolderStrategy.createEmptyContext();
 		context.setAuthentication(authentication);
 		return context;
 	}
 
+	@Autowired(required = false)
+	void setSecurityContextHolderStrategy(SecurityContextHolderStrategy securityContextHolderStrategy) {
+		this.securityContextHolderStrategy = securityContextHolderStrategy;
+	}
+
 }

test/src/main/java/org/springframework/security/test/context/support/WithSecurityContextTestExecutionListener.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2018 the original author or authors.
+ * Copyright 2002-2022 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -21,12 +21,16 @@
 import java.util.function.Supplier;
 
 import org.springframework.beans.BeanUtils;
+import org.springframework.context.ApplicationContext;
 import org.springframework.core.GenericTypeResolver;
 import org.springframework.core.annotation.AnnotatedElementUtils;
 import org.springframework.core.annotation.AnnotationUtils;
+import org.springframework.core.convert.converter.Converter;
 import org.springframework.security.core.context.SecurityContext;
 import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.core.context.SecurityContextHolderStrategy;
 import org.springframework.security.test.context.TestSecurityContextHolder;
+import org.springframework.security.test.context.TestSecurityContextHolderStrategyAdapter;
 import org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors;
 import org.springframework.test.context.TestContext;
 import org.springframework.test.context.TestContextAnnotationUtils;
@@ -53,6 +57,19 @@ public class WithSecurityContextTestExecutionListener extends AbstractTestExecut
 	static final String SECURITY_CONTEXT_ATTR_NAME = WithSecurityContextTestExecutionListener.class.getName()
 			.concat(".SECURITY_CONTEXT");
 
+	static final SecurityContextHolderStrategy DEFAULT_SECURITY_CONTEXT_HOLDER_STRATEGY = new TestSecurityContextHolderStrategyAdapter();
+
+	Converter<TestContext, SecurityContextHolderStrategy> securityContextHolderStrategyConverter = (testContext) -> {
+		if (!testContext.hasApplicationContext()) {
+			return DEFAULT_SECURITY_CONTEXT_HOLDER_STRATEGY;
+		}
+		ApplicationContext context = testContext.getApplicationContext();
+		if (context.getBeanNamesForType(SecurityContextHolderStrategy.class).length == 0) {
+			return DEFAULT_SECURITY_CONTEXT_HOLDER_STRATEGY;
+		}
+		return context.getBean(SecurityContextHolderStrategy.class);
+	};
+
 	/**
 	 * Sets up the {@link SecurityContext} for each test method. First the specific method
 	 * is inspected for a {@link WithSecurityContext} or {@link Annotation} that has
@@ -70,7 +87,7 @@ public void beforeTestMethod(TestContext testContext) {
 		}
 		Supplier<SecurityContext> supplier = testSecurityContext.getSecurityContextSupplier();
 		if (testSecurityContext.getTestExecutionEvent() == TestExecutionEvent.TEST_METHOD) {
-			TestSecurityContextHolder.setContext(supplier.get());
+			this.securityContextHolderStrategyConverter.convert(testContext).setContext(supplier.get());
 		}
 		else {
 			testContext.setAttribute(SECURITY_CONTEXT_ATTR_NAME, supplier);
@@ -86,7 +103,7 @@ public void beforeTestExecution(TestContext testContext) {
 		Supplier<SecurityContext> supplier = (Supplier<SecurityContext>) testContext
 				.removeAttribute(SECURITY_CONTEXT_ATTR_NAME);
 		if (supplier != null) {
-			TestSecurityContextHolder.setContext(supplier.get());
+			this.securityContextHolderStrategyConverter.convert(testContext).setContext(supplier.get());
 		}
 	}
 
@@ -166,7 +183,7 @@ private WithSecurityContextFactory<? extends Annotation> createFactory(WithSecur
 	 */
 	@Override
 	public void afterTestMethod(TestContext testContext) {
-		TestSecurityContextHolder.clearContext();
+		this.securityContextHolderStrategyConverter.convert(testContext).clearContext();
 	}
 
 	/**

test/src/main/java/org/springframework/security/test/context/support/WithUserDetailsSecurityContextFactory.java

@@ -24,6 +24,7 @@
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContext;
 import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.core.context.SecurityContextHolderStrategy;
 import org.springframework.security.core.userdetails.ReactiveUserDetailsService;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.core.userdetails.UserDetailsService;
@@ -45,6 +46,9 @@ final class WithUserDetailsSecurityContextFactory implements WithSecurityContext
 	private static final boolean reactorPresent = ClassUtils.isPresent("reactor.core.publisher.Mono",
 			WithUserDetailsSecurityContextFactory.class.getClassLoader());
 
+	private SecurityContextHolderStrategy securityContextHolderStrategy = SecurityContextHolder
+			.getContextHolderStrategy();
+
 	private BeanFactory beans;
 
 	@Autowired
@@ -61,11 +65,16 @@ public SecurityContext createSecurityContext(WithUserDetails withUser) {
 		UserDetails principal = userDetailsService.loadUserByUsername(username);
 		Authentication authentication = UsernamePasswordAuthenticationToken.authenticated(principal,
 				principal.getPassword(), principal.getAuthorities());
-		SecurityContext context = SecurityContextHolder.createEmptyContext();
+		SecurityContext context = this.securityContextHolderStrategy.createEmptyContext();
 		context.setAuthentication(authentication);
 		return context;
 	}
 
+	@Autowired(required = false)
+	void setSecurityContextHolderStrategy(SecurityContextHolderStrategy securityContextHolderStrategy) {
+		this.securityContextHolderStrategy = securityContextHolderStrategy;
+	}
+
 	private UserDetailsService findUserDetailsService(String beanName) {
 		if (reactorPresent) {
 			UserDetailsService reactive = findAndAdaptReactiveUserDetailsService(beanName);

test/src/main/java/org/springframework/security/test/web/servlet/request/SecurityMockMvcRequestPostProcessors.java

@@ -55,6 +55,7 @@
 import org.springframework.security.core.authority.SimpleGrantedAuthority;
 import org.springframework.security.core.context.SecurityContext;
 import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.core.context.SecurityContextHolderStrategy;
 import org.springframework.security.core.userdetails.User;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.oauth2.client.OAuth2AuthorizeRequest;
@@ -85,6 +86,7 @@
 import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
 import org.springframework.security.oauth2.server.resource.introspection.OAuth2IntrospectionAuthenticatedPrincipal;
 import org.springframework.security.test.context.TestSecurityContextHolder;
+import org.springframework.security.test.context.TestSecurityContextHolderStrategyAdapter;
 import org.springframework.security.test.web.servlet.setup.SecurityMockMvcConfigurers;
 import org.springframework.security.test.web.support.WebTestUtils;
 import org.springframework.security.web.context.HttpRequestResponseHolder;
@@ -115,6 +117,8 @@
  */
 public final class SecurityMockMvcRequestPostProcessors {
 
+	private static final SecurityContextHolderStrategy DEFAULT_SECURITY_CONTEXT_HOLDER_STRATEGY = new TestSecurityContextHolderStrategyAdapter();
+
 	private SecurityMockMvcRequestPostProcessors() {
 	}
 
@@ -455,6 +459,18 @@ public static OAuth2ClientRequestPostProcessor oauth2Client(String registrationI
 		return new OAuth2ClientRequestPostProcessor(registrationId);
 	}
 
+	private static SecurityContextHolderStrategy getSecurityContextHolderStrategy(HttpServletRequest request) {
+		WebApplicationContext context = WebApplicationContextUtils
+				.findWebApplicationContext(request.getServletContext());
+		if (context == null) {
+			return DEFAULT_SECURITY_CONTEXT_HOLDER_STRATEGY;
+		}
+		if (context.getBeanNamesForType(SecurityContextHolderStrategy.class).length == 0) {
+			return DEFAULT_SECURITY_CONTEXT_HOLDER_STRATEGY;
+		}
+		return context.getBean(SecurityContextHolderStrategy.class);
+	}
+
 	/**
 	 * Populates the X509Certificate instances onto the request
 	 */
@@ -710,7 +726,7 @@ private abstract static class SecurityContextRequestPostProcessorSupport {
 		 * @param request the {@link HttpServletRequest} to use
 		 */
 		final void save(Authentication authentication, HttpServletRequest request) {
-			SecurityContext securityContext = SecurityContextHolder.createEmptyContext();
+			SecurityContext securityContext = getSecurityContextHolderStrategy(request).createEmptyContext();
 			securityContext.setAuthentication(authentication);
 			save(securityContext, request);
 		}
@@ -790,17 +806,17 @@ private static SecurityContext getContext(HttpServletRequest request) {
 	private static final class TestSecurityContextHolderPostProcessor extends SecurityContextRequestPostProcessorSupport
 			implements RequestPostProcessor {
 
-		private SecurityContext EMPTY = SecurityContextHolder.createEmptyContext();
-
 		@Override
 		public MockHttpServletRequest postProcessRequest(MockHttpServletRequest request) {
 			// TestSecurityContextHolder is only a default value
 			SecurityContext existingContext = TestSecurityContextRepository.getContext(request);
 			if (existingContext != null) {
 				return request;
 			}
-			SecurityContext context = TestSecurityContextHolder.getContext();
-			if (!this.EMPTY.equals(context)) {
+			SecurityContextHolderStrategy strategy = getSecurityContextHolderStrategy(request);
+			SecurityContext empty = strategy.createEmptyContext();
+			SecurityContext context = strategy.getContext();
+			if (!empty.equals(context)) {
 				save(context, request);
 			}
 			return request;
@@ -851,7 +867,7 @@ private AuthenticationRequestPostProcessor(Authentication authentication) {
 
 		@Override
 		public MockHttpServletRequest postProcessRequest(MockHttpServletRequest request) {
-			SecurityContext context = SecurityContextHolder.createEmptyContext();
+			SecurityContext context = getSecurityContextHolderStrategy(request).createEmptyContext();
 			context.setAuthentication(this.authentication);
 			save(this.authentication, request);
 			return request;
@@ -869,7 +885,7 @@ public MockHttpServletRequest postProcessRequest(MockHttpServletRequest request)
 	 */
 	private static final class UserDetailsRequestPostProcessor implements RequestPostProcessor {
 
-		private final RequestPostProcessor delegate;
+		private final AuthenticationRequestPostProcessor delegate;
 
 		UserDetailsRequestPostProcessor(UserDetails user) {
 			Authentication token = UsernamePasswordAuthenticationToken.authenticated(user, user.getPassword(),