spring-projects · jzheaux · Aug 10, 2019 · Aug 9, 2019
diff --git a/config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java b/config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java
@@ -972,6 +972,8 @@ public class OAuth2LoginSpec {
 
 		private ReactiveAuthenticationManager authenticationManager;
 
+		private ServerSecurityContextRepository securityContextRepository = new WebSessionServerSecurityContextRepository();
+
 		private ServerAuthenticationConverter authenticationConverter;
 
 		private ServerOAuth2AuthorizationRequestResolver authorizationRequestResolver;
@@ -993,6 +995,19 @@ public OAuth2LoginSpec authenticationManager(ReactiveAuthenticationManager authe
 			return this;
 		}
 
+		/**
+		 * The {@link ServerSecurityContextRepository} used to save the {@code Authentication}. Defaults to
+		 * {@link WebSessionServerSecurityContextRepository}.
+		 *
+		 * @since 5.2
+		 * @param securityContextRepository the repository to use
+		 * @return the {@link OAuth2LoginSpec} to continue configuring
+		 */
+		public OAuth2LoginSpec securityContextRepository(ServerSecurityContextRepository securityContextRepository) {
+			this.securityContextRepository = securityContextRepository;
+			return this;
+		}
+
 		/**
 		 * The {@link ServerAuthenticationSuccessHandler} used after authentication success. Defaults to
 		 * {@link RedirectServerAuthenticationSuccessHandler} redirecting to "/".
@@ -1138,7 +1153,7 @@ protected void configure(ServerHttpSecurity http) {
 
 			authenticationFilter.setAuthenticationSuccessHandler(this.authenticationSuccessHandler);
 			authenticationFilter.setAuthenticationFailureHandler(this.authenticationFailureHandler);
-			authenticationFilter.setSecurityContextRepository(new WebSessionServerSecurityContextRepository());
+			authenticationFilter.setSecurityContextRepository(this.securityContextRepository);
 
 			MediaTypeServerWebExchangeMatcher htmlMatcher = new MediaTypeServerWebExchangeMatcher(
 					MediaType.TEXT_HTML);

diff --git a/config/src/test/java/org/springframework/security/config/web/server/OAuth2LoginTests.java b/config/src/test/java/org/springframework/security/config/web/server/OAuth2LoginTests.java
@@ -426,6 +426,9 @@ public void oauth2LoginWhenCustomBeansThenUsed() {
 		ServerAuthenticationConverter converter = config.authenticationConverter;
 		when(converter.convert(any())).thenReturn(Mono.just(token));
 
+		ServerSecurityContextRepository securityContextRepository = config.securityContextRepository;
+		when(securityContextRepository.save(any(), any())).thenReturn(Mono.empty());
+
 		Map<String, Object> additionalParameters = new HashMap<>();
 		additionalParameters.put(OidcParameterNames.ID_TOKEN, "id-token");
 		OAuth2AccessTokenResponse accessTokenResponse = OAuth2AccessTokenResponse.withToken(accessToken.getTokenValue())
@@ -447,6 +450,7 @@ public void oauth2LoginWhenCustomBeansThenUsed() {
 
 		verify(config.jwtDecoderFactory).createDecoder(any());
 		verify(tokenResponseClient).getTokenResponse(any());
+		verify(securityContextRepository).save(any(), any());
 	}
 
 	@Configuration
@@ -461,6 +465,8 @@ static class OAuth2LoginWithCustomBeansConfig {
 
 		ReactiveJwtDecoderFactory<ClientRegistration> jwtDecoderFactory = spy(new JwtDecoderFactory());
 
+		ServerSecurityContextRepository securityContextRepository = mock(ServerSecurityContextRepository.class);
+
 		@Bean
 		public SecurityWebFilterChain springSecurityFilter(ServerHttpSecurity http) {
 			// @formatter:off
@@ -470,7 +476,8 @@ public SecurityWebFilterChain springSecurityFilter(ServerHttpSecurity http) {
 					.and()
 				.oauth2Login()
 					.authenticationConverter(authenticationConverter)
-					.authenticationManager(authenticationManager());
+					.authenticationManager(authenticationManager())
+					.securityContextRepository(securityContextRepository);
 			return http.build();
 			// @formatter:on
 		}