Skip to content

SessionManagementConfigurer ignores custom SecurityContextRepository for SessionManagementFilter #12579

New issue
New issue
Closed
Closed
SessionManagementConfigurer ignores custom SecurityContextRepository for SessionManagementFilter#12579
Assignees
jzheaux
Labels
in: configAn issue in spring-security-configtype: bugA general bug
Milestone
 
6.0.2
@m-ibot

Description

@m-ibot
m-ibot
opened on Jan 24, 2023

Describe the bug

A custom SecurityContextRepository that is configured for a SecurityFilterChain will be ignored by SessionManagementConfigurer/SessionManagementFilter. Instead the SessionManagementFilter uses the default HttpSessionSecurityContextRepository.

This happens in Spring Security 6.0.x. The issue did not appear in Spring Security 5.7.x.

The SessionManagementFilter is created when the method SessionManagementConfigurer#configure(H http) is called (see here).

In Spring Security 5.7.x the SecurityContextRepository is determined by calling http.getSharedObject(SecurityContextRepository.class).

SecurityContextRepository securityContextRepository = http.getSharedObject(SecurityContextRepository.class);
SessionManagementFilter sessionManagementFilter = new SessionManagementFilter(securityContextRepository, getSessionAuthenticationStrategy(http));
// ....

In Spring Security 6.0.x this behavior changed. this.sessionManagementSecurityContextRepository is passed for the SessionManagementFilter constructor.
See SessionManagementConfigurer

SecurityContextRepository securityContextRepository = this.sessionManagementSecurityContextRepository;
SessionManagementFilter sessionManagementFilter = new SessionManagementFilter(securityContextRepository, getSessionAuthenticationStrategy(http));

The default value for this.sessionManagementSecurityContextRepository is new HttpSessionSecurityContextRepository(). This value is only overwritten in SessionManagementConfigurer#init(H http) (see here). But NOT, if SecurityContextRepository from http.getSharedObject(SecurityContextRepository.class) is null

SecurityContextRepository securityContextRepository = http.getSharedObject(SecurityContextRepository.class);
	boolean stateless = isStateless();
	if (securityContextRepository == null) {
		// this.sessionManagementSecurityContextRepository is set
	}
	// No else case, where
	// this.sessionManagementSecurityContextRepository = securityContextRepository;

To Reproduce

Set a custom SecurityContextRepository in a SecurityFilterChain:

  @Bean
  public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    http
        .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.ALWAYS)
        .and()
        .securityContext().securityContextRepository(new MySecurityContextRepositoryImpl()); // <- set custom SecurityContextRepository
    return http.build();
  }

Unfortunately, this setting does not have any affect on SessionManagementFilter.

Expected behavior
The custom SecurityContextRepository is passed to SessionManagementFilter's constructor.

Metadata

Metadata

Assignees

Labels

in: configAn issue in spring-security-configtype: bugA general bug

Type

No type

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions