
Default use of RequestAttributeSecurityContextRepository instead of NullSecurityContextRepository

Open • rwinch opened this issue 3 years ago • 2 comments

Rather than totally ignoring saving the SecurityContext, we should place it on the request as a request attribute to ensure that other dispatch types work properly.

Related gh-10918

rwinch, Mar 25 '22 15:03

How can RequestAttributeSecurityContextRepository be used if it doesn't create SecurityContextHolder.createEmptyContext(), because RequestAttributeSecurityContextRepository#loadContext(HttpServletRequest) is called instead of loadContext(HttpRequestResponseHolder), and an exception will be thrown if the SecurityContextHolderFilter calls SecurityContextHolder.setContext(null): "Only non-null SecurityContext instances are allowed"?

Expect loadContext(HttpServletRequest) to return SecurityContextHolder.createEmptyContext() if request.getAttribute() == null

Reproduced at https://github.com/spring-projects/spring-security/releases/tag/5.7.1

akovalyev, Jun 01 '22 09:06

Hi @akovalyev, I think that your scenario is a bug. I created this ticket to track that.

marcusdacoregio, Jul 21 '22 14:07