Obtain SecurityContext from the SecurityContextHolderStrategy bean
This fixes #21401 by providing a SecurityContextHolderStrategy bean as part of Spring Security auto-configuration and replacing static invocations of SecurityContextHolder.getContext() with the strategy bean.
- [x] Provide SecurityContextHolderStrategy in SpringSecurityAutoConfiguration
- [x] Remove conflicting VaadinAwareSecurityContextHolderStrategyConfiguration
- [x] Set the strategy on filters during VaadinSecurityConfigurer build lifecycle
- [x] Set the strategy statically when using VaadinWebSecurity for backwards compatibility
- [x] Inject the strategy bean in AuthenticationContext and SpringAccessPathChecker
- [x] Deprecate constructors that obtain the strategy statically
- [ ] Avoid static access in AuthenticationUtil methods
- [ ] Update tests
Breaking changes
- VaadinAwareSecurityContextHolderStrategyConfiguration has been removed — mild since it was purely for internal use
- SpringSecurityAutoConfiguration::accessPatchChecker signature has changed to include the strategy parameter — mild since this class shouldn't be extended (better have package-private bean methods)
- Applications that have set a custom strategy statically after VaadinAwareSecurityContextHolderStrategyConfiguration might expect that custom strategy to be used by Flow, instead of the bean — those apps should now provide the custom strategy as a bean (if they expect Flow to use it)
DRAFT Tests setting the strategy statically must be updated (some already are)
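The migration described under "Breaking changes", sketched as an added example (not code from this PR or from Flow): an application publishes its custom strategy as a bean and reads the context through the injected strategy rather than the static holder. `CustomStrategyConfig`, `ThreadBoundStrategy` and `CurrentUser` are hypothetical names, and the strategy body is a constructed stand-in for the application's own.

```java
import java.util.Optional;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolderStrategy;
import org.springframework.security.core.context.SecurityContextImpl;
import org.springframework.stereotype.Component;

// Hypothetical app configuration: the custom strategy is published as a bean
// instead of being installed via SecurityContextHolder.setContextHolderStrategy().
@Configuration
class CustomStrategyConfig {
    @Bean
    SecurityContextHolderStrategy securityContextHolderStrategy() {
        return new ThreadBoundStrategy();
    }
}

// Constructed minimal strategy (one context per thread), standing in for the app's own.
final class ThreadBoundStrategy implements SecurityContextHolderStrategy {
    private final ThreadLocal<SecurityContext> holder = new ThreadLocal<>();
    @Override public void clearContext() { holder.remove(); }
    @Override public SecurityContext createEmptyContext() { return new SecurityContextImpl(); }
    @Override public void setContext(SecurityContext context) { holder.set(context); }
    @Override public SecurityContext getContext() {
        SecurityContext context = holder.get();
        if (context == null) { // never return null: callers dereference the result
            context = createEmptyContext();
            holder.set(context);
        }
        return context;
    }
}

// Hypothetical consumer: reads through the injected bean. A static
// SecurityContextHolder.getContext() call here could consult a different
// strategy instance than the one the bean exposes and find no authentication.
@Component
class CurrentUser {
    private final SecurityContextHolderStrategy strategy;
    CurrentUser(SecurityContextHolderStrategy strategy) { this.strategy = strategy; }
    Optional<String> name() {
        Authentication auth = strategy.getContext().getAuthentication();
        if (auth == null || auth instanceof AnonymousAuthenticationToken || !auth.isAuthenticated()) {
            return Optional.empty(); // missing or anonymous means "no user"
        }
        return Optional.of(auth.getName());
    }
}
```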
Test Results
- 1 281 files ±0, 1 281 suites ±0, 1h 17m 14s ⏱️ -1s
- 8 877 tests +1: 8 810 ✅ +1, 67 💤 ±0, 0 ❌ ±0
- 9 322 runs -12: 9 247 ✅ -10, 75 💤 -2, 0 ❌ ±0
Results for commit 0e328e81. ± Comparison against base commit ee5139eb.
Quality Gate passed
Issues
483 New issues
0 Accepted issues
Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code
One missing part: restore and deprecate VaadinAwareSecurityContextHolderStrategyConfiguration
This PR can be revised after VaadinWebSecurity removal gets merged.
Quality Gate passed
Issues
600 New issues
0 Accepted issues
Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code
Closing this in favor of an incremental approach and a proper deprecation cycle of the static accessor to the holder strategy, with #22745 as a starting point.