Polish X509 SecurityContextRepository

jzheaux · jzheaux · commit 64542b40598a · 2023-04-18T12:18:20.000-06:00
Like Basic and Bearer authentication, X509 is stateless by default. As such, it is better to not pick up the global SecurityContextRepository bean. The better fix is to change the default from HttpSessionSecurityContextRepository to RequestAttributeSecurityContextRepository. Issue gh-13008
diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/X509Configurer.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/X509Configurer.java
@@ -17,7 +17,6 @@
 package org.springframework.security.config.annotation.web.configurers;
 
 import jakarta.servlet.http.HttpServletRequest;
-
 import org.springframework.beans.factory.NoSuchBeanDefinitionException;
 import org.springframework.context.ApplicationContext;
 import org.springframework.security.authentication.AuthenticationDetailsSource;
@@ -36,7 +35,7 @@
 import org.springframework.security.web.authentication.preauth.x509.SubjectDnX509PrincipalExtractor;
 import org.springframework.security.web.authentication.preauth.x509.X509AuthenticationFilter;
 import org.springframework.security.web.authentication.preauth.x509.X509PrincipalExtractor;
-import org.springframework.security.web.context.SecurityContextRepository;
+import org.springframework.security.web.context.RequestAttributeSecurityContextRepository;
 
 /**
  * Adds X509 based pre authentication to an application. Since validating the certificate
@@ -193,13 +192,7 @@ private X509AuthenticationFilter getFilter(AuthenticationManager authenticationM
 			if (this.authenticationDetailsSource != null) {
 				this.x509AuthenticationFilter.setAuthenticationDetailsSource(this.authenticationDetailsSource);
 			}
-			SecurityContextConfigurer<?> securityContextConfigurer = http
-					.getConfigurer(SecurityContextConfigurer.class);
-			if (securityContextConfigurer != null && securityContextConfigurer.isRequireExplicitSave()) {
-				SecurityContextRepository securityContextRepository = securityContextConfigurer
-						.getSecurityContextRepository();
-				this.x509AuthenticationFilter.setSecurityContextRepository(securityContextRepository);
-			}
+			this.x509AuthenticationFilter.setSecurityContextRepository(new RequestAttributeSecurityContextRepository());
 			this.x509AuthenticationFilter.setSecurityContextHolderStrategy(getSecurityContextHolderStrategy());
 			this.x509AuthenticationFilter = postProcess(this.x509AuthenticationFilter);
 		}
