Add test support for SecurityContextHolderFilter

Issue gh-9635

Author: rwinch

test/src/main/java/org/springframework/security/test/web/support/WebTestUtils.java

@@ -85,6 +85,10 @@ public static void setSecurityContextRepository(HttpServletRequest request,
 		if (filter != null) {
 			ReflectionTestUtils.setField(filter, "repo", securityContextRepository);
 		}
+		SecurityContextHolderFilter holderFilter = findFilter(request, SecurityContextHolderFilter.class);
+		if (holderFilter != null) {
+			ReflectionTestUtils.setField(holderFilter, "securityContextRepository", securityContextRepository);
+		}
 	}
 
 	/**

test/src/test/java/org/springframework/security/test/web/support/WebTestUtilsTests.java

@@ -24,6 +24,7 @@
 import org.mockito.junit.jupiter.MockitoExtension;
 
 import org.springframework.context.ConfigurableApplicationContext;
+import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.mock.web.MockHttpServletRequest;
 import org.springframework.security.config.BeanIds;
@@ -33,6 +34,7 @@
 import org.springframework.security.web.DefaultSecurityFilterChain;
 import org.springframework.security.web.FilterChainProxy;
 import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
+import org.springframework.security.web.context.SecurityContextHolderFilter;
 import org.springframework.security.web.context.SecurityContextPersistenceFilter;
 import org.springframework.security.web.context.SecurityContextRepository;
 import org.springframework.security.web.csrf.CsrfFilter;
@@ -43,6 +45,7 @@
 import org.springframework.web.context.support.AnnotationConfigWebApplicationContext;
 
 import static org.assertj.core.api.Assertions.assertThat;
+import static org.mockito.Mockito.mock;
 
 @ExtendWith(MockitoExtension.class)
 public class WebTestUtilsTests {
@@ -126,6 +129,19 @@ public void getSecurityContextRepositorySecurityCustomRepo() {
 		assertThat(WebTestUtils.getSecurityContextRepository(this.request)).isSameAs(this.contextRepo);
 	}
 
+	@Test
+	public void setSecurityContextRepositoryWhenSecurityContextHolderFilter() {
+		SecurityContextRepository expectedRepository = mock(SecurityContextRepository.class);
+		loadConfig(SecurityContextHolderFilterConfig.class);
+		// verify our configuration sets up to have SecurityContextHolderFilter and not
+		// SecurityContextPersistenceFilter
+		assertThat(WebTestUtils.findFilter(this.request, SecurityContextPersistenceFilter.class)).isNull();
+		assertThat(WebTestUtils.findFilter(this.request, SecurityContextHolderFilter.class)).isNotNull();
+
+		WebTestUtils.setSecurityContextRepository(this.request, expectedRepository);
+		assertThat(WebTestUtils.getSecurityContextRepository(this.request)).isSameAs(expectedRepository);
+	}
+
 	// gh-3343
 	@Test
 	public void findFilterNoMatchingFilters() {
@@ -220,4 +236,18 @@ static class SecurityConfigWithDefaults extends WebSecurityConfigurerAdapter {
 
 	}
 
+	@EnableWebSecurity
+	static class SecurityContextHolderFilterConfig {
+
+		@Bean
+		DefaultSecurityFilterChain springSecurityFilter(HttpSecurity http) throws Exception {
+			// @formatter:off
+			http
+				.securityContext((securityContext) -> securityContext.requireExplicitSave(true));
+			// @formatter:on
+			return http.build();
+		}
+
+	}
+
 }