spring-projects / spring-security

Spring Security
http://spring.io/projects/spring-security
Apache License 2.0

Security Context is not updating #15217

Closed armorcodehemant closed 1 day ago

armorcodehemant commented 2 weeks ago

I have a URI that updates the authenticated user's context. When the user only calls this URI it works as expected, but when 2-3 other APIs are called followed by this URI it does not update the context.

This same use case was working when we were on Spring Boot 2.x.x, with which we used Spring Security 5.x.x with Redis. This problem started after we moved to Spring Boot 3.2.x with Spring Security 6.2.3 with Redis.

My security context setting:

    http.securityContext((securityContext) -> {
        securityContext.securityContextRepository(new HttpSessionSecurityContextRepository());
        securityContext.requireExplicitSave(false);
    });

    public void setGlobalFilterConfig(GlobalFilterDto globalFilterDto) {
        // Take the current Authentication and its principal from the thread-local context
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        LocalUser localUser = (LocalUser) auth.getPrincipal();
        Collection<GrantedAuthority> authorities = localUser.getAuthorities();
        // Mutate the wrapped user in place with the new global filter
        localUser.getUser().setGlobalFilterDto(globalFilterDto);
        // Rebuild the token with the same principal, credentials and authorities
        Authentication newAuth = new UsernamePasswordAuthenticationToken(localUser,
                auth.getCredentials(),
                authorities);
        // Only the thread-local context is updated here; nothing writes it back to the repository
        SecurityContextHolder.getContext().setAuthentication(newAuth);
    }

I tried to set securityContext.requireExplicitSave(true); with this setting I manually updated the context using org.springframework.security.web.context.SecurityContextRepository.saveContext(req,res,auth), and also tried changing FLUSH_MODE from ON_SAVE to IMMEDIATE in @EnableRedisIndexedHttpSession. Neither worked.

Is there any specific change I need to take care of with the updated Spring Security, or is this expected behaviour?

marcusdacoregio commented 2 weeks ago

Hi, @armorcodehemant. Since Spring Security 6.0 you must save the SecurityContext manually by calling the SecurityContextRepository; please see https://docs.spring.io/spring-security/reference/servlet/authentication/session-management.html#requireexplicitsave.

It seems that there are multiple things going on, as you are mentioning both Spring Security and Spring Session APIs. If you really think it is a bug after reading the docs I linked above, can you please provide a minimal, reproducible sample, ideally using only Spring Security, so we can verify the behavior?
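An added example (not code from the issue, the reporter, or Spring Security itself) of the explicit save the linked docs describe, adapted from the issue's method. It assumes a Spring Boot 3 / Jakarta servlet application where the request and response are available to the service, and uses the issue's own hypothetical types LocalUser and GlobalFilterDto:

```java
import java.util.Collection;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.context.SecurityContextHolderStrategy;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextRepository;

public class GlobalFilterService {

    // Assumed: the same repository type the issue configures. In a real application this
    // is injected so that the filter chain and this service share one instance.
    private final SecurityContextRepository securityContextRepository =
            new HttpSessionSecurityContextRepository();

    private final SecurityContextHolderStrategy securityContextHolderStrategy =
            SecurityContextHolder.getContextHolderStrategy();

    // LocalUser and GlobalFilterDto are the issue's hypothetical application types.
    public void setGlobalFilterConfig(GlobalFilterDto globalFilterDto,
                                      HttpServletRequest request,
                                      HttpServletResponse response) {
        Authentication current = this.securityContextHolderStrategy.getContext().getAuthentication();
        LocalUser localUser = (LocalUser) current.getPrincipal();
        localUser.getUser().setGlobalFilterDto(globalFilterDto);

        // Reuse the existing authorities so the rebuilt token cannot widen what the user may do.
        Collection<? extends GrantedAuthority> authorities = localUser.getAuthorities();
        Authentication updated = UsernamePasswordAuthenticationToken.authenticated(
                localUser, current.getCredentials(), authorities);

        // Put the new Authentication in a fresh context instead of mutating the shared one.
        SecurityContext context = this.securityContextHolderStrategy.createEmptyContext();
        context.setAuthentication(updated);
        this.securityContextHolderStrategy.setContext(context);

        // The step the issue's method lacks: persist the context so later requests see it.
        this.securityContextRepository.saveContext(context, request, response);
    }
}
```

With requireExplicitSave(true), which is the Spring Security 6 default, the saveContext call is what makes the change visible to subsequent requests.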

armorcodehemant commented 2 weeks ago

@marcusdacoregio I am using securityContext.requireExplicitSave(false), so it should set up SecurityContextPersistenceFilter. If so, it should have worked without manually saving the context.

marcusdacoregio commented 2 weeks ago

Can you please provide a reproducible sample?

spring-projects-issues commented 1 week ago

If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.

spring-projects-issues commented 1 day ago

Closing due to lack of requested feedback. If you would like us to look at this issue, please provide the requested information and we will re-open the issue.