Examples of org.springframework.security.core.context.SecurityContext

• org.springframework.security.core.context.SecurityContext
  Interface defining the minimum security information associated with the current thread of execution.

  The security context is stored in a {@link SecurityContextHolder}.

  @author Ben Alex

    public void traverseWrappedRequests() {
        HttpSessionSecurityContextRepository repo = new HttpSessionSecurityContextRepository();
        MockHttpServletRequest request = new MockHttpServletRequest();
        MockHttpServletResponse response = new MockHttpServletResponse();
        HttpRequestResponseHolder holder = new HttpRequestResponseHolder(request, response);
        SecurityContext context = repo.loadContext(holder);
        assertNull(request.getSession(false));
        // Simulate authentication during the request
        context.setAuthentication(testToken);

        repo.saveContext(context, new HttpServletRequestWrapper(holder.getRequest()), new HttpServletResponseWrapper(holder.getResponse()));

        assertNotNull(request.getSession(false));
        assertEquals(context, request.getSession().getAttribute(SPRING_SECURITY_CONTEXT_KEY));

    @Test(expected = IllegalStateException.class)
    public void failsWithStandardResponse() {
        HttpSessionSecurityContextRepository repo = new HttpSessionSecurityContextRepository();
        MockHttpServletRequest request = new MockHttpServletRequest();
        MockHttpServletResponse response = new MockHttpServletResponse();
        SecurityContext context = SecurityContextHolder.createEmptyContext();
        context.setAuthentication(testToken);

        repo.saveContext(context,request,response);
    }

        } else {
            if (debug) {
                logger.debug("Switching to RunAs Authentication: " + runAs);
            }

            SecurityContext origCtx = SecurityContextHolder.getContext();
            SecurityContextHolder.setContext(SecurityContextHolder.createEmptyContext());
            SecurityContextHolder.getContext().setAuthentication(runAs);

            // need to revert to token.Authenticated post-invocation
            return new InterceptorStatusToken(origCtx, true, attributes, object);

    // SEC-1967
    @Test
    @SuppressWarnings("unchecked")
    public void finallyInvocationIsInvokedIfExceptionThrown() throws Exception {
        SecurityContext ctx = SecurityContextHolder.getContext();
        Authentication token = new TestingAuthenticationToken("Test", "Password", "NOT_USED");
        token.setAuthenticated(true);
        ctx.setAuthentication(token);

        RunAsManager runAsManager = mock(RunAsManager.class);
        when(runAsManager.buildRunAs(eq(token), any(), anyCollection())).thenReturn(new RunAsUserToken("key", "someone", "creds", token.getAuthorities(), token.getClass()));
        interceptor.setRunAsManager(runAsManager);

        Object user = message.getHeaders().get(authenticationHeaderName);
        if(!(user instanceof Authentication)) {
            return;
        }
        Authentication authentication = (Authentication) user;
        SecurityContext context = SecurityContextHolder.createEmptyContext();
        context.setAuthentication(authentication);
        SecurityContextHolder.setContext(context);
    }

    private Authentication getAuthentication() {
        if(authentication != null) {
            return authentication;
        }

        SecurityContext context = SecurityContextHolder.getContext();
        return context.getAuthentication();
    }

    public SecurityContext loadContext(HttpRequestResponseHolder requestResponseHolder) {
        HttpServletRequest request = requestResponseHolder.getRequest();
        HttpServletResponse response = requestResponseHolder.getResponse();
        HttpSession httpSession = request.getSession(false);

        SecurityContext context = readSecurityContextFromSession(httpSession);

        if (context == null) {
            if (logger.isDebugEnabled()) {
                logger.debug("No SecurityContext was available from the HttpSession: " + httpSession +". " +
                        "A new one will be created.");

                logger.debug("Eagerly created session: " + session.getId());
            }
        }

        HttpRequestResponseHolder holder = new HttpRequestResponseHolder(request, response);
        SecurityContext contextBeforeChainExecution = repo.loadContext(holder);

        try {
            SecurityContextHolder.setContext(contextBeforeChainExecution);

            chain.doFilter(holder.getRequest(), holder.getResponse());

        } finally {
            SecurityContext contextAfterChainExecution = SecurityContextHolder.getContext();
            // Crucial removal of SecurityContextHolder contents - do this before anything else.
            SecurityContextHolder.clearContext();
            repo.saveContext(contextAfterChainExecution, holder.getRequest(), holder.getResponse());
            request.removeAttribute(FILTER_APPLIED);

        request = new MockHttpServletRequest();
        response = new MockHttpServletResponse();

        handler = new SecurityContextLogoutHandler();

        SecurityContext context = SecurityContextHolder.createEmptyContext();
        context.setAuthentication(new TestingAuthenticationToken("user", "password", AuthorityUtils.createAuthorityList("ROLE_USER")));
        SecurityContextHolder.setContext(context);
    }

    }

    // SEC-2025
    @Test
    public void clearsAuthentication() {
        SecurityContext beforeContext = SecurityContextHolder.getContext();
        handler.logout(request, response, SecurityContextHolder.getContext().getAuthentication());
        assertNull(beforeContext.getAuthentication());
    }