diff --git a/pom.xml b/pom.xml index e414b150c3..26caf8ea30 100644 --- a/pom.xml +++ b/pom.xml @@ -58,12 +58,12 @@ 3.2.1 3.2.5 - 6.1.6 + 6.1.7 6.2.4 2.5.2.RELEASE 1.1.1.RELEASE 12.0.7 - 3.6.5 + 3.6.6 2.23.1 2.0.13 20240303 @@ -80,7 +80,7 @@ 5.12.0 3.25.3 3.5.4 - 3.6.5 + 3.6.6 1.3.2 4.8.5 4.8.5.0 @@ -385,7 +385,7 @@ org.owasp dependency-check-maven - 9.1.0 + 9.2.0 diff --git a/spring-security-starter/src/main/resources/META-INF/spring.factories b/spring-security-starter/src/main/resources/META-INF/spring.factories new file mode 100644 index 0000000000..83dd57bb99 --- /dev/null +++ b/spring-security-starter/src/main/resources/META-INF/spring.factories @@ -0,0 +1,2 @@ +org.springframework.boot.env.EnvironmentPostProcessor=\ +com.sap.cloud.security.spring.autoconfig.SecurityContextEnvironmentPostProcessor diff --git a/spring-security-starter/src/main/resources/META-INF/spring/org.springframework.boot.autoconfigure.AutoConfiguration.imports b/spring-security-starter/src/main/resources/META-INF/spring/org.springframework.boot.autoconfigure.AutoConfiguration.imports index 18a9e220dc..7aea67371f 100644 --- a/spring-security-starter/src/main/resources/META-INF/spring/org.springframework.boot.autoconfigure.AutoConfiguration.imports +++ b/spring-security-starter/src/main/resources/META-INF/spring/org.springframework.boot.autoconfigure.AutoConfiguration.imports @@ -1,4 +1,3 @@ com.sap.cloud.security.spring.autoconfig.HybridIdentityServicesAutoConfiguration com.sap.cloud.security.spring.autoconfig.HybridAuthorizationAutoConfiguration com.sap.cloud.security.spring.autoconfig.XsuaaTokenFlowAutoConfiguration -com.sap.cloud.security.spring.autoconfig.SecurityContextAutoConfiguration \ No newline at end of file diff --git a/spring-security/README.md b/spring-security/README.md index 9830939676..3e589dde49 100644 --- a/spring-security/README.md +++ b/spring-security/README.md 
@@ -84,7 +84,7 @@ In addition, a bean of type [XsuaaTokenFlows](../token-client/src/main/java/com/ | [HybridAuthorizationAutoConfiguration](./src/main/java/com/sap/cloud/security/spring/autoconfig/HybridAuthorizationAutoConfiguration.java) | Creates a converter ([XsuaaTokenAuthorizationConverter](./src/main/java/com/sap/cloud/security/spring/token/authentication/XsuaaTokenAuthorizationConverter.java)) that removes the XSUAA application identifier from the scope names, allowing local scope checks to be performed using [Spring's common built-in expression](https://docs.spring.io/spring-security/site/docs/current/reference/html5/#el-common-built-in) `hasAuthority`. Supports only single Xsuaa binding | | [HybridIdentityServicesAutoConfiguration](./src/main/java/com/sap/cloud/security/spring/autoconfig/HybridIdentityServicesAutoConfiguration.java) | Configures a `JwtDecoder` which is able to decode and validate tokens from Xsuaa and/or Identity service
Furthermore it registers `IdentityServiceConfiguration` and optionally `XsuaaServiceConfiguration`, that allow overriding the identity service configurations found in the service bindings (via `identity.*` and `xsuaa.*` properties). | | [XsuaaTokenFlowAutoConfiguration](./src/main/java/com/sap/cloud/security/spring/autoconfig/XsuaaTokenFlowAutoConfiguration.java) | Configures an `XsuaaTokenFlows` bean to fetch the XSUAA tokens. Starting with `2.10.0` version it supports X.509 based authentication | -| [SecurityContextAutoConfiguration](./src/main/java/com/sap/cloud/security/spring/autoconfig/SecurityContextAutoConfiguration.java) | Configures [`JavaSecurityContextHolderStrategy`](./src/main/java/com/sap/cloud/security/spring/token/authentication/JavaSecurityContextHolderStrategy.java) to be used as `SecurityContextHolderStrategy` to keep the `com.sap.cloud.security.token.SecurityContext` in sync | +| [SecurityContextEnvironmentPostProcessor](./src/main/java/com/sap/cloud/security/spring/autoconfig/SecurityContextEnvironmentPostProcessor.java) | Configures [`JavaSecurityContextHolderStrategy`](./src/main/java/com/sap/cloud/security/spring/token/authentication/JavaSecurityContextHolderStrategy.java) to be used as `SecurityContextHolderStrategy` to keep the `com.sap.cloud.security.token.SecurityContext` in sync | #### Autoconfiguration properties | Autoconfiguration property | Default value | Description | 
@@ -96,7 +96,7 @@ In addition, a bean of type [XsuaaTokenFlows](../token-client/src/main/java/com/ You can gradually replace auto-configurations as explained [here](https://docs.spring.io/spring-boot/docs/current/reference/html/using-boot-auto-configuration.html). #### Multiple Xsuaa configurations -:warning: In case of multiple Xsuaa configurations, the [XsuaaTokenAuthorizationConverter](./src/main/java/com/sap/cloud/security/spring/token/authentication/XsuaaTokenAuthorizationConverter.java) bean is not autoconfigured. +:warning: In case of multiple Xsuaa configurations, the [XsuaaTokenAuthorizationConverter](./src/main/java/com/sap/cloud/security/spring/token/authentication/XsuaaTokenAuthorizationConverter.java) bean is not autoconfigured. The bean needs to be created manually based on the service configuration you want the converter to be initialized with. For example, to create a converter that removes the application identifier of the *first* XSUAA configuration from the scope names, you could create the following bean: @@ -122,7 +122,7 @@ This is an example how to configure your application as Spring Security OAuth 2. @EnableWebSecurity @PropertySource(factory = IdentityServicesPropertySourceFactory.class, ignoreResourceNotFound = true, value = { "" }) public class SecurityConfiguration extends WebSecurityConfigurerAdapter { - + @Autowired Converter authConverter; // only required for XSUAA 
@@ -141,11 +141,11 @@ public class SecurityConfiguration extends WebSecurityConfigurerAdapter { } ``` -> :bulb: Please note that the autoconfigured authentication converter only supports ```hasAuthority```-checks for scopes provided with the Xsuaa access token. +> :bulb: Please note that the autoconfigured authentication converter only supports ```hasAuthority```-checks for scopes provided with the Xsuaa access token. > In case you need to consider authorizations provided via an OIDC token from IAS you need to provide your own converter instead. #### Custom Authorization Converter -You may want to configure the security chain with your own Authorization Converter by implementing the `Converter` interface. +You may want to configure the security chain with your own Authorization Converter by implementing the `Converter` interface. Here is an example implementation that provides authorities based on Identity service groups. The leading prefix "IASAUTHZ_" is removed for easier authorization checks.\ The implementation delegates to the default `authConverter` in case of an Xsuaa access token. @@ -284,11 +284,11 @@ public class Listener { @Autowired JwtDecoder jwtDecoder; - + @Autowired Converter authConverter; - + public void onEvent(String encodedToken) { if (encodedToken != null) { SpringSecurityContext.init(encodedToken, jwtDecoder, authConverter); @@ -327,15 +327,15 @@ In an `application.yml` the test configuration suitable for use with `java-secur sap.security.services: identity: clientid: sb-clientId!t0815 # SecurityTest.DEFAULT_CLIENT_ID - domains: + domains: - localhost # SecurityTest.DEFAULT_DOMAIN xsuaa: xsappname: xsapp!t0815 # SecurityTest.DEFAULT_APP_ID uaadomain: localhost # SecurityTest.DEFAULT_DOMAIN clientid: sb-clientId!t0815 # SecurityTest.DEFAULT_CLIENT_ID url: http://localhost # SecurityTest.DEFAULT_URL -``` - +``` + #### Multiple XSUAA bindings If you need to manually configure the application for more than one XSUAA service instances (e.g. one of 
@@ -344,9 +344,9 @@ plan `application` and another one of plan `broker`). ````yaml sap.security.services: xsuaa[0]: - ... # credentials of XSUAA of plan 'application' + ... # credentials of XSUAA of plan 'application' xsuaa[1]: - clientid: # clientid of XSUAA of plan 'broker' + clientid: # clientid of XSUAA of plan 'broker' ```` :warning: Autoconfiguration for multiple Xsuaa service instance bindings is not available for @@ -355,10 +355,10 @@ You will need to provide it manually. An example can be found [here](../samples/spring-security-hybrid-usage/src/main/java/sample/spring/security/XsuaaAuthzConverter.java). ### Local testing -To run or debug your secured application locally you need to provide the mandatory Xsuaa or Identity service configuration attributes prior to launching the application. +To run or debug your secured application locally you need to provide the mandatory Xsuaa or Identity service configuration attributes prior to launching the application. There are two ways how to provide the service configuration to your Spring Boot application: -1. As Spring properties in `application.yaml` or `application.properties` files - +1. As Spring properties in `application.yaml` or `application.properties` files + The security library requires the following key value pairs to start successfully: - For Xsuaa ```yaml 
@@ -374,33 +374,33 @@ There are two ways how to provide the service configuration to your Spring Boot sap.security.services: identity: clientid: sb-clientId!t0815 # SecurityTest.DEFAULT_CLIENT_ID - domains: + domains: - localhost # SecurityTest.DEFAULT_DOMAIN ``` - + :bulb: The provided values above correspond with the [JwtGenerator](../java-security-test/src/main/java/com/sap/cloud/security/test/JwtGenerator.java) default values from `java-security-test` library, meaning you can generate tokens and test them with this service configuration. -2. As `VCAP_SERVICES` environment variable +2. As `VCAP_SERVICES` environment variable The value of the `VCAP_SERVICES` environment variable needs to be in the following format ```json {"xsuaa": [ { - "credentials": { + "credentials": { "clientid": "sb-clientId!t0815", - "xsappname": "xsapp!t0815", - "uaadomain": "localhost", - "url": "https://localhost" - } + "xsappname": "xsapp!t0815", + "uaadomain": "localhost", + "url": "https://localhost" + } } ] } ``` -> :bulb: To evaluate your application using an actual Identity service, you can obtain the service configuration information from the Identity or Xsuaa service instance created in the SAP BTP Cockpit. +> :bulb: To evaluate your application using an actual Identity service, you can obtain the service configuration information from the Identity or Xsuaa service instance created in the SAP BTP Cockpit. > Then, use this data to populate the application.yml or the VCAP_SERVICES environment variable. ## Troubleshooting -In case you face issues, [submit an issue on GitHub](https://github.com/SAP/cloud-security-services-integration-library/issues/new/choose) +In case you face issues, [submit an issue on GitHub](https://github.com/SAP/cloud-security-services-integration-library/issues/new/choose) and include the following details: - any security-related dependencies used including version, get maven dependency tree with `mvn dependency:tree` - [debug logs](#set-debug-log-level) 
@@ -446,9 +446,9 @@ Field authConverter in com.sap.cloud.test.SecurityConfiguration required a bean ``` Make sure that you have defined the following mandatory attribute in the service configuration (VCAP_SERVICES env variable or application.yaml or application.properties) - for Xsuaa - - xsappname - - uaadomain - - clientid + - xsappname + - uaadomain + - clientid - url - for Identity service - domains @@ -464,9 +464,9 @@ You will need to provide it manually. An example can be found [here](../samples/spring-security-hybrid-usage/src/main/java/sample/spring/security/XsuaaAuthzConverter.java). ## Samples -- [Hybrid Usage](../samples/spring-security-hybrid-usage) +- [Hybrid Usage](../samples/spring-security-hybrid-usage) Demonstrates how to leverage ``spring-security`` library to secure a Spring Boot web application with tokens issued by SAP Identity service or XSUAA. Furthermore, it documents how to implement Spring WebMvcTests using `java-security-test` library. -- [Basic Auth Usage](../samples/spring-security-basic-auth) +- [Basic Auth Usage](../samples/spring-security-basic-auth) Legacy example that demonstrates how to leverage ``spring-security`` library to secure a Spring Boot web application with username/password provided via Basic Auth header. Furthermore, it documents how to implement Spring WebMvcTests using `java-security-test` library. - [Webflux Hybrid Usage](../samples/spring-webflux-security-hybrid-usage)\ Shows how to use ``spring-security`` library with both tokens issued by XSUAA and SAP Identity service in an reactive environment. diff --git a/spring-security/pom.xml b/spring-security/pom.xml index c8b5be1fe6..2394447836 100644 --- a/spring-security/pom.xml +++ b/spring-security/pom.xml @@ -22,7 +22,7 @@ com.nimbusds nimbus-jose-jwt - 9.39 + 9.39.1 org.springframework.security 
diff --git a/spring-security/src/main/java/com/sap/cloud/security/spring/autoconfig/SecurityContextAutoConfiguration.java b/spring-security/src/main/java/com/sap/cloud/security/spring/autoconfig/SecurityContextAutoConfiguration.java
deleted file mode 100644
index 56ddd177f0..0000000000
--- a/spring-security/src/main/java/com/sap/cloud/security/spring/autoconfig/SecurityContextAutoConfiguration.java
+++ /dev/null
@@ -1,68 +0,0 @@
-/**
- * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
- *

- * SPDX-License-Identifier: Apache-2.0
- */
-package com.sap.cloud.security.spring.autoconfig;
-
-import org.springframework.beans.factory.InitializingBean;
-import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
-import org.springframework.boot.autoconfigure.condition.ConditionalOnClass;
-import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
-import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
-import org.springframework.boot.autoconfigure.condition.ConditionalOnWebApplication;
-import org.springframework.boot.web.servlet.ServletContextInitializer;
-import org.springframework.context.annotation.Bean;
-import org.springframework.context.annotation.Configuration;
-import org.springframework.core.Ordered;
-import org.springframework.security.core.context.SecurityContextHolder;
-import org.springframework.security.core.context.SecurityContextHolderStrategy;
-
-import com.sap.cloud.security.spring.token.authentication.JavaSecurityContextHolderStrategy;
-
-import jakarta.servlet.ServletContext;
-import jakarta.servlet.ServletException;
-/**
- * {@link EnableAutoConfiguration} uses a
- * {@link com.sap.cloud.security.spring.token.authentication.JavaSecurityContextHolderStrategy}, which keeps the
- * {@code com.sap.cloud.security.token.SecurityContext} in sync
- *
- *

- * Can be disabled with {@code @EnableAutoConfiguration(exclude={SecurityContextAutoConfiguration.class})} or with
- * property {@code sap.spring.security.hybrid.auto = false}.
- */
-@Configuration
-@ConditionalOnProperty(name = "sap.spring.security.hybrid.auto", havingValue = "true", matchIfMissing = true)
-@ConditionalOnWebApplication
-@ConditionalOnClass(ServletContextInitializer.class)
-public class SecurityContextAutoConfiguration {
-
- @Bean
- @ConditionalOnMissingBean(SecurityContextHolderStrategy.class)
- @ConditionalOnProperty(name = "sap.spring.security.hybrid.sync_securitycontext", havingValue = "true", matchIfMissing = true)
- SecurityContextSetter securityContextSetter() {
- return new SecurityContextSetter();
- }
-
- static class SecurityContextSetter implements InitializingBean, ServletContextInitializer, Ordered {
-
- @Override
- public void afterPropertiesSet() throws Exception {
- if (!(SecurityContextHolder.getContextHolderStrategy() instanceof JavaSecurityContextHolderStrategy)) {
- SecurityContextHolder.setContextHolderStrategy(new JavaSecurityContextHolderStrategy());
- }
- }
-
- @Override
- public void onStartup(ServletContext servletContext) throws ServletException {
- // empty, used to hook early into the initialization phase
- }
-
- @Override
- public int getOrder() {
- return Ordered.HIGHEST_PRECEDENCE;
- }
-
- }
-
-}
diff --git a/spring-security/src/main/java/com/sap/cloud/security/spring/autoconfig/SecurityContextEnvironmentPostProcessor.java b/spring-security/src/main/java/com/sap/cloud/security/spring/autoconfig/SecurityContextEnvironmentPostProcessor.java
new file mode 100644
index 0000000000..9cd19acd92
--- /dev/null
+++ b/spring-security/src/main/java/com/sap/cloud/security/spring/autoconfig/SecurityContextEnvironmentPostProcessor.java
@@ -0,0 +1,34 @@
+/**
+ * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
+ *

+ * SPDX-License-Identifier: Apache-2.0
+ */
+package com.sap.cloud.security.spring.autoconfig;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.env.EnvironmentPostProcessor;
+import org.springframework.core.env.ConfigurableEnvironment;
+import org.springframework.security.core.context.SecurityContextHolder;
+
+import com.sap.cloud.security.spring.token.authentication.JavaSecurityContextHolderStrategy;
+/**
+ * Instantiates a {@link com.sap.cloud.security.spring.token.authentication.JavaSecurityContextHolderStrategy}, which keeps the
+ * {@code com.sap.cloud.security.token.SecurityContext} in sync
+ *
+ *

+ * Can be disabled with with property {@code sap.spring.security.hybrid.auto = false}.
+ */
+public class SecurityContextEnvironmentPostProcessor implements EnvironmentPostProcessor {
+
+ @Override
+ public void postProcessEnvironment(ConfigurableEnvironment environment, SpringApplication application) {
+ String autoConfig = environment.getProperty("sap.spring.security.hybrid.auto");
+ String syncContext = environment.getProperty("sap.spring.security.hybrid.sync_securitycontext");
+ if ((autoConfig == null || Boolean.valueOf(autoConfig)) &&
+ (syncContext == null || Boolean.valueOf(syncContext)) &&
+ !(SecurityContextHolder.getContextHolderStrategy() instanceof JavaSecurityContextHolderStrategy)) {
+ SecurityContextHolder.setContextHolderStrategy(new JavaSecurityContextHolderStrategy());
+ }
+ }
+
+}
diff --git a/spring-security/src/main/java/com/sap/cloud/security/spring/token/authentication/JavaSecurityContextHolderStrategy.java b/spring-security/src/main/java/com/sap/cloud/security/spring/token/authentication/JavaSecurityContextHolderStrategy.java
index a5dc2ba62b..a75a0760d1 100644
--- a/spring-security/src/main/java/com/sap/cloud/security/spring/token/authentication/JavaSecurityContextHolderStrategy.java
+++ b/spring-security/src/main/java/com/sap/cloud/security/spring/token/authentication/JavaSecurityContextHolderStrategy.java
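Review bot: The post-processor installs JavaSecurityContextHolderStrategy whenever the two flags are unset or true and the holder is not already that type, whereas the deleted SecurityContextAutoConfiguration only did so under `@ConditionalOnMissingBean(SecurityContextHolderStrategy.class)`, `@ConditionalOnWebApplication` and `@ConditionalOnClass(ServletContextInitializer.class)`; an application that declares its own `SecurityContextHolderStrategy` bean, or a non-web application, now has the static holder replaced unless it sets `sap.spring.security.hybrid.sync_securitycontext=false`, and the deleted `userConfigurationCanOverrideDefaultBeans` test has no counterpart. That change belongs in the class Javadoc, which currently reads "with with" and names only `hybrid.auto`, not the `sync_securitycontext` flag the code also honours. The two `getProperty` calls plus hand-rolled `Boolean.valueOf` checks can become `boolean auto = environment.getProperty("sap.spring.security.hybrid.auto", Boolean.class, true);` and the same for `sync_securitycontext`, which uses Spring's conversion and states the default in one place. The class declares no order, so it presumably sorts after `ConfigDataEnvironmentPostProcessor` and sees `application.yml` values; making that explicit with `Ordered` or `@Order` would document the dependency.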
@@ -5,19 +5,20 @@ */ package com.sap.cloud.security.spring.token.authentication; -import com.sap.cloud.security.token.Token; import org.springframework.security.core.Authentication; import org.springframework.security.core.context.SecurityContext; import org.springframework.security.core.context.SecurityContextHolderStrategy; import org.springframework.security.core.context.SecurityContextImpl; import org.springframework.util.Assert; +import com.sap.cloud.security.token.Token; + /** * This is an alternative to {@code ThreadLocalSecurityContextHolderStrategy} which keeps the * {@code com.sap.cloud.security.token.SecurityContext} in sync. * * It's included in Spring Autoconfiguration - * {@link com.sap.cloud.security.spring.autoconfig.SecurityContextAutoConfiguration} + * {@link com.sap.cloud.security.spring.autoconfig.SecurityContextEnvironmentPostProcessor} *
* * In cases when Spring Autoconfiguration is not used it can be enabled by setting the system environment variable diff --git a/spring-security/src/test/java/com/sap/cloud/security/spring/autoconfig/SecurityContextAutoConfigurationTest.java b/spring-security/src/test/java/com/sap/cloud/security/spring/autoconfig/SecurityContextAutoConfigurationTest.java deleted file mode 100644 index ea30704db7..0000000000 --- a/spring-security/src/test/java/com/sap/cloud/security/spring/autoconfig/SecurityContextAutoConfigurationTest.java +++ /dev/null @@ -1,82 +0,0 @@ -/** - * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors - *

- * SPDX-License-Identifier: Apache-2.0 - */ -package com.sap.cloud.security.spring.autoconfig; - -import static org.junit.jupiter.api.Assertions.assertEquals; -import static org.junit.jupiter.api.Assertions.assertFalse; -import static org.junit.jupiter.api.Assertions.assertNotEquals; -import static org.junit.jupiter.api.Assertions.assertNotNull; -import static org.junit.jupiter.api.Assertions.assertTrue; - -import org.junit.jupiter.api.Test; -import org.springframework.boot.autoconfigure.AutoConfigurations; -import org.springframework.boot.test.context.runner.WebApplicationContextRunner; -import org.springframework.context.annotation.Bean; -import org.springframework.context.annotation.Configuration; -import org.springframework.security.core.context.SecurityContextHolder; -import org.springframework.security.core.context.SecurityContextHolderStrategy; - -import com.sap.cloud.security.spring.token.authentication.JavaSecurityContextHolderStrategy; - -class SecurityContextAutoConfigurationTest { - - private final WebApplicationContextRunner runner = new WebApplicationContextRunner() - .withConfiguration(AutoConfigurations.of(SecurityContextAutoConfiguration.class)); - - @Test - void autoConfigurationActiveByDefault() { - runner.run(context -> { - assertNotNull(context.getBean("securityContextSetter")); - assertEquals(JavaSecurityContextHolderStrategy.class, - SecurityContextHolder.getContextHolderStrategy().getClass()); - }); - } - - @Test - void autoConfigurationDisabledByProperty() { - runner.withPropertyValues("sap.spring.security.hybrid.auto:false") - .run((context) -> assertFalse(context.containsBean("securityContextSetter"))); - } - - @Test - void autoConfigurationDisabledBySpecificProperty() { - runner.withPropertyValues("sap.spring.security.hybrid.sync_securitycontext:false") - .run((context) -> assertFalse(context.containsBean("securityContextSetter"))); - } - - @Test - void autoConfigurationEnabledByProperty() { - 
runner.withPropertyValues("sap.spring.security.hybrid.auto:true") - .run((context) -> assertTrue(context.containsBean("securityContextSetter"))); - } - - @Test - void autoConfigurationEnabledBySpecificProperty() { - runner.withPropertyValues("sap.spring.security.hybrid.sync_securitycontext:true") - .run((context) -> assertTrue(context.containsBean("securityContextSetter"))); - } - - @Test - void userConfigurationCanOverrideDefaultBeans() { - runner.withUserConfiguration(UserConfiguration.class) - .run((context) -> { - assertFalse(context.containsBean("securityContextSetter")); - assertNotNull(context.getBean("customStrategy", SecurityContextHolderStrategy.class)); - assertNotEquals(JavaSecurityContextHolderStrategy.class, - SecurityContextHolder.getContextHolderStrategy().getClass()); - }); - } - - @Configuration - static class UserConfiguration { - - @Bean - static SecurityContextHolderStrategy customStrategy() { - SecurityContextHolder.setStrategyName(SecurityContextHolder.MODE_THREADLOCAL); - return SecurityContextHolder.getContextHolderStrategy(); - } - } -} diff --git a/spring-security/src/test/java/com/sap/cloud/security/spring/autoconfig/SecurityContextEnvironmentPostProcessorTest.java b/spring-security/src/test/java/com/sap/cloud/security/spring/autoconfig/SecurityContextEnvironmentPostProcessorTest.java new file mode 100644 index 0000000000..c00a10cd49 --- /dev/null +++ b/spring-security/src/test/java/com/sap/cloud/security/spring/autoconfig/SecurityContextEnvironmentPostProcessorTest.java @@ -0,0 +1,64 @@ +/** + * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors + *

+ * SPDX-License-Identifier: Apache-2.0
+ */
+package com.sap.cloud.security.spring.autoconfig;
+
+import static org.junit.jupiter.api.Assertions.assertFalse;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+import org.junit.jupiter.api.Test;
+import org.springframework.mock.env.MockEnvironment;
+import org.springframework.security.core.context.SecurityContextHolder;
+
+import com.sap.cloud.security.spring.token.authentication.JavaSecurityContextHolderStrategy;
+
+class SecurityContextEnvironmentPostProcessorTest {
+
+ private MockEnvironment env = new MockEnvironment();
+
+ @Test
+ void securityContextStrategyActiveByDefault() {
+ assertStrategy(true);
+ }
+
+ @Test
+ void securityContextStrategyDisabledByProperty() {
+ env.setProperty("sap.spring.security.hybrid.auto", "false");
+ assertStrategy(false);
+ }
+
+ @Test
+ void securityContextStrategyDisabledBySpecificProperty() {
+ env.setProperty("sap.spring.security.hybrid.sync_securitycontext", "false");
+ assertStrategy(false);
+ }
+
+ @Test
+ void securityContextStrategyEnabledByProperty() {
+ env.setProperty("sap.spring.security.hybrid.auto", "true");
+ assertStrategy(true);
+ }
+
+ @Test
+ void securityContextStrategyEnabledBySpecificProperty() {
+ env.setProperty("sap.spring.security.hybrid.sync_securitycontext", "true");
+ assertStrategy(true);
+ }
+
+ void assertStrategy(boolean applied) {
+ try {
+ SecurityContextHolder.setStrategyName(null);
+ new SecurityContextEnvironmentPostProcessor().postProcessEnvironment(env, null);
+ if (applied) {
+ assertTrue(SecurityContextHolder.getContextHolderStrategy() instanceof JavaSecurityContextHolderStrategy, "Expected custom strategy");
+ } else {
+ assertFalse(SecurityContextHolder.getContextHolderStrategy() instanceof JavaSecurityContextHolderStrategy, "Expected default strategy");
+ }
+ } finally {
+ SecurityContextHolder.setStrategyName(null);
+ }
+ }
+
+}
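Review bot: assertStrategy resets and reinstalls the JVM-global SecurityContextHolder strategy, so this class cannot run concurrently with other tests that touch the holder (for example under a parallel surefire setup) and relies on `setStrategyName(null)` falling back to the default mode; a comment above the helper, `// mutates the JVM-wide SecurityContextHolder strategy; must not run in parallel with other holder tests`, would save the next person a flaky-test hunt. None of the five cases exercises the `instanceof JavaSecurityContextHolderStrategy` short-circuit in the post-processor; calling `postProcessEnvironment` twice and asserting `assertSame(first, SecurityContextHolder.getContextHolderStrategy())` would pin that an already-installed instance is kept rather than replaced. Minor style: `env` can be `private final`, and `assertStrategy` can be `private`.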
diff --git a/spring-xsuaa-test/pom.xml b/spring-xsuaa-test/pom.xml index ce6cf633b6..25a69c41aa 100644 --- a/spring-xsuaa-test/pom.xml +++ b/spring-xsuaa-test/pom.xml @@ -21,7 +21,7 @@ com.nimbusds nimbus-jose-jwt - 9.39 + 9.39.1 org.springframework.security diff --git a/spring-xsuaa/pom.xml b/spring-xsuaa/pom.xml index c9274021d5..6b01a51f19 100644 --- a/spring-xsuaa/pom.xml +++ b/spring-xsuaa/pom.xml @@ -21,7 +21,7 @@ com.nimbusds nimbus-jose-jwt - 9.39 + 9.39.1 org.springframework