From 8396b69d8b4b2bdcf577e0056870945807acf4c1 Mon Sep 17 00:00:00 2001
From: Artur Signell
Date: Mon, 4 Oct 2021 21:01:34 +0300
Subject: [PATCH 1/3] Take into account that a VaadinSession can be detached from the HTTP session
Fixes #910
---
 .../security/VaadinAwareSecurityContextHolderStrategy.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/vaadin-spring/src/main/java/com/vaadin/flow/spring/security/VaadinAwareSecurityContextHolderStrategy.java b/vaadin-spring/src/main/java/com/vaadin/flow/spring/security/VaadinAwareSecurityContextHolderStrategy.java
index 7763a5fd9..fcee989b7 100644
--- a/vaadin-spring/src/main/java/com/vaadin/flow/spring/security/VaadinAwareSecurityContextHolderStrategy.java
+++ b/vaadin-spring/src/main/java/com/vaadin/flow/spring/security/VaadinAwareSecurityContextHolderStrategy.java
@@ -65,7 +65,7 @@ public SecurityContext getContext() {
 @NonNull
 private Optional getFromVaadinSession() {
 VaadinSession session = VaadinSession.getCurrent();
- if (session == null) {
+ if (session == null || session.getSession() == null) {
 return Optional.empty();
 }
 Object securityContext = session.getSession().getAttribute(
From 39e216063b5b24ed687aaee86d0e2e401854ae2d Mon Sep 17 00:00:00 2001
From: Artur Signell
Date: Wed, 6 Oct 2021 11:16:44 +0300
Subject: [PATCH 2/3] Test
---
 ...wareSecurityContextHolderStrategyTest.java | 64 +++++++++++++++++++
 1 file changed, 64 insertions(+)
 create mode 100644 vaadin-spring/src/test/java/com/vaadin/flow/spring/security/VaadinAwareSecurityContextHolderStrategyTest.java
diff --git a/vaadin-spring/src/test/java/com/vaadin/flow/spring/security/VaadinAwareSecurityContextHolderStrategyTest.java b/vaadin-spring/src/test/java/com/vaadin/flow/spring/security/VaadinAwareSecurityContextHolderStrategyTest.java
new file mode 100644
index 000000000..a007f2fce
--- /dev/null
+++ b/vaadin-spring/src/test/java/com/vaadin/flow/spring/security/VaadinAwareSecurityContextHolderStrategyTest.java
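Review bot: In `getFromVaadinSession()` (PATCH 1/3) the new guard calls `session.getSession()` for the null check and the next context line calls it again for `getAttribute(`, so if the session can be detached between the two calls (for example by a concurrent invalidation) the NullPointerException this patch targets would still be reachable. Reading the wrapped session once removes that window: `WrappedSession wrappedSession = session == null ? null : session.getSession();`, then `if (wrappedSession == null) { return Optional.empty(); }` and `wrappedSession.getAttribute(...)`. Since this method decides which SecurityContext a request is evaluated against, I would also add a comment such as `// Detached VaadinSession: no HTTP session to read from, fall back to the thread-local holder`. The method body continues outside the hunk.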
@@ -0,0 +1,64 @@
+package com.vaadin.flow.spring.security;
+
+import javax.servlet.http.HttpSession;
+
+import com.vaadin.flow.internal.CurrentInstance;
+import com.vaadin.flow.server.VaadinSession;
+import com.vaadin.flow.server.WrappedHttpSession;
+import com.vaadin.flow.server.WrappedSession;
+
+import org.junit.After;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.Test;
+import org.mockito.Mockito;
+import org.springframework.security.core.context.SecurityContext;
+import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
+
+public class VaadinAwareSecurityContextHolderStrategyTest {
+
+ private VaadinAwareSecurityContextHolderStrategy vaadinAwareSecurityContextHolderStrategy;
+
+ @Before
+ public void setup() {
+ vaadinAwareSecurityContextHolderStrategy = new VaadinAwareSecurityContextHolderStrategy();
+ CurrentInstance.clearAll();
+ }
+
+ @After
+ public void teardown() {
+ CurrentInstance.clearAll();
+ }
+
+ @Test
+ public void currentSessionOverrides() {
+ VaadinSession vaadinSession = Mockito.mock(VaadinSession.class);
+ HttpSession httpSession = Mockito.mock(HttpSession.class);
+ Mockito.when(vaadinSession.getSession()).thenReturn(new WrappedHttpSession(httpSession));
+ SecurityContext securityContext = Mockito.mock(SecurityContext.class);
+ Mockito.when(httpSession.getAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY))
+ .thenReturn(securityContext);
+ VaadinSession.setCurrent(vaadinSession);
+
+ vaadinAwareSecurityContextHolderStrategy.setContext(Mockito.mock(SecurityContext.class));
+ Assert.assertEquals(securityContext, vaadinAwareSecurityContextHolderStrategy.getContext());
+ }
+
+ @Test
+ public void detachedSessionWorks() {
+ VaadinSession vaadinSession = Mockito.mock(VaadinSession.class);
+ Mockito.when(vaadinSession.getSession()).thenReturn(null);
+ VaadinSession.setCurrent(vaadinSession);
+
+ SecurityContext explicit = Mockito.mock(SecurityContext.class);
+ vaadinAwareSecurityContextHolderStrategy.setContext(explicit);
+ Assert.assertEquals(explicit, vaadinAwareSecurityContextHolderStrategy.getContext());
+ }
+
+ @Test
+ public void explicitUsedWhenNoSessionAvailable() {
+ SecurityContext explicit = Mockito.mock(SecurityContext.class);
+ vaadinAwareSecurityContextHolderStrategy.setContext(explicit);
+ Assert.assertEquals(explicit, vaadinAwareSecurityContextHolderStrategy.getContext());
+ }
+}
From 2bfc7e30f100bad321a4a70741ef11b886c08ca8 Mon Sep 17 00:00:00 2001
From: Artur Signell
Date: Thu, 7 Oct 2021 09:05:49 +0300
Subject: [PATCH 3/3] Use method ref
---
 .../security/VaadinAwareSecurityContextHolderStrategy.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/vaadin-spring/src/main/java/com/vaadin/flow/spring/security/VaadinAwareSecurityContextHolderStrategy.java b/vaadin-spring/src/main/java/com/vaadin/flow/spring/security/VaadinAwareSecurityContextHolderStrategy.java
index fcee989b7..df3e13934 100644
--- a/vaadin-spring/src/main/java/com/vaadin/flow/spring/security/VaadinAwareSecurityContextHolderStrategy.java
+++ b/vaadin-spring/src/main/java/com/vaadin/flow/spring/security/VaadinAwareSecurityContextHolderStrategy.java
@@ -54,7 +54,7 @@ public SecurityContext getContext() {
 * the current request.
 */
 SecurityContext context = getFromVaadinSession()
- .orElseGet(() -> contextHolder.get());
+ .orElseGet(contextHolder::get);
 if (context == null) {
 context = createEmptyContext();
 contextHolder.set(context);
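Review bot: `detachedSessionWorks` in VaadinAwareSecurityContextHolderStrategyTest (PATCH 2/3) only covers a detached session after `setContext(explicit)` has been called; the case where `getSession()` returns null and nothing was set explicitly is not exercised, although that is the path where `getContext()` must fall through to `createEmptyContext()` instead of throwing. A further test that keeps the same mock setup, skips `setContext`, and asserts `Assert.assertNotNull(vaadinAwareSecurityContextHolderStrategy.getContext());` would pin that behaviour. The import `com.vaadin.flow.server.WrappedSession` is not used anywhere in the new file and can be dropped.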