Skip to content

SecurityContextHolder setDeferredContext(Supplier<SecurityContext>) / Supplier<SecurityContext> getDeferredContext() #10913

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
2 of 3 tasks
rwinch opened this issue Feb 25, 2022 · 2 comments
Closed
2 of 3 tasks

SecurityContextHolder setDeferredContext(Supplier<SecurityContext>) / Supplier<SecurityContext> getDeferredContext() #10913

rwinch opened this issue Feb 25, 2022 · 2 comments
Assignees
@rwinch
Labels
status: backported An issue that has been backported to maintenance branches
Milestone
6.0.0-M6

Comments

@rwinch
Copy link
Member

rwinch commented Feb 25, 2022
edited
Loading

In order to support a lazy access of the SecurityContext we should add methods to the SecurityContextHolder that allow setting and getting a Supplier<SecurityContext>. A benefit is that if it takes some work to obtain the SecurityContext, the it is only looked up if necessary.

For example, currently the SecurityContext is looked up from the HttpSession for every page. When using distributed sessions (i.e. Spring Session + Redis) this is a lot of unnecessary overhead for accessing public css, javascript, and images. With these changes Spring Security can avoid accessing the HttpSession for public resources like javascript, css, images, public html pages, etc.

The context would be set like this:

SecurityContextHolder.setDeferredContext(() -> securityContextRepository.loadContext(...));

Then code that wasn't sure if the SecurityContext was needed could use:

Supplier<SecurityContext> deferredContext = SecurityContextHolder.getDeferredContext();

authorizationManager.check(() -> defferedContext.get().getAuthentication(), object);

If the AuthorizationManager did not need to access the SecurityContext (i.e. public invocation was allowed), it would not ever access the Supplier<Authentication> and thus the Supplier<SecurityContext> wouldn't be accessed either.

These changes will largely be internal and not impact users.

This is blocked by
@linghengqian
Copy link

linghengqian commented Feb 28, 2022
edited
Loading

Is this referring to the situation mentioned in https://docs.spring.io/spring-security/reference/servlet/authentication/architecture.html#servlet-authentication-securitycontextholder ? Should it change?

SecurityContext context = SecurityContextHolder.createEmptyContext(); 
Authentication authentication = new TestingAuthenticationToken("username", "password", "ROLE_USER");
context.setAuthentication(authentication);
SecurityContextHolder.setContext(context);

@rwinch
Copy link
Member Author

rwinch commented Feb 28, 2022

@linghengqian You would still be allowed to use the methods that you provided, but there will be additional methods to support delayed lookup of the SecurityContext. I've updated the description to provide more details.

@rwinch rwinch changed the title SecurityContextHolder setContext(Supplier<SecurityContext>) / Supplier<SecurityContext> getContext() SecurityContextHolder setDeferredContext(Supplier<SecurityContext>) / Supplier<SecurityContext> getDeferredContext() Feb 28, 2022
@jzheaux jzheaux mentioned this issue Mar 8, 2022
Closed
@rwinch rwinch added this to the 5.7.0-RC1 milestone Mar 25, 2022
@rwinch rwinch modified the milestones: 5.7.0-RC1, 5.8.x Apr 18, 2022
@pmverma pmverma mentioned this issue May 9, 2022
Closed
@jzheaux jzheaux mentioned this issue Jun 2, 2022
Closed
@rwinch rwinch mentioned this issue Jun 8, 2022
Closed
@rwinch rwinch self-assigned this Jun 14, 2022
@rwinch rwinch closed this as completed in b6d43e5 Jun 17, 2022
@rwinch rwinch modified the milestones: 5.8.x, 5.8.0-M1 Jun 17, 2022
rwinch added a commit that referenced this issue Jun 17, 2022
@rwinch
SecurityContextHolder Deferred SecurityContext
d32f74d 
Closes gh-10913
@github-actions github-actions bot added the status: backported An issue that has been backported to maintenance branches label Jun 17, 2022
@github-actions github-actions bot mentioned this issue Jun 17, 2022
Closed
@jzheaux jzheaux mentioned this issue Sep 14, 2022
Closed
jzheaux added a commit that referenced this issue Sep 30, 2022
@jzheaux
Support Deferred Contexts
f054505 
Closes gh-11817
Issue gh-10913
@jzheaux jzheaux mentioned this issue Oct 6, 2022
Closed
@marcusdacoregio marcusdacoregio modified the milestones: 5.8.0-M1, 6.0.0-M6 Nov 24, 2022
@simgyuhwan simgyuhwan mentioned this issue Dec 6, 2022
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@rwinch rwinch

Labels
status: backported An issue that has been backported to maintenance branches
Projects
None yet
Milestone
6.0.0-M6
Development

No branches or pull requests
3 participants
@rwinch @marcusdacoregio @linghengqian