Cannot configure SecurityContextRepository in CasAuthenticationFilter

[sammyhk]

Describe the bug
CasAuthenticationFilter set a reference of SecurityContextRepository (

spring-security/cas/src/main/java/org/springframework/security/cas/web/CasAuthenticationFilter.java

Line 216 in e771267

setSecurityContextRepository(this.securityContextRepository);

) in itself and use it in

spring-security/cas/src/main/java/org/springframework/security/cas/web/CasAuthenticationFilter.java

Line 233 in e771267

this.securityContextRepository.saveContext(context, request, response);

which cause the setSecurityContextRepository(...) defined in parent class AbstractAuthenticationProcessingFilter not configurable anymore.
The securityContextRepository reference is just for the call of successfulAuthentication(...) (

spring-security/cas/src/main/java/org/springframework/security/cas/web/CasAuthenticationFilter.java

Lines 227 to 236 in e771267

	this.logger.debug(
	LogMessage.format("Authentication success. Updating SecurityContextHolder to contain: %s", authResult));
	SecurityContext context = this.securityContextHolderStrategy.createEmptyContext();
	context.setAuthentication(authResult);
	this.securityContextHolderStrategy.setContext(context);
	this.securityContextRepository.saveContext(context, request, response);
	if (this.eventPublisher != null) {
	this.eventPublisher.publishEvent(new InteractiveAuthenticationSuccessEvent(authResult, this.getClass()));
	}

).
For me, seems like it is just duplicating the code defined in parent class AbstractAuthenticationProcessingFilter (

spring-security/web/src/main/java/org/springframework/security/web/authentication/AbstractAuthenticationProcessingFilter.java

Lines 322 to 333 in e771267

	SecurityContext context = this.securityContextHolderStrategy.createEmptyContext();
	context.setAuthentication(authResult);
	this.securityContextHolderStrategy.setContext(context);
	this.securityContextRepository.saveContext(context, request, response);
	if (this.logger.isDebugEnabled()) {
	this.logger.debug(LogMessage.format("Set SecurityContextHolder to %s", authResult));
	}
	this.rememberMeServices.loginSuccess(request, response, authResult);
	if (this.eventPublisher != null) {
	this.eventPublisher.publishEvent(new InteractiveAuthenticationSuccessEvent(authResult, this.getClass()));
	}
	this.successHandler.onAuthenticationSuccess(request, response, authResult);

) and can be rewritten to avoid the securityContextRepository reference defined in CasAuthenticationFilter.
Example:

@Override
protected final void successfulAuthentication(HttpServletRequest request, HttpServletResponse response,
		FilterChain chain, Authentication authResult) throws IOException, ServletException {
	boolean continueFilterChain = proxyTicketRequest(serviceTicketRequest(request, response), request);
	super.successfulAuthentication(request, response, chain, authResult);
	if (continueFilterChain) {
		chain.doFilter(request, response);
	}
}

Expected behavior
CasAuthenticationFilter should be able to configure different SecurityContextRepository by calling setSecurityContextRepository(...)

[marcusdacoregio]

Hi, @sammyhk. Thanks for the report.

If we apply the changes as you suggested, there is a test that stops passing where it expects the AuthenticationSuccessHandler to not be called. I don't think that we should apply a change that might break things for others.

The code duplication is not a problem here, we should probably override setSecurityContextRepository to call super and also set it into the CasAuthenticationFilter#securityContextRepository. The same goes for SecurityContextHolderStrategy.