Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove Servlet Spec 2.5 Support for SecurityContextHolderAwareRequestFilter #6260

Closed
jzheaux opened this issue Dec 7, 2018 · 3 comments · Fixed by #6286
Closed

Remove Servlet Spec 2.5 Support for SecurityContextHolderAwareRequestFilter #6260

jzheaux opened this issue Dec 7, 2018 · 3 comments · Fixed by #6286
Labels
in: web An issue in web modules (web, webmvc) type: enhancement A general enhancement
Milestone
5.2.0.M1

Comments

@jzheaux
Copy link
Contributor

jzheaux commented Dec 7, 2018

Related to #6220

SecurityContextHolderAwareRequestFilter contains a condition which returns a different HttpServletRequestFactory based on whether the application is using Servlet Spec 3 or higher.

To support this, there are two request factories, one for servlet 2.5 called HttpServlet25RequestFactory and another called HttpServlet3RequestFactory.

These exist in order to expose additional features in Servlet 3, and also to return a version-specific implementation of SecurityContextHolderAwareRequestWrapper.

Since Spring Framework 5.x has a baseline of Servlet Spec 3.1, the if condition, and HttpServlet25RequestFactory are no longer necessary and we should remove them.

For now, we shouldn't move Servlet3SecurityContextHolderAwareRequestWrapper's functionality up into SecurityContextHolderAwareRequestWrapper since it is reliant on private state in HttpServlet3RequestFactory.
@jzheaux jzheaux added in: web An issue in web modules (web, webmvc) type: enhancement A general enhancement labels Dec 7, 2018
@jzheaux jzheaux added this to the 5.2.0.M1 milestone Dec 7, 2018
@jzheaux jzheaux mentioned this issue Dec 7, 2018
Closed
7 tasks
@dongmyo
Copy link
Contributor

dongmyo commented Dec 14, 2018

@jzheaux
what about changing HttpServlet3RequestFactory to the default implementation of HttpServletRequestFactory and moving Servlet3SecurityContextHolderAwareRequestWrapper's functionality up into SecurityContextHolderAwareRequestWrapper?

@jzheaux
Copy link
Contributor Author

jzheaux commented Dec 14, 2018

Good question, this was my thought originally as well.

But, the reason to not do that yet is that Servlet3SecurityContextHolderAwareRequestWrapper depends on private state in HttpServlet3RequestFactory, like an authenticationEntryPoint. To move the functionality would also mean to move that configuration, which is a bigger task than simply dropping support for Servlet 2.5.

I'm open to a proposal if you have a better way to do that, but I suspect we'll want to do it in a separate task.

@dongmyo
Copy link
Contributor

dongmyo commented Dec 14, 2018

@jzheaux okay, i totally understand what you mean now.
thank you.

@dongmyo dongmyo mentioned this issue Dec 14, 2018
Merged
dongmyo added a commit to dongmyo/spring-security-1 that referenced this issue Dec 15, 2018
@dongmyo
Remove Servlet Spec 2.5 Support for SecurityContextHolderAwareRequest…
ba20f77 
…Filter

Fixes: spring-projectsgh-6260
jzheaux pushed a commit that referenced this issue Dec 17, 2018
@dongmyo @jzheaux
Remove Servlet Spec 2.5 Support for SecurityContextHolderAwareRequest…
733a380 
…Filter

Fixes: gh-6260
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
in: web An issue in web modules (web, webmvc) type: enhancement A general enhancement
Projects
None yet
Milestone
5.2.0.M1
2 participants
@dongmyo @jzheaux