Pick Up OidcSessionRegistry Bean

jzheaux · jzheaux · commit b311b811a1a3 · 2024-09-15T21:30:55.000-07:00
Closes gh-15813
diff --git a/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2ClientConfigurerUtils.java b/config/src/main/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OAuth2ClientConfigurerUtils.java
@@ -116,10 +116,17 @@ private static <B extends HttpSecurityBuilder<B>> OAuth2AuthorizedClientService
 
 	static <B extends HttpSecurityBuilder<B>> OidcSessionRegistry getOidcSessionRegistry(B builder) {
 		OidcSessionRegistry sessionRegistry = builder.getSharedObject(OidcSessionRegistry.class);
-		if (sessionRegistry == null) {
+		if (sessionRegistry != null) {
+			return sessionRegistry;
+		}
+		ApplicationContext context = builder.getSharedObject(ApplicationContext.class);
+		if (context.getBeanNamesForType(OidcSessionRegistry.class).length == 1) {
+			sessionRegistry = context.getBean(OidcSessionRegistry.class);
+		}
+		else {
 			sessionRegistry = new InMemoryOidcSessionRegistry();
-			builder.setSharedObject(OidcSessionRegistry.class, sessionRegistry);
 		}
+		builder.setSharedObject(OidcSessionRegistry.class, sessionRegistry);
 		return sessionRegistry;
 	}
 
diff --git a/config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java b/config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java
@@ -5496,7 +5496,7 @@ private ReactiveClientRegistrationRepository getClientRegistrationRepository() {
 
 		private ReactiveOidcSessionRegistry getSessionRegistry() {
 			if (this.sessionRegistry == null && ServerHttpSecurity.this.oauth2Login == null) {
-				return new InMemoryReactiveOidcSessionRegistry();
+				return getBeanOrDefault(ReactiveOidcSessionRegistry.class, new InMemoryReactiveOidcSessionRegistry());
 			}
 			if (this.sessionRegistry == null) {
 				return ServerHttpSecurity.this.oauth2Login.oidcSessionRegistry;
diff --git a/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OidcLogoutConfigurerTests.java b/config/src/test/java/org/springframework/security/config/annotation/web/configurers/oauth2/client/OidcLogoutConfigurerTests.java
@@ -396,15 +396,13 @@ SecurityFilterChain filters(HttpSecurity http) throws Exception {
 	@Import(RegistrationConfig.class)
 	static class SelfLogoutUriConfig {
 
-		private final OidcSessionRegistry sessionRegistry = new InMemoryOidcSessionRegistry();
-
 		@Bean
 		@Order(1)
 		SecurityFilterChain filters(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
 				.authorizeHttpRequests((authorize) -> authorize.anyRequest().authenticated())
-				.oauth2Login((oauth2) -> oauth2.oidcSessionRegistry(this.sessionRegistry))
+				.oauth2Login(Customizer.withDefaults())
 				.oidcLogout((oidc) -> oidc
 					.backChannel(Customizer.withDefaults())
 				);
@@ -413,11 +411,6 @@ SecurityFilterChain filters(HttpSecurity http) throws Exception {
 			return http.build();
 		}
 
-		@Bean
-		OidcBackChannelLogoutHandler oidcLogoutHandler() {
-			return new OidcBackChannelLogoutHandler(this.sessionRegistry);
-		}
-
 	}
 
 	@Configuration
@@ -427,15 +420,13 @@ static class CookieConfig {
 
 		private final MockWebServer server = new MockWebServer();
 
-		private final OidcSessionRegistry sessionRegistry = new InMemoryOidcSessionRegistry();
-
 		@Bean
 		@Order(1)
 		SecurityFilterChain filters(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
 				.authorizeHttpRequests((authorize) -> authorize.anyRequest().authenticated())
-				.oauth2Login((oauth2) -> oauth2.oidcSessionRegistry(this.sessionRegistry))
+				.oauth2Login(Customizer.withDefaults())
 				.oidcLogout((oidc) -> oidc
 					.backChannel(Customizer.withDefaults())
 				);
@@ -445,8 +436,13 @@ SecurityFilterChain filters(HttpSecurity http) throws Exception {
 		}
 
 		@Bean
-		OidcBackChannelLogoutHandler oidcLogoutHandler() {
-			OidcBackChannelLogoutHandler logoutHandler = new OidcBackChannelLogoutHandler(this.sessionRegistry);
+		OidcSessionRegistry sessionRegistry() {
+			return new InMemoryOidcSessionRegistry();
+		}
+
+		@Bean
+		OidcBackChannelLogoutHandler oidcLogoutHandler(OidcSessionRegistry sessionRegistry) {
+			OidcBackChannelLogoutHandler logoutHandler = new OidcBackChannelLogoutHandler(sessionRegistry);
 			logoutHandler.setSessionCookieName("SESSION");
 			return logoutHandler;
 		}
@@ -485,7 +481,7 @@ SecurityFilterChain filters(HttpSecurity http) throws Exception {
 			// @formatter:off
 			http
 				.authorizeHttpRequests((authorize) -> authorize.anyRequest().authenticated())
-				.oauth2Login((oauth2) -> oauth2.oidcSessionRegistry(this.sessionRegistry))
+				.oauth2Login(Customizer.withDefaults())
 				.oidcLogout((oidc) -> oidc.backChannel(Customizer.withDefaults()));
 			// @formatter:on
 
diff --git a/config/src/test/java/org/springframework/security/config/web/server/OidcLogoutSpecTests.java b/config/src/test/java/org/springframework/security/config/web/server/OidcLogoutSpecTests.java
@@ -519,8 +519,6 @@ SecurityWebFilterChain filters(ServerHttpSecurity http) throws Exception {
 	@Import(RegistrationConfig.class)
 	static class CookieConfig {
 
-		private final ReactiveOidcSessionRegistry sessionRegistry = new InMemoryReactiveOidcSessionRegistry();
-
 		private final MockWebServer server = new MockWebServer();
 
 		@Bean
@@ -529,7 +527,7 @@ SecurityWebFilterChain filters(ServerHttpSecurity http) throws Exception {
 			// @formatter:off
 			http
 				.authorizeExchange((authorize) -> authorize.anyExchange().authenticated())
-				.oauth2Login((oauth2) -> oauth2.oidcSessionRegistry(this.sessionRegistry))
+				.oauth2Login(Customizer.withDefaults())
 				.oidcLogout((oidc) -> oidc
 					.backChannel(Customizer.withDefaults())
 				);
@@ -539,9 +537,13 @@ SecurityWebFilterChain filters(ServerHttpSecurity http) throws Exception {
 		}
 
 		@Bean
-		OidcBackChannelServerLogoutHandler oidcLogoutHandler() {
-			OidcBackChannelServerLogoutHandler logoutHandler = new OidcBackChannelServerLogoutHandler(
-					this.sessionRegistry);
+		ReactiveOidcSessionRegistry oidcSessionRegistry() {
+			return new InMemoryReactiveOidcSessionRegistry();
+		}
+
+		@Bean
+		OidcBackChannelServerLogoutHandler oidcLogoutHandler(ReactiveOidcSessionRegistry sessionRegistry) {
+			OidcBackChannelServerLogoutHandler logoutHandler = new OidcBackChannelServerLogoutHandler(sessionRegistry);
 			logoutHandler.setSessionCookieName("JSESSIONID");
 			return logoutHandler;
 		}
@@ -580,7 +582,7 @@ SecurityWebFilterChain filters(ServerHttpSecurity http) throws Exception {
 		// @formatter:off
 			http
 					.authorizeExchange((authorize) -> authorize.anyExchange().authenticated())
-					.oauth2Login((oauth2) -> oauth2.oidcSessionRegistry(this.sessionRegistry))
+					.oauth2Login(Customizer.withDefaults())
 					.oidcLogout((oidc) -> oidc.backChannel(Customizer.withDefaults()));
 			// @formatter:on
 

Original file line number	Diff line number	Diff line change
`@@ -5496,7 +5496,7 @@ private ReactiveClientRegistrationRepository getClientRegistrationRepository() {`
`5496`	`5496`
`5497`	`5497`	`private ReactiveOidcSessionRegistry getSessionRegistry() {`
`5498`	`5498`	`if (this.sessionRegistry == null && ServerHttpSecurity.this.oauth2Login == null) {`
`5499`		`- return new InMemoryReactiveOidcSessionRegistry();`
	`5499`	`+ return getBeanOrDefault(ReactiveOidcSessionRegistry.class, new InMemoryReactiveOidcSessionRegistry());`
`5500`	`5500`	`}`
`5501`	`5501`	`if (this.sessionRegistry == null) {`
`5502`	`5502`	`return ServerHttpSecurity.this.oauth2Login.oidcSessionRegistry;`