Describe the bug
org.springframework.security.cas.web.CasAuthenticationFilter.successfulAuthentication seems to be missing a call to securityContextRepository.saveContext as per the Spring 6 migration document. I think this makes the filter completely unusable on Spring 6/Boot 3 and raises the question of whether the CasAuthenticationFilter code is production ready for Spring 6 otherwise.
To Reproduce
Use the filter
Expected behavior
SecurityContext is saved between requests :)
Comment From: Anubhav-2000
Hi @marcusdacoregio, can I try this?
Comment From: marcusdacoregio
Hi @Anubhav-2000, yes, the issue is yours.
Ideally, I think we should keep a reference of the SecurityContextRepository set in the constructor and call it in the successfulAuthentication method. Something like this:
```java
private SecurityContextRepository securityContextRepository = new HttpSessionSecurityContextRepository();

public CasAuthenticationFilter() {
    super("/login/cas");
    setAuthenticationFailureHandler(new SimpleUrlAuthenticationFailureHandler());
    // Hand the same repository to the parent filter so both use one instance
    setSecurityContextRepository(this.securityContextRepository);
}

// ...

@Override
protected final void successfulAuthentication(HttpServletRequest request, HttpServletResponse response,
        FilterChain chain, Authentication authResult) throws IOException, ServletException {
    // ...
    SecurityContext context = SecurityContextHolder.createEmptyContext();
    context.setAuthentication(authResult);
    SecurityContextHolder.setContext(context);
    // Explicitly persist the context so it is available on later requests
    this.securityContextRepository.saveContext(context, request, response);
    // ...
}
```
Then, in 6.2, we can override the setter method and update both references.
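The following is an added example, not part of the thread and not Spring Security's own code: it replays the success-handling steps from the snippet above against mock servlet objects and checks whether a follow-up request on the same session still finds a SecurityContext, with and without the `saveContext` call. The class `SaveContextDemo`, its helper methods and the sample user are hypothetical; it assumes `spring-security-web`, `spring-test` and the Jakarta Servlet API on the classpath.

```java
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextRepository;

import jakarta.servlet.http.HttpSession;

// Hypothetical demo class (not part of Spring Security).
public class SaveContextDemo {

    // Mirrors the body sketched in the thread; 'save' toggles the saveContext call.
    static void onSuccess(SecurityContextRepository repo, MockHttpServletRequest request,
            MockHttpServletResponse response, Authentication authResult, boolean save) {
        SecurityContext context = SecurityContextHolder.createEmptyContext();
        context.setAuthentication(authResult);
        SecurityContextHolder.setContext(context);
        if (save) {
            repo.saveContext(context, request, response);
        }
    }

    // Models the browser's next request: same HttpSession (if one exists), fresh thread-local holder.
    static boolean nextRequestHasContext(SecurityContextRepository repo, MockHttpServletRequest previous) {
        SecurityContextHolder.clearContext();
        MockHttpServletRequest next = new MockHttpServletRequest();
        HttpSession session = previous.getSession(false);
        if (session != null) {
            next.setSession(session);
        }
        return repo.containsContext(next);
    }

    static boolean run(boolean save) {
        SecurityContextRepository repo = new HttpSessionSecurityContextRepository();
        MockHttpServletRequest login = new MockHttpServletRequest("GET", "/login/cas");
        // Constructed stand-in for the token a CAS authentication provider would return.
        Authentication auth = new TestingAuthenticationToken("alice", "n/a", "ROLE_USER");
        onSuccess(repo, login, new MockHttpServletResponse(), auth, save);
        return nextRequestHasContext(repo, login);
    }

    public static void main(String[] args) {
        System.out.println("context on next request, without saveContext: " + run(false));
        System.out.println("context on next request, with saveContext:    " + run(true));
    }
}
```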
Comment From: Anubhav-2000
Thanks @marcusdacoregio, I have not overridden the setter method and have done the rest of the changes.