Describe the bug
CasAuthenticationFilter sets a reference to a SecurityContextRepository (https://github.com/spring-projects/spring-security/blob/e77126740d67f5fe714833c910b9c94976e44c49/cas/src/main/java/org/springframework/security/cas/web/CasAuthenticationFilter.java#L216) in itself and uses it in https://github.com/spring-projects/spring-security/blob/e77126740d67f5fe714833c910b9c94976e44c49/cas/src/main/java/org/springframework/security/cas/web/CasAuthenticationFilter.java#L233, which causes the setSecurityContextRepository(...) defined in the parent class AbstractAuthenticationProcessingFilter to no longer be configurable.
The securityContextRepository reference is only used for the call to successfulAuthentication(...) (https://github.com/spring-projects/spring-security/blob/e77126740d67f5fe714833c910b9c94976e44c49/cas/src/main/java/org/springframework/security/cas/web/CasAuthenticationFilter.java#L227-L236).
For me, it seems like it is just duplicating the code defined in the parent class AbstractAuthenticationProcessingFilter (https://github.com/spring-projects/spring-security/blob/e77126740d67f5fe714833c910b9c94976e44c49/web/src/main/java/org/springframework/security/web/authentication/AbstractAuthenticationProcessingFilter.java#L322-L333) and can be rewritten to avoid the securityContextRepository reference defined in CasAuthenticationFilter.
Example:
```java
@Override
protected final void successfulAuthentication(HttpServletRequest request, HttpServletResponse response,
        FilterChain chain, Authentication authResult) throws IOException, ServletException {
    // Decide whether the filter chain should continue (proxy ticket request) before delegating
    boolean continueFilterChain = proxyTicketRequest(serviceTicketRequest(request, response), request);
    // Let AbstractAuthenticationProcessingFilter save the context through its own
    // (configurable) securityContextRepository and invoke the success handler
    super.successfulAuthentication(request, response, chain, authResult);
    if (continueFilterChain) {
        chain.doFilter(request, response);
    }
}
```
Expected behavior
CasAuthenticationFilter should be able to configure a different SecurityContextRepository by calling setSecurityContextRepository(...).
Comment From: marcusdacoregio
Hi, @sammyhk. Thanks for the report.
If we apply the changes as you suggested, there is a test that stops passing where it expects the AuthenticationSuccessHandler to not be called. I don't think that we should apply a change that might break things for others.
The code duplication is not a problem here; we should probably override setSecurityContextRepository to call super and also set it into the CasAuthenticationFilter#securityContextRepository. The same goes for SecurityContextHolderStrategy.
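The approach the maintainer describes, sketched here as an added illustration rather than code taken from Spring Security: the filter keeps its own references, and each overridden setter forwards to the parent before updating the local copy, so the repository and holder strategy used in successfulAuthentication(...) always match what was configured through the parent API. The field names and default values are assumptions for the sketch; the ticket-handling members of the real class are unchanged and not shown.

```java
package org.springframework.security.cas.web;

import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.context.SecurityContextHolderStrategy;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextRepository;
import org.springframework.util.Assert;

// Illustrative sketch of the suggested change (not the project's code).
public class CasAuthenticationFilter extends AbstractAuthenticationProcessingFilter {

    // Local copies used by this filter's own successfulAuthentication(...) logic.
    // Defaults are assumed here to mirror the parent's defaults.
    private SecurityContextRepository securityContextRepository = new HttpSessionSecurityContextRepository();

    private SecurityContextHolderStrategy securityContextHolderStrategy = SecurityContextHolder
            .getContextHolderStrategy();

    public CasAuthenticationFilter() {
        super("/login/cas");
    }

    // Forward to the parent so AbstractAuthenticationProcessingFilter behaves as configured,
    // then keep the local reference in sync so both code paths use the same repository.
    @Override
    public void setSecurityContextRepository(SecurityContextRepository securityContextRepository) {
        Assert.notNull(securityContextRepository, "securityContextRepository cannot be null");
        super.setSecurityContextRepository(securityContextRepository);
        this.securityContextRepository = securityContextRepository;
    }

    // Same pattern for the holder strategy, as the comment suggests.
    @Override
    public void setSecurityContextHolderStrategy(SecurityContextHolderStrategy securityContextHolderStrategy) {
        Assert.notNull(securityContextHolderStrategy, "securityContextHolderStrategy cannot be null");
        super.setSecurityContextHolderStrategy(securityContextHolderStrategy);
        this.securityContextHolderStrategy = securityContextHolderStrategy;
    }

    // Accessors so a test can verify that the local copies follow the configured values.
    SecurityContextRepository getCasSecurityContextRepository() {
        return this.securityContextRepository;
    }

    SecurityContextHolderStrategy getCasSecurityContextHolderStrategy() {
        return this.securityContextHolderStrategy;
    }
}
```

With this in place, a configuration such as `filter.setSecurityContextRepository(new RequestAttributeSecurityContextRepository())` is honoured by both the parent's success handling and the CAS-specific path, which is the expected behavior described in the report, while the existing test that expects the success handler not to be invoked is left untouched.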