Spring Security SEC-2708: SavedRequestAwareAuthenticationSuccessHandler ignores configured RequestCache

Greg Adams (Migrated from SEC-2708) said:

I'm using a custom RequestCache, specified in JavaConfig thus:

@Order(Ordered.LOWEST_PRECEDENCE - 8)
    protected static class SecurityConfig extends WebSecurityConfigurerAdapter {
...
    @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
                .requestCache().requestCache(new CookieRequestCache()).and()
...

The problem is that SavedRequestAwareAuthenticationSuccessHandler doesn't use CookieRequestCache when configured like this, it still uses the default HttpSessionRequestCache. I have to resort to something like this:

@Override
        protected void configure(HttpSecurity http) throws Exception {
            RequestCache requestCache = new CookieRequestCache();
            SavedRequestAwareAuthenticationSuccessHandler successHandler = new SavedRequestAwareAuthenticationSuccessHandler();
            successHandler.setRequestCache(requestCache);
            http
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS).and()
                .requestCache().requestCache(requestCache).and()
...
.formLogin()
                    .loginPage("/login")
                    .permitAll()
                    .successHandler(successHandler)

to get saved request functionality to work with my customer request cache. I would think the request cache configured at the HttpSecurity level should be shared and used in the default form login success handler.

Comment From: 2is10

Will this ever be prioritized?

Comment From: marcusdacoregio

Closed via https://github.com/spring-projects/spring-security/issues/5582