ServerHttpSecurity: oauth2Login() ignores securityContextRepository()

[ilgrosso]

In org.springframework.security.config.web.server.ServerHttpSecurity.OAuth2LoginSpec#configure, the line

spring-security/config/src/main/java/org/springframework/security/config/web/server/ServerHttpSecurity.java

Line 1141 in 2055466

authenticationFilter.setSecurityContextRepository(new WebSessionServerSecurityContextRepository());

does not take into account ServerHttpSecurity.this.securityContextRepository (which has the same default value, but can be customized by invoking securityContextRepository()) and blindly creates a new instance of WebSessionServerSecurityContextRepository.

[jzheaux]

The JavaDoc for ServerHttpSecurity#securityContextRepository states:

It does not impact how the {@code SecurityContext} is saved which is configured on a per {@link AuthenticationWebFilter} basis

The way that HttpBasicSpec and FormLoginSpec are configured is as follows:

http
    .httpBasic()
        .securityContextRepository(...)

and

http
    .formLogin()
        .securityContextRepository(...)

Given the JavaDoc and the way that other authentication mechanisms work, it would seem to be preferable instead to add a securityContextRepository method to the oauth2Login DSL:

http
    .oauth2Login()
        .securityContextRepository(...)

Would you be willing to provide a PR along those lines instead? It would be one that introduces securityContextRepository(...) to OAuth2LoginSpec.

[ilgrosso]

@jzheaux thanks for review; here's the new PR: #7244