
SEC-2055: SaveContextServletOutputStream flush/close delegates to original ServletOutputStream instead of using super

Rob Winch 13 years ago
0350c2833e

+ 2 - 4
web/src/main/java/org/springframework/security/web/context/SaveContextOnUpdateOrErrorResponseWrapper.java

@@ -203,16 +203,14 @@ public abstract class SaveContextOnUpdateOrErrorResponseWrapper extends HttpServ
             this.delegate.write(b);
         }
 
-        @Override
         public void flush() throws IOException {
             doSaveContext();
-            super.flush();
+            delegate.flush();
         }
 
-        @Override
         public void close() throws IOException {
             doSaveContext();
-            super.close();
+            delegate.close();
         }
     }
 }
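Review bot: The `@Override` annotations on `flush()` and `close()` should be kept rather than dropped with the `super` calls; `SaveContextServletOutputStream` extends `ServletOutputStream`, which extends `java.io.OutputStream`, so both methods still override inherited ones and the annotation remains valid. Without it, a future rename or signature slip would silently introduce a new method instead of an override, and the wrapper would stop calling `doSaveContext()` on flush/close — exactly the path that persists the SecurityContext for the next request. Re-add `@Override` above each of the two signatures. The enclosing inner class begins before this hunk, so the field declaration for `delegate` and the remaining `write` overloads are not visible here.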

+ 34 - 0
web/src/test/java/org/springframework/security/web/context/HttpSessionSecurityContextRepositoryTests.java

@@ -13,8 +13,12 @@
 package org.springframework.security.web.context;
 
 import static org.junit.Assert.*;
+import static org.mockito.Mockito.*;
 import static org.springframework.security.web.context.HttpSessionSecurityContextRepository.*;
 
+import javax.servlet.ServletOutputStream;
+import javax.servlet.http.HttpServletResponse;
+
 import org.junit.After;
 import org.junit.Test;
 import org.springframework.mock.web.MockHttpServletRequest;
@@ -242,6 +246,36 @@ public class HttpSessionSecurityContextRepositoryTests {
        assertEquals(SecurityContextHolder.getContext(), request.getSession().getAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY));
     }
 
+    // SEC-SEC-2055
+    @Test
+    public void outputStreamCloseDelegate() throws Exception {
+        HttpSessionSecurityContextRepository repo = new HttpSessionSecurityContextRepository();
+        MockHttpServletRequest request = new MockHttpServletRequest();
+        HttpServletResponse response = mock(HttpServletResponse.class);
+        ServletOutputStream outputstream = mock(ServletOutputStream.class);
+        when(response.getOutputStream()).thenReturn(outputstream);
+        HttpRequestResponseHolder holder = new HttpRequestResponseHolder(request, response);
+        SecurityContextHolder.setContext(repo.loadContext(holder));
+        SecurityContextHolder.getContext().setAuthentication(testToken);
+        holder.getResponse().getOutputStream().close();
+        verify(outputstream).close();
+    }
+
+    // SEC-SEC-2055
+    @Test
+    public void outputStreamFlushesDelegate() throws Exception {
+        HttpSessionSecurityContextRepository repo = new HttpSessionSecurityContextRepository();
+        MockHttpServletRequest request = new MockHttpServletRequest();
+        HttpServletResponse response = mock(HttpServletResponse.class);
+        ServletOutputStream outputstream = mock(ServletOutputStream.class);
+        when(response.getOutputStream()).thenReturn(outputstream);
+        HttpRequestResponseHolder holder = new HttpRequestResponseHolder(request, response);
+        SecurityContextHolder.setContext(repo.loadContext(holder));
+        SecurityContextHolder.getContext().setAuthentication(testToken);
+        holder.getResponse().getOutputStream().flush();
+        verify(outputstream).flush();
+    }
+
     @Test
     public void noSessionIsCreatedIfSessionWasInvalidatedDuringTheRequest() throws Exception {
         HttpSessionSecurityContextRepository repo = new HttpSessionSecurityContextRepository();
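Review bot: Both new tests verify only that the call reached the mocked `ServletOutputStream` and not that the security context was actually saved on that call, so a regression where `doSaveContext()` is skipped would still pass; the sibling test just above asserts the session attribute, and the same check could follow each `verify(...)` line, for example `assertEquals(SecurityContextHolder.getContext(), request.getSession().getAttribute(SPRING_SECURITY_CONTEXT_KEY));` — assuming the mocked response reports itself as uncommitted, which the repository presumably requires before writing to the session. The marker comment `// SEC-SEC-2055` has the ticket prefix doubled and should read `// SEC-2055`. The two tests also duplicate eight lines of setup; a small private helper returning the wrapped response would keep them in step if the fixture changes.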