Spring security’s SecurityContextHolder: session or request bound?

by

It depends on how you configured it (or lets say, you can configure a different behaviour).

In a Web application you will use the ThreadLocalSecurityContextHolderStrategy which interacts with SecurityContextPersistenceFilter.

The Java Doc of SecurityContextPersistenceFilter starts with:

Populates the {@link
SecurityContextHolder} with
information obtained from the
configured {@link
SecurityContextRepository} prior to
the request and stores it back in the
repository once the request has
completed and clearing the context
holder. By default it uses an {@link
HttpSessionSecurityContextRepository}.
See this class for information
HttpSession related
configuration options.

Btw: HttpSessionSecurityContextRepository is the only implementation of SecurityContextRepository (I have found in the default libs)

It works like this:

  • The HttpSessionSecurityContextRepository uses the httpSession (Key=”SPRING_SECURITY_CONTEXT”) to store an SecurityContext Object.
  • The SecurityContextPersistenceFilter is an filter that uses an SecurityContextRepository for example the HttpSessionSecurityContextRepository to load and store SecurityContext Objects. If an HttpRequest passes the filter, the filter get the SecurityContext from the repository and put it in the SecurityContextHolder (SecurityContextHolder#setContext)
  • The SecurityContextHolder has two methods setContext and getContext. Both uses a SecurityContextHolderStrategy to specify what exactly is done in the set- and get-Context methods. – For example the ThreadLocalSecurityContextHolderStrategy uses a thread local to store the context.

So in summary: The user principal (element of SecurityContext) is stored in the HTTP Session. And for each request it is put in a thread local from where you access it.

More Related Contents:

  1. Filter invoke twice when register as Spring bean
  2. How to get active user’s UserDetails
  3. How To Inject AuthenticationManager using Java Configuration in a Custom Filter
  4. When using Spring Security, what is the proper way to obtain current username (i.e. SecurityContext) information in a bean?
  5. Mapping ManyToMany with composite Primary key and Annotation:
  6. How to disable spring security for particular url
  7. How to manage exceptions thrown in filters in Spring?
  8. How to disable ‘X-Frame-Options’ response header in Spring Security?
  9. How to enable HTTP response caching in Spring Boot
  10. Java EE 6 vs. Spring 3 stack [closed]
  11. How to get the current logged in user object from spring security?
  12. Multiple WebSecurityConfigurerAdapter in spring boot for multiple patterns
  13. Customize authentication failure response in Spring Security using AuthenticationFailureHandler
  14. Unit testing with Spring Security
  15. Spring security does not allow CSS or JS resources to be loaded
  16. spring web, security + web.xml + mvc dispatcher + Bean is created twice
  17. How to apply Spring Security filter only on secured endpoints?
  18. Securing Spring Boot API with API key and secret
  19. Autowiring in Spring bean (@Component) created with new keyword
  20. What is meant by abstract=”true” in spring?
  21. how to set header no cache in spring mvc 3 by annotation
  22. Spring Security HTTP Basic for RESTFul and FormLogin (Cookies) for web – Annotations
  23. Spring security added prefix “ROLE_” to all roles name?
  24. Why this Spring application with java-based configuration don’t work properly
  25. How to reload authorities on user update with Spring Security
  26. How do I disable resolving login parameters passed as url parameters / from the url
  27. How do I add method based security to a Spring Boot project?
  28. How to make a database listener with java?
  29. How to secure REST API with Spring Boot and Spring Security?
  30. Why BCryptPasswordEncoder from Spring generate different outputs for same input?

Leave a Comment