[ACCEPTED]-Spring security's SecurityContextHolder: session or request bound?-spring-security
It depends on how you configured it (or, let's say, you can configure a different behaviour).
In a Web application you will use the ThreadLocalSecurityContextHolderStrategy, which interacts with SecurityContextPersistenceFilter.
The JavaDoc of SecurityContextPersistenceFilter starts with:
Populates the {@link SecurityContextHolder} with information obtained from the configured {@link SecurityContextRepository} prior to the request and stores it back in the repository once the request has completed and clearing the context holder. By default it uses an {@link HttpSessionSecurityContextRepository}. See this class for information HttpSession related configuration options.
Btw: HttpSessionSecurityContextRepository is the only implementation of SecurityContextRepository (that I have found in the default libs).
It works like this:
- The HttpSessionSecurityContextRepository uses the HttpSession (key = "SPRING_SECURITY_CONTEXT") to store a SecurityContext object.
- The SecurityContextPersistenceFilter is a filter that uses a SecurityContextRepository, for example the HttpSessionSecurityContextRepository, to load and store SecurityContext objects. If an HttpRequest passes the filter, the filter gets the SecurityContext from the repository and puts it in the SecurityContextHolder (SecurityContextHolder#setContext).
- The SecurityContextHolder has two methods, setContext and getContext. Both use a SecurityContextHolderStrategy to specify what exactly is done in the set- and get-Context methods.
- For example, the ThreadLocalSecurityContextHolderStrategy uses a thread local to store the context.
So in summary: the user principal (element of SecurityContext) is stored in the HTTP session. And for each request it is put in a thread local, from where you access it.
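The load / set-thread-local / handle / save / clear cycle described in the answer, modelled as a single self-contained Java program. This is an added example, not Spring Security's own code: the class names mirror Spring's, but every implementation here (the map-backed HttpSession, the one-field SecurityContext, the handleRequest method standing in for the filter) is a simplified, assumed stand-in written for illustration.

```java
import java.util.HashMap;
import java.util.Map;

// Simplified model of the mechanism from the answer (hypothetical stand-ins, not Spring's classes).
public class ContextHolderDemo {

    // Stand-in for Spring's SecurityContext: just carries the principal name.
    static final class SecurityContext {
        final String principal;
        SecurityContext(String principal) { this.principal = principal; }
    }

    // Stand-in for HttpSession: a per-session attribute map.
    static final class HttpSession {
        private final Map<String, Object> attributes = new HashMap<>();
        Object getAttribute(String key) { return attributes.get(key); }
        void setAttribute(String key, Object value) { attributes.put(key, value); }
    }

    // Strategy interface: decides where getContext/setContext actually read and write.
    interface SecurityContextHolderStrategy {
        SecurityContext getContext();
        void setContext(SecurityContext ctx);
        void clearContext();
    }

    // ThreadLocal-based strategy: a thread only ever sees the context set on that thread.
    static final class ThreadLocalStrategy implements SecurityContextHolderStrategy {
        private final ThreadLocal<SecurityContext> holder = new ThreadLocal<>();
        public SecurityContext getContext() { return holder.get(); }
        public void setContext(SecurityContext ctx) { holder.set(ctx); }
        public void clearContext() { holder.remove(); }
    }

    // Static holder delegating to the configured strategy.
    static final class SecurityContextHolder {
        private static final SecurityContextHolderStrategy strategy = new ThreadLocalStrategy();
        static SecurityContext getContext() { return strategy.getContext(); }
        static void setContext(SecurityContext ctx) { strategy.setContext(ctx); }
        static void clearContext() { strategy.clearContext(); }
    }

    // Repository that keeps the context in the session under the fixed key named in the answer.
    static final class HttpSessionSecurityContextRepository {
        static final String KEY = "SPRING_SECURITY_CONTEXT";
        SecurityContext load(HttpSession session) {
            return (SecurityContext) session.getAttribute(KEY);
        }
        void save(HttpSession session, SecurityContext ctx) {
            session.setAttribute(KEY, ctx);
        }
    }

    // What the persistence filter does for each request: load -> publish to thread local ->
    // run the request -> write back -> clear the thread local (clear runs even if the handler throws).
    static void handleRequest(HttpSession session, HttpSessionSecurityContextRepository repo, Runnable handler) {
        SecurityContextHolder.setContext(repo.load(session));
        try {
            handler.run();
            repo.save(session, SecurityContextHolder.getContext());
        } finally {
            SecurityContextHolder.clearContext();
        }
    }

    public static void main(String[] args) throws InterruptedException {
        HttpSessionSecurityContextRepository repo = new HttpSessionSecurityContextRepository();
        HttpSession session = new HttpSession();

        // Request 1: a login handler populates the context; the filter persists it to the session.
        handleRequest(session, repo, () -> SecurityContextHolder.setContext(new SecurityContext("alice")));

        // Request 2 on a different worker thread but the same session: context comes back from the session.
        Thread worker = new Thread(() -> handleRequest(session, repo, () ->
            System.out.println("same session, other thread sees: "
                + SecurityContextHolder.getContext().principal)));
        worker.start();
        worker.join();

        // A request in an unrelated session finds nothing: the context is session-bound, not global.
        HttpSession otherSession = new HttpSession();
        handleRequest(otherSession, repo, () ->
            System.out.println("other session sees: " + SecurityContextHolder.getContext()));

        // Outside any request the thread local has been cleared.
        System.out.println("outside a request: " + SecurityContextHolder.getContext());
    }
}
```

Running it prints the principal for the second request, then null for the unrelated session and null outside a request, which is the session-bound-storage, request-bound-thread-local split the answer summarises. The finally block matters in practice: without it a pooled request thread would carry the previous user's context into the next request it serves.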