.Explicit Saving of SecurityContext
[tabs]
======
Java::
+
[source,java,role="primary"]
----
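@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    http
        // ...
        .securityContext((securityContext) -> securityContext
            // the SecurityContext is persisted only when saveContext is called explicitly
            .requireExplicitSave(true)
        );
    return http.build();
}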
----
Kotlin::
+
[source,kotlin,role="secondary"]
----
@Bean
open fun springSecurity(http: HttpSecurity): SecurityFilterChain {
    http {
        securityContext {
            requireExplicitSave = true
        }
    }
    return http.build()
}
----
XML::
+
[source,xml,role="secondary"]
----
<http security-context-explicit-save="true">
    <!-- ... -->
</http>
----
======
When this configuration is used, any code that sets a `SecurityContext` on the `SecurityContextHolder` must also save that `SecurityContext` to the `SecurityContextRepository` if it should be persisted between requests.
For example, the following code:

.Setting `SecurityContextHolder` with `SecurityContextPersistenceFilter`
[tabs]
======
Java::
+
[source,java,role="primary"]
----
SecurityContextHolder.setContext(securityContext);
----
Kotlin::
+
[source,kotlin,role="secondary"]
----
SecurityContextHolder.setContext(securityContext)
----
======

should be replaced with:

.Setting `SecurityContextHolder` with `SecurityContextHolderFilter`
[tabs]
======
Java::
+
[source,java,role="primary"]
----
SecurityContextHolder.setContext(securityContext);
securityContextRepository.saveContext(securityContext, httpServletRequest, httpServletResponse);
----
Kotlin::
+
[source,kotlin,role="secondary"]
----
SecurityContextHolder.setContext(securityContext)
securityContextRepository.saveContext(securityContext, httpServletRequest, httpServletResponse)
----
======