spring-security/docs/modules/ROOT/partials/servlet/architecture/security-context-explicit.adoc

.Explicit Saving of SecurityContext
[tabs]
======
Java::
+
[source,java,role="primary"]
----
public SecurityFilterChain filterChain(HttpSecurity http) {
	http
		// ...
		.securityContext((securityContext) -> securityContext
			.requireExplicitSave(true)
		);
	return http.build();
}
----

Kotlin::
+
[source,kotlin,role="secondary"]
----
@Bean
open fun springSecurity(http: HttpSecurity): SecurityFilterChain {
    http {
        securityContext {
            requireExplicitSave = true
        }
    }
    return http.build()
}
----

XML::
+
[source,xml,role="secondary"]
----
<http security-context-explicit-save="true">
	<!-- ... -->
</http>
----
======


Upon using the configuration, it is important that any code that sets the `SecurityContextHolder` with a `SecurityContext` also saves the `SecurityContext` to the `SecurityContextRepository` if it should be persisted between requests.

For example, the following code:

.Setting `SecurityContextHolder` with `SecurityContextPersistenceFilter`
[tabs]
======
Java::
+
[source,java,role="primary"]
----
SecurityContextHolder.setContext(securityContext);
----

Kotlin::
+
[source,kotlin,role="secondary"]
----
SecurityContextHolder.setContext(securityContext)
----
======

should be replaced with

.Setting `SecurityContextHolder` with `SecurityContextHolderFilter`
[tabs]
======
Java::
+
[source,java,role="primary"]
----
SecurityContextHolder.setContext(securityContext);
securityContextRepository.saveContext(securityContext, httpServletRequest, httpServletResponse);
----

Kotlin::
+
[source,kotlin,role="secondary"]
----
SecurityContextHolder.setContext(securityContext)
securityContextRepository.saveContext(securityContext, httpServletRequest, httpServletResponse)
----
======
Document Migration to SecurityContextHolderFilter Closes gh-12098 2022-10-27 15:12:45 -05:00			`.Explicit Saving of SecurityContext`
Merge branch '5.7.x' into 5.8.x Closes gh-13405 2023-06-18 21:32:35 -05:00			`[tabs]`
			`======`
			`Java::`
			`+`
Document Migration to SecurityContextHolderFilter Closes gh-12098 2022-10-27 15:12:45 -05:00			`[source,java,role="primary"]`
			`----`
			`public SecurityFilterChain filterChain(HttpSecurity http) {`
			`http`
			`// ...`
			`.securityContext((securityContext) -> securityContext`
			`.requireExplicitSave(true)`
			`);`
			`return http.build();`
			`}`
			`----`

Merge branch '5.7.x' into 5.8.x Closes gh-13405 2023-06-18 21:32:35 -05:00			`Kotlin::`
			`+`
Document Migration to SecurityContextHolderFilter Closes gh-12098 2022-10-27 15:12:45 -05:00			`[source,kotlin,role="secondary"]`
			`----`
			`@Bean`
			`open fun springSecurity(http: HttpSecurity): SecurityFilterChain {`
			`http {`
			`securityContext {`
			`requireExplicitSave = true`
			`}`
			`}`
			`return http.build()`
			`}`
			`----`

Merge branch '5.7.x' into 5.8.x Closes gh-13405 2023-06-18 21:32:35 -05:00			`XML::`
			`+`
Document Migration to SecurityContextHolderFilter Closes gh-12098 2022-10-27 15:12:45 -05:00			`[source,xml,role="secondary"]`
			`----`
			`<http security-context-explicit-save="true">`
			`<!-- ... -->`
			`</http>`
			`----`
Merge branch '5.7.x' into 5.8.x Closes gh-13405 2023-06-18 21:32:35 -05:00			`======`
Document Migration to SecurityContextHolderFilter Closes gh-12098 2022-10-27 15:12:45 -05:00

			Upon using the configuration, it is important that any code that sets the `SecurityContextHolder` with a `SecurityContext` also saves the `SecurityContext` to the `SecurityContextRepository` if it should be persisted between requests.

			`For example, the following code:`

			.Setting `SecurityContextHolder` with `SecurityContextPersistenceFilter`
Merge branch '5.7.x' into 5.8.x Closes gh-13405 2023-06-18 21:32:35 -05:00			`[tabs]`
			`======`
			`Java::`
			`+`
Document Migration to SecurityContextHolderFilter Closes gh-12098 2022-10-27 15:12:45 -05:00			`[source,java,role="primary"]`
			`----`
			`SecurityContextHolder.setContext(securityContext);`
			`----`

Merge branch '5.7.x' into 5.8.x Closes gh-13405 2023-06-18 21:32:35 -05:00			`Kotlin::`
			`+`
Document Migration to SecurityContextHolderFilter Closes gh-12098 2022-10-27 15:12:45 -05:00			`[source,kotlin,role="secondary"]`
			`----`
			`SecurityContextHolder.setContext(securityContext)`
			`----`
Merge branch '5.7.x' into 5.8.x Closes gh-13405 2023-06-18 21:32:35 -05:00			`======`
Document Migration to SecurityContextHolderFilter Closes gh-12098 2022-10-27 15:12:45 -05:00
			`should be replaced with`

			.Setting `SecurityContextHolder` with `SecurityContextHolderFilter`
Merge branch '5.7.x' into 5.8.x Closes gh-13405 2023-06-18 21:32:35 -05:00			`[tabs]`
			`======`
			`Java::`
			`+`
Document Migration to SecurityContextHolderFilter Closes gh-12098 2022-10-27 15:12:45 -05:00			`[source,java,role="primary"]`
			`----`
			`SecurityContextHolder.setContext(securityContext);`
			`securityContextRepository.saveContext(securityContext, httpServletRequest, httpServletResponse);`
			`----`

Merge branch '5.7.x' into 5.8.x Closes gh-13405 2023-06-18 21:32:35 -05:00			`Kotlin::`
			`+`
Document Migration to SecurityContextHolderFilter Closes gh-12098 2022-10-27 15:12:45 -05:00			`[source,kotlin,role="secondary"]`
			`----`
			`SecurityContextHolder.setContext(securityContext)`
			`securityContextRepository.saveContext(securityContext, httpServletRequest, httpServletResponse)`
			`----`
Merge branch '5.7.x' into 5.8.x Closes gh-13405 2023-06-18 21:32:35 -05:00			`======`