From 9dbe3bdcc03bebb84a895bf5e79deba26c58da03 Mon Sep 17 00:00:00 2001 From: Josh Cummings <3627351+jzheaux@users.noreply.github.com> Date: Tue, 3 Mar 2026 16:20:16 -0700 Subject: [PATCH] Polish Session Management Persistence Docs Signed-off-by: Josh Cummings <3627351+jzheaux@users.noreply.github.com> --- .../ROOT/pages/servlet/authentication/session-management.adoc | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/modules/ROOT/pages/servlet/authentication/session-management.adoc b/docs/modules/ROOT/pages/servlet/authentication/session-management.adoc index b45879fa79..2d6aac85af 100644 --- a/docs/modules/ROOT/pages/servlet/authentication/session-management.adoc +++ b/docs/modules/ROOT/pages/servlet/authentication/session-management.adoc @@ -3,7 +3,9 @@ Once you have got an application that is xref:servlet/authentication/index.adoc[authenticating requests], it is important to consider how that resulting authentication will be persisted and restored on future requests. -Starting from Spring Security 6 security context is not persisted automatically by default, thus it is important to know what `requireExplicitSave` means in `HttpSecurity`. +This is done automatically by default. If you have a custom filter or controller that is setting the security context, you will need to use a `SecurityContextRepository` to persist it across requests. + +If you are upgrading from an older version, you may be interested in the `requireExplicitSave` setting that preserves Spring Security 5's default, though note that this is primarily for migration purposes. If you like, <> or <>. Otherwise, in most cases you are done with this section.
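Review bot: The first added line opens with "This is done automatically by default", which has an unclear antecedent and reads as unconditional, yet the next sentence carves out custom filters and controllers that set the security context themselves. A reader who stops at the first sentence may assume a manually set context is persisted too. Consider scoping the sentence to what the framework handles itself, for example "Spring Security does this automatically for its own authentication mechanisms", and linking `SecurityContextRepository` to the section that shows how to save the context. In the second added paragraph, `requireExplicitSave` is described as the setting "that preserves Spring Security 5's default" without saying which value does so or where it is configured. The removed line at least placed it "in `HttpSecurity`". Suggest keeping that location and either stating the value or adding an xref to the section that explains it, so someone migrating does not have to guess.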