Spring security's SecurityContextHolder: session or request bound?

Java, Spring, Jakarta EE, Spring Security

Java Problem Overview


Is the UserPrincipal I retrieve from SecurityContextHolder bound to requests or to sessions?

UserPrincipal principal = (UserPrincipal) SecurityContextHolder.getContext().getAuthentication().getPrincipal();

This is the way I access the currently logged in user. Will this invalidate if the current session is destroyed?

Java Solutions


Solution 1 - Java

It depends on how you configured it (or let's say, you can configure a different behaviour).

In a Web application you will use the ThreadLocalSecurityContextHolderStrategy which interacts with SecurityContextPersistenceFilter.

The Java Doc of SecurityContextPersistenceFilter starts with:

> Populates the {@link SecurityContextHolder} with information obtained from the configured {@link SecurityContextRepository} prior to the request and stores it back in the repository once the request has completed and clearing the context holder. By default it uses an {@link HttpSessionSecurityContextRepository}. See this class for information HttpSession related configuration options.

Btw: HttpSessionSecurityContextRepository is the only implementation of SecurityContextRepository (that I have found in the default libs).

It works like this:

  • The HttpSessionSecurityContextRepository uses the HttpSession (key="SPRING_SECURITY_CONTEXT") to store a SecurityContext object.
  • The SecurityContextPersistenceFilter is a filter that uses a SecurityContextRepository (for example the HttpSessionSecurityContextRepository) to load and store SecurityContext objects. If an HttpRequest passes the filter, the filter gets the SecurityContext from the repository and puts it in the SecurityContextHolder (SecurityContextHolder#setContext).
  • The SecurityContextHolder has two methods, setContext and getContext. Both use a SecurityContextHolderStrategy to specify what exactly is done in the set- and get-context methods. For example, the ThreadLocalSecurityContextHolderStrategy uses a thread local to store the context.

So in summary: the user principal (an element of the SecurityContext) is stored in the HTTP session, and for each request it is put in a thread local, from where you access it.
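The thread-local half of that mechanism, as an added stand-alone example (not code from the question or answer, and not Spring's own implementation of the filter): it builds a context the way the filter would after loading it from the session, shows that a worker thread spawned from the request thread does not see the authentication, shows how DelegatingSecurityContextRunnable copies it across explicitly, and clears the holder at the end of the request so nothing leaks to the next request served by a pooled thread. The user name and role are constructed sample values; the only dependency is spring-security-core.

```java
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.concurrent.DelegatingSecurityContextRunnable;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;

public class HolderScopeDemo {

    // Mimics what SecurityContextPersistenceFilter does at the start of a request:
    // the context it normally loads from the HttpSession is built here by hand
    // (constructed sample user and role) and put into the holder.
    static void beginRequest(String user) {
        Authentication auth = new UsernamePasswordAuthenticationToken(
                user, null, AuthorityUtils.createAuthorityList("ROLE_USER"));
        SecurityContext ctx = SecurityContextHolder.createEmptyContext();
        ctx.setAuthentication(auth);
        SecurityContextHolder.setContext(ctx);
    }

    // What application code reads: whatever the holder returns for the calling thread.
    static String currentUser() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        return auth == null ? "<none>" : auth.getName();
    }

    public static void main(String[] args) throws InterruptedException {
        // The default strategy in a web application; set explicitly to make the point.
        SecurityContextHolder.setStrategyName(SecurityContextHolder.MODE_THREADLOCAL);
        beginRequest("alice");
        System.out.println("request thread sees: " + currentUser());

        // A thread started from the handler does NOT inherit the thread-local context.
        Thread plain = new Thread(() -> System.out.println("plain worker sees: " + currentUser()));
        plain.start();
        plain.join();

        // Explicit propagation: the wrapper captures the caller's context and
        // installs/clears it around the delegate on the worker thread.
        Thread wrapped = new Thread(new DelegatingSecurityContextRunnable(
                () -> System.out.println("delegating worker sees: " + currentUser())));
        wrapped.start();
        wrapped.join();

        // End of request: the filter clears the holder; without this a pooled thread
        // would carry alice's authentication into the next request it serves.
        SecurityContextHolder.clearContext();
        System.out.println("after clearContext: " + currentUser());
    }
}
```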

Attributions

All content for this solution is sourced from the original question on Stackoverflow.

The content on this page is licensed under the Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license.

Question: original author chzbrgla (view question on Stackoverflow)
Solution 1 - Java: original author Ralph (view answer on Stackoverflow)