# Security Context Management
Spring Security Web's security context management provides thread-safe storage, persistence, and lifecycle management of security contexts across HTTP requests. It handles the loading, saving, and clearing of authentication information throughout request processing.
## Core Security Context Components
### Security Context Repository
The central interface for persisting security contexts.
```java { .api }
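/**
 * Strategy for persisting a {@link SecurityContext} between requests.
 */
public interface SecurityContextRepository {

    /**
     * Loads the security context for the request.
     *
     * <p>Implementations are expected to return an empty context, never
     * {@code null}, when nothing is stored for the request.
     *
     * <p>NOTE(review): Spring Security 6 deprecates this overload in favour of
     * {@code loadDeferredContext(HttpServletRequest)} - confirm against the
     * version in use.
     *
     * @param requestResponseHolder holder for the current request and response
     * @return the security context for the request
     */
    SecurityContext loadContext(HttpRequestResponseHolder requestResponseHolder);

    /**
     * Saves the security context after request processing.
     *
     * @param context the security context to store
     * @param request the current request
     * @param response the current response
     */
    void saveContext(SecurityContext context, HttpServletRequest request, HttpServletResponse response);

    /**
     * Checks whether a context exists for the request.
     *
     * @param request the current request
     * @return {@code true} if a stored context is found for the request
     */
    boolean containsContext(HttpServletRequest request);
}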
```
### HTTP Session Repository
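Stores security contexts in the HTTP session, so an authenticated request is recognised through its session identifier. Turn on `setDisableUrlRewriting` to keep that identifier out of URLs.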
```java { .api }
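// SecurityContextRepository that keeps the security context in an HTTP session attribute.
public class HttpSessionSecurityContextRepository implements SecurityContextRepository {
    // Configuration methods

    // Whether a session may be created to hold the context. When false and the
    // request has no session, the context is not stored and will not be found
    // on the next request.
    public void setAllowSessionCreation(boolean allowSessionCreation);

    // When true, the session ID is not encoded into URLs (";jsessionid=..."),
    // where it would leak through logs, browser history and Referer headers.
    public void setDisableUrlRewriting(boolean disableUrlRewriting);

    // Name of the session attribute under which the context is stored.
    public void setSpringSecurityContextKey(String springSecurityContextKey);

    // Resolver used to recognise anonymous authentication, which is not
    // persisted to the session.
    public void setTrustResolver(AuthenticationTrustResolver trustResolver);

    // SecurityContextRepository implementation
    public SecurityContext loadContext(HttpRequestResponseHolder requestResponseHolder);
    public void saveContext(SecurityContext context, HttpServletRequest request, HttpServletResponse response);
    public boolean containsContext(HttpServletRequest request);
}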
```
### Request Attribute Repository
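Stores security contexts in request attributes for stateless scenarios. The context lives only as long as the current request (including its forward and error dispatches); nothing is carried over to the next request, so each request has to be authenticated on its own.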
```java { .api }
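// SecurityContextRepository that keeps the security context in a request attribute.
// Nothing survives the request, so no session or cookie is involved.
public final class RequestAttributeSecurityContextRepository implements SecurityContextRepository {
    // Constructor
    public RequestAttributeSecurityContextRepository();

    // SecurityContextRepository implementation
    public SecurityContext loadContext(HttpRequestResponseHolder requestResponseHolder);
    public void saveContext(SecurityContext context, HttpServletRequest request, HttpServletResponse response);
    public boolean containsContext(HttpServletRequest request);
}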
```
## Security Context Filters
### Security Context Holder Filter
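The modern filter for managing the security context lifecycle. It loads the context from the repository for each request and clears it when the request completes. It does not save the context, so code that authenticates a user must call `saveContext` on the repository explicitly.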
```java { .api }
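// Filter that makes the repository's security context available for the
// duration of a request. It does not write the context back to the repository.
public class SecurityContextHolderFilter extends GenericFilterBean {
    // Constructor: the repository the context is loaded from
    public SecurityContextHolderFilter(SecurityContextRepository securityContextRepository);

    // Configuration: strategy used to hold the context while the request runs
    public void setSecurityContextHolderStrategy(SecurityContextHolderStrategy securityContextHolderStrategy);

    // Filter implementation: sets the context before the chain runs and clears
    // it afterwards, so it cannot leak to another request on a reused thread.
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException;
}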
```
### Usage Examples
```java
81
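// Session-based security context: the authenticated context is kept in the
// HTTP session and found again on later requests through the session ID.
HttpSessionSecurityContextRepository sessionRepository = new HttpSessionSecurityContextRepository();
sessionRepository.setAllowSessionCreation(true);
// Keep the session ID out of URLs (no ";jsessionid=..."), where it would end
// up in logs, browser history and Referer headers.
sessionRepository.setDisableUrlRewriting(true);

// The filter loads and clears the context but does not save it; code that
// authenticates a user must call sessionRepository.saveContext(...) itself.
SecurityContextHolderFilter filter = new SecurityContextHolderFilter(sessionRepository);

// Stateless security context (for APIs): the context is held only for the
// current request, so every request must be authenticated on its own.
RequestAttributeSecurityContextRepository statelessRepository =
        new RequestAttributeSecurityContextRepository();
SecurityContextHolderFilter statelessFilter = new SecurityContextHolderFilter(statelessRepository);

// Delegating repository (tries multiple strategies).
// saveContext() writes to every delegate, so with an
// HttpSessionSecurityContextRepository in the list the authentication is still
// stored in the HTTP session; leave it out where requests must stay stateless.
List<SecurityContextRepository> repositories = Arrays.asList(
        new RequestAttributeSecurityContextRepository(),
        new HttpSessionSecurityContextRepository()
);
DelegatingSecurityContextRepository delegating = new DelegatingSecurityContextRepository(repositories);
SecurityContextHolderFilter delegatingFilter = new SecurityContextHolderFilter(delegating);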
```
## Additional Repository Implementations
### Delegating Repository
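Tries multiple repositories in order when loading a context. Saving writes the context to every delegate, so the combined repository persists wherever any one of its delegates does.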
```java { .api }
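// SecurityContextRepository that combines several delegate repositories.
public final class DelegatingSecurityContextRepository implements SecurityContextRepository {
    // Constructors: delegates are consulted in the order given
    public DelegatingSecurityContextRepository(SecurityContextRepository... delegates);
    public DelegatingSecurityContextRepository(List<SecurityContextRepository> delegates);

    // SecurityContextRepository implementation

    // Tries the delegates in order.
    public SecurityContext loadContext(HttpRequestResponseHolder requestResponseHolder);

    // Saves to every delegate, not only the first; a session-backed delegate
    // therefore still stores the authentication in the HTTP session.
    public void saveContext(SecurityContext context, HttpServletRequest request, HttpServletResponse response);

    // True if any delegate holds a context for the request.
    public boolean containsContext(HttpServletRequest request);
}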
```
### Null Repository
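No-operation repository for stateless applications. Nothing is stored between requests, so every request must carry its own credentials and be authenticated again.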
```java { .api }
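// SecurityContextRepository that never stores anything.
public final class NullSecurityContextRepository implements SecurityContextRepository {
    // SecurityContextRepository implementation

    // Always yields an empty context.
    public SecurityContext loadContext(HttpRequestResponseHolder requestResponseHolder);

    // Does nothing; the context is discarded when the request ends.
    public void saveContext(SecurityContext context, HttpServletRequest request, HttpServletResponse response);

    // Always false, since no context is ever stored.
    public boolean containsContext(HttpServletRequest request);
}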
```