
# Security Context Management


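Spring Security Web's security context management provides thread-safe storage, persistence, and lifecycle management of security contexts across HTTP requests. It handles the loading, saving, and clearing of authentication information throughout request processing. Clearing matters as much as loading: by default the context is bound to the thread handling the request, and servlet containers reuse threads, so a context left in place at the end of one request would be visible to the next request served by that thread.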


## Core Security Context Components


### Security Context Repository


The central interface for persisting security contexts.


```java { .api }

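/**
 * Strategy for persisting a {@code SecurityContext} between requests.
 *
 * <p>Whatever an implementation hands back from {@code loadContext} is what the rest of
 * the filter chain authorizes against, so the backing store has to be one the client
 * cannot write to directly.
 */
public interface SecurityContextRepository {
    // Load security context for the request.
    // Implementations are expected to return an empty context, not null, when nothing is stored.
    // NOTE(review): recent Spring Security releases deprecate this overload in favour of
    // loadDeferredContext(HttpServletRequest) - confirm against the version in use.
    SecurityContext loadContext(HttpRequestResponseHolder requestResponseHolder);

    // Save security context after request processing
    void saveContext(SecurityContext context, HttpServletRequest request, HttpServletResponse response);

    // Check if a context exists for the request
    boolean containsContext(HttpServletRequest request);
}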

```


### HTTP Session Repository


Stores security contexts in the HTTP session.


```java { .api }

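/**
 * {@code SecurityContextRepository} that keeps the context as an attribute of the HTTP session.
 *
 * <p>The session identifier therefore acts as the bearer credential for the stored
 * authentication. This class only reads and writes the session attribute; rotating the
 * session identifier at login (session-fixation protection) is configured separately,
 * through session management.
 */
public class HttpSessionSecurityContextRepository implements SecurityContextRepository {
    // Configuration methods

    // Whether this repository may create a session in order to store a context.
    // Set to false when sessions must only ever be created elsewhere.
    public void setAllowSessionCreation(boolean allowSessionCreation);

    // When true, session identifiers are not appended to URLs. An identifier carried in a URL
    // ends up in access logs, browser history and Referer headers, so true is the safer setting.
    // NOTE(review): off by default when the repository is constructed directly - confirm for your version.
    public void setDisableUrlRewriting(boolean disableUrlRewriting);

    // Name of the session attribute the context is stored under.
    public void setSpringSecurityContextKey(String springSecurityContextKey);

    // Resolver used to recognise anonymous authentication, which is not worth persisting.
    public void setTrustResolver(AuthenticationTrustResolver trustResolver);

    // SecurityContextRepository implementation
    public SecurityContext loadContext(HttpRequestResponseHolder requestResponseHolder);
    public void saveContext(SecurityContext context, HttpServletRequest request, HttpServletResponse response);
    public boolean containsContext(HttpServletRequest request);
}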

```


### Request Attribute Repository


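Stores security contexts in request attributes for stateless scenarios. Nothing is kept once the request completes, so every request must carry its own credentials and be authenticated again.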


```java { .api }

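/**
 * {@code SecurityContextRepository} that keeps the context as an attribute of the current request.
 *
 * <p>The stored context has the lifetime of the request object: it is not written to a
 * session or a cookie, so a later request starts unauthenticated unless it presents
 * credentials again.
 */
public final class RequestAttributeSecurityContextRepository implements SecurityContextRepository {
    // Constructor
    public RequestAttributeSecurityContextRepository();

    // SecurityContextRepository implementation
    public SecurityContext loadContext(HttpRequestResponseHolder requestResponseHolder);
    public void saveContext(SecurityContext context, HttpServletRequest request, HttpServletResponse response);
    public boolean containsContext(HttpServletRequest request);
}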

```


## Security Context Filters


### Security Context Holder Filter


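The modern filter for managing security context lifecycle. It loads the context from the configured repository for the duration of the request and clears it afterwards; it does not save the context, so code that authenticates a user must call `saveContext` on the repository itself for the login to persist.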


```java { .api }

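/**
 * Filter that makes the context from a {@code SecurityContextRepository} available for the
 * duration of a request and clears it when the request finishes.
 *
 * <p>The filter reads from the repository but never writes to it. An authentication
 * mechanism that establishes a new context is responsible for calling
 * {@code SecurityContextRepository.saveContext(...)}; otherwise the authentication is
 * lost at the end of the request.
 */
public class SecurityContextHolderFilter extends GenericFilterBean {
    // Constructor: the repository the context is loaded from on each request
    public SecurityContextHolderFilter(SecurityContextRepository securityContextRepository);

    // Configuration: the holder strategy the loaded context is placed in and cleared from
    public void setSecurityContextHolderStrategy(SecurityContextHolderStrategy securityContextHolderStrategy);

    // Filter implementation
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException;
}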

```


### Usage Examples


```java

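// Session-based security context
HttpSessionSecurityContextRepository sessionRepository = new HttpSessionSecurityContextRepository();
// Let the repository create a session when there is a context to store.
sessionRepository.setAllowSessionCreation(true);
// Keep the session identifier out of URLs, where it would leak through logs,
// browser history and Referer headers.
sessionRepository.setDisableUrlRewriting(true);

// The filter only loads and clears the context. Whatever authenticates the user must call
// sessionRepository.saveContext(...) for the login to survive the request.
SecurityContextHolderFilter filter = new SecurityContextHolderFilter(sessionRepository);

// Stateless security context (for APIs)
// Nothing is stored between requests: each request has to present credentials again.
RequestAttributeSecurityContextRepository statelessRepository =
        new RequestAttributeSecurityContextRepository();
SecurityContextHolderFilter statelessFilter = new SecurityContextHolderFilter(statelessRepository);

// Delegating repository (tries multiple strategies)
// A save is passed to every delegate, so listing HttpSessionSecurityContextRepository here
// means an authenticated request can create a session. Leave it out of a deployment that
// is meant to stay stateless.
List<SecurityContextRepository> repositories = Arrays.asList(
        new RequestAttributeSecurityContextRepository(),
        new HttpSessionSecurityContextRepository()
);
DelegatingSecurityContextRepository delegating = new DelegatingSecurityContextRepository(repositories);
SecurityContextHolderFilter delegatingFilter = new SecurityContextHolderFilter(delegating);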

```


## Additional Repository Implementations


### Delegating Repository


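Tries multiple repositories in order when loading a context. Saving is different: `saveContext` is passed to every delegate, so the combined repository persists whatever its most persistent delegate persists.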


```java { .api }

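/**
 * {@code SecurityContextRepository} that combines several delegate repositories.
 *
 * <p>Delegate order matters when loading: delegates are consulted in the order given.
 * Saving goes to every delegate, so the combination is only as stateless as its most
 * persistent member.
 */
public final class DelegatingSecurityContextRepository implements SecurityContextRepository {
    // Constructor: delegates are consulted in the order supplied
    public DelegatingSecurityContextRepository(SecurityContextRepository... delegates);
    public DelegatingSecurityContextRepository(List<SecurityContextRepository> delegates);

    // SecurityContextRepository implementation
    public SecurityContext loadContext(HttpRequestResponseHolder requestResponseHolder);
    public void saveContext(SecurityContext context, HttpServletRequest request, HttpServletResponse response);
    public boolean containsContext(HttpServletRequest request);
}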

```


### Null Repository


No-operation repository for stateless applications.


```java { .api }

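/**
 * {@code SecurityContextRepository} that stores nothing.
 *
 * <p>Loading yields an empty context, saving is a no-op, and no request is ever reported
 * as having a stored context. With this repository an authentication is never remembered,
 * so every request must be authenticated from the credentials it carries.
 */
public final class NullSecurityContextRepository implements SecurityContextRepository {
    // SecurityContextRepository implementation
    public SecurityContext loadContext(HttpRequestResponseHolder requestResponseHolder);
    public void saveContext(SecurityContext context, HttpServletRequest request, HttpServletResponse response);
    public boolean containsContext(HttpServletRequest request);
}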

```