tessl/maven-org-springframework-security--spring-security-web

The Spring Security Web module provides comprehensive web security features for Spring-based applications, including servlet-based authentication, authorization, CSRF protection, session management, and the security filter chain implementation.

Security Context Management

Spring Security Web's security context management provides thread-safe storage, persistence, and lifecycle management of security contexts across HTTP requests. It handles the loading, saving, and clearing of authentication information throughout request processing.

Core Security Context Components

Security Context Repository

The central interface for persisting security contexts.

public interface SecurityContextRepository {
    // Load security context for the request
    SecurityContext loadContext(HttpRequestResponseHolder requestResponseHolder);
    
    // Save security context after request processing
    void saveContext(SecurityContext context, HttpServletRequest request, HttpServletResponse response);
    
    // Check if a context exists for the request
    boolean containsContext(HttpServletRequest request);
}

HTTP Session Repository

Stores security contexts in the HTTP session.

public class HttpSessionSecurityContextRepository implements SecurityContextRepository {
    // Configuration methods
    public void setAllowSessionCreation(boolean allowSessionCreation);
    public void setDisableUrlRewriting(boolean disableUrlRewriting);
    public void setSpringSecurityContextKey(String springSecurityContextKey);
    public void setTrustResolver(AuthenticationTrustResolver trustResolver);
    
    // SecurityContextRepository implementation
    public SecurityContext loadContext(HttpRequestResponseHolder requestResponseHolder);
    public void saveContext(SecurityContext context, HttpServletRequest request, HttpServletResponse response);
    public boolean containsContext(HttpServletRequest request);
}

Request Attribute Repository

Stores security contexts in request attributes for stateless scenarios.

public final class RequestAttributeSecurityContextRepository implements SecurityContextRepository {
    // Constructor
    public RequestAttributeSecurityContextRepository();
    
    // SecurityContextRepository implementation
    public SecurityContext loadContext(HttpRequestResponseHolder requestResponseHolder);
    public void saveContext(SecurityContext context, HttpServletRequest request, HttpServletResponse response);
    public boolean containsContext(HttpServletRequest request);
}

Security Context Filters

Security Context Holder Filter

The modern filter for managing security context lifecycle.

public class SecurityContextHolderFilter extends GenericFilterBean {
    // Constructor
    public SecurityContextHolderFilter(SecurityContextRepository securityContextRepository);
    
    // Configuration
    public void setSecurityContextHolderStrategy(SecurityContextHolderStrategy securityContextHolderStrategy);
    
    // Filter implementation
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
        throws IOException, ServletException;
}

Usage Examples

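import java.util.Arrays;
import java.util.List;
import org.springframework.security.web.context.DelegatingSecurityContextRepository;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.context.RequestAttributeSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextHolderFilter;
import org.springframework.security.web.context.SecurityContextRepository;

// Session-based security context
HttpSessionSecurityContextRepository sessionRepository = new HttpSessionSecurityContextRepository();
sessionRepository.setAllowSessionCreation(true);
// Keep the session ID out of URLs (no ;jsessionid=... rewriting)
sessionRepository.setDisableUrlRewriting(true);

SecurityContextHolderFilter filter = new SecurityContextHolderFilter(sessionRepository);

// Stateless security context (for APIs)
RequestAttributeSecurityContextRepository statelessRepository = 
    new RequestAttributeSecurityContextRepository();
SecurityContextHolderFilter statelessFilter = new SecurityContextHolderFilter(statelessRepository);

// Delegating repository (tries multiple strategies)
List<SecurityContextRepository> repositories = Arrays.asList(
    new RequestAttributeSecurityContextRepository(),
    new HttpSessionSecurityContextRepository()
);
DelegatingSecurityContextRepository delegating = new DelegatingSecurityContextRepository(repositories);
SecurityContextHolderFilter delegatingFilter = new SecurityContextHolderFilter(delegating);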
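
SecurityContextHolderFilter only loads the context from the repository; unlike the older SecurityContextPersistenceFilter, it never calls saveContext for you, so code that changes the authentication must save it explicitly. The following added example (not code from the original page or from the Spring Security project) shows that explicit save after a programmatic login and the matching clear on logout; the class and method names are hypothetical, and the jakarta.servlet imports assume Spring Security 6.

```java
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.context.SecurityContextHolderStrategy;
import org.springframework.security.web.context.DelegatingSecurityContextRepository;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.context.RequestAttributeSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextRepository;

// Hypothetical helper class; the name and method names are illustrative only.
public class ProgrammaticLogin {

    private final SecurityContextHolderStrategy strategy =
            SecurityContextHolder.getContextHolderStrategy();

    // Same delegate order as the usage example above.
    private final SecurityContextRepository repository =
            new DelegatingSecurityContextRepository(
                    new RequestAttributeSecurityContextRepository(),
                    new HttpSessionSecurityContextRepository());

    // Call with an Authentication that an AuthenticationManager has already verified.
    public void establish(Authentication authenticated,
                          HttpServletRequest request, HttpServletResponse response) {
        // Start from a fresh context instead of mutating the current one,
        // which another thread serving the same session may be reading.
        SecurityContext context = strategy.createEmptyContext();
        context.setAuthentication(authenticated);
        strategy.setContext(context);
        // Without this call the login is visible only for the current request.
        repository.saveContext(context, request, response);
    }

    // Logout counterpart: clear the thread-bound context and overwrite the stored one.
    public void clear(HttpServletRequest request, HttpServletResponse response) {
        strategy.clearContext();
        repository.saveContext(strategy.createEmptyContext(), request, response);
    }
}
```

Use the same repository instance (or an identically configured one) here and in the SecurityContextHolderFilter; otherwise the filter will not find the context that was saved.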

Additional Repository Implementations

Delegating Repository

Tries multiple repositories in order.

public final class DelegatingSecurityContextRepository implements SecurityContextRepository {
    // Constructor
    public DelegatingSecurityContextRepository(SecurityContextRepository... delegates);
    public DelegatingSecurityContextRepository(List<SecurityContextRepository> delegates);
    
    // SecurityContextRepository implementation
    public SecurityContext loadContext(HttpRequestResponseHolder requestResponseHolder);
    public void saveContext(SecurityContext context, HttpServletRequest request, HttpServletResponse response);
    public boolean containsContext(HttpServletRequest request);
}

Null Repository

No-operation repository for stateless applications.

public final class NullSecurityContextRepository implements SecurityContextRepository {
    // SecurityContextRepository implementation
    public SecurityContext loadContext(HttpRequestResponseHolder requestResponseHolder);
    public void saveContext(SecurityContext context, HttpServletRequest request, HttpServletResponse response);
    public boolean containsContext(HttpServletRequest request);
}

Install with Tessl CLI

npx tessl i tessl/maven-org-springframework-security--spring-security-web
