Default to SecurityContextHolderFilter instead of SecurityContextPersistenceFilter #11110

Closed
rwinch opened this issue Apr 15, 2022 · 2 comments
rwinch commented Apr 15, 2022

Default to using SecurityContextHolderFilter instead of SecurityContextPersistenceFilter. This means that explicit saving of the SecurityContext is necessary rather than automatic saving of the SecurityContextHolder to the SecurityContextRepository.

@rwinch rwinch added in: web An issue in web modules (web, webmvc) type: enhancement A general enhancement type: breaks-passivity A change that breaks passivity with the previous release labels Apr 15, 2022
@rwinch rwinch added this to the 6.0.0-M4 milestone Apr 15, 2022
@rwinch rwinch self-assigned this Apr 15, 2022
@rwinch rwinch closed this as completed in e79b6b3 Apr 15, 2022
@craigmit

I was upgrading from Spring Security 5 to 6 with a custom UsernamePasswordAuthenticationFilter, and the authentication was happening, but nothing was being allowed through. I think it was due to this change, as when I added:

http.securityContext((securityContext) -> securityContext.requireExplicitSave(false))

to my filter chain, everything started working again.

@skylarsutton

> I was upgrading from Spring Security 5 to 6 with a custom UsernamePasswordAuthenticationFilter, and the authentication was happening, but nothing was being allowed through. I think it was due to this change, as when I added:
>
> http.securityContext((securityContext) -> securityContext.requireExplicitSave(false))
>
> to my filter chain, everything started working again.

The migration documentation is not clear on this, but if your CustomAuthenticationFilter extends Spring's AbstractPreAuthenticatedProcessingFilter, you will want to inject the SecurityContextRepository.

e.g.

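import jakarta.servlet.http.HttpServletRequest;
import org.springframework.security.authentication.AuthenticationDetailsSource;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
import org.springframework.security.web.context.SecurityContextRepository;

public class FooAuthenticationFilter extends AbstractPreAuthenticatedProcessingFilter {

    public FooAuthenticationFilter(AuthenticationManager authenticationManager,
            AuthenticationDetailsSource<HttpServletRequest, ?> authenticationDetailsSource,
            SecurityContextRepository securityContextRepository) {
        super();
        super.setAuthenticationManager(authenticationManager);
        super.setAuthenticationDetailsSource(authenticationDetailsSource);
        // Repository the filter uses to save the SecurityContext after authentication.
        super.setSecurityContextRepository(securityContextRepository);
    }

    ...

}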
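For code that authenticates outside Spring Security's own filters, the explicit save this issue makes necessary looks like the following. This is an added example, not part of the thread or the project's code; the class name `ExplicitContextSaver` and its `login` method are hypothetical, and it assumes Spring Security 6 with a repository pairing that covers both the current request and the HTTP session.

```java
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.context.DelegatingSecurityContextRepository;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.context.RequestAttributeSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextRepository;

// Hypothetical helper (not from the issue) for a hand-written login endpoint or filter.
public class ExplicitContextSaver {

    private final AuthenticationManager authenticationManager;

    // Assumption: request attribute serves the current request,
    // HTTP session serves the requests that follow.
    private final SecurityContextRepository repository = new DelegatingSecurityContextRepository(
            new RequestAttributeSecurityContextRepository(),
            new HttpSessionSecurityContextRepository());

    public ExplicitContextSaver(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }

    public Authentication login(String username, String password,
                                HttpServletRequest request, HttpServletResponse response) {
        // Throws AuthenticationException on bad credentials; nothing is saved in that case.
        Authentication result = authenticationManager.authenticate(
                UsernamePasswordAuthenticationToken.unauthenticated(username, password));

        // Build a fresh context rather than mutating whatever is currently in the holder.
        SecurityContext context = SecurityContextHolder.createEmptyContext();
        context.setAuthentication(result);
        SecurityContextHolder.setContext(context);

        // SecurityContextHolderFilter does not persist the holder when the request ends,
        // so without this call the next request arrives unauthenticated.
        repository.saveContext(context, request, response);
        return result;
    }
}
```

If the filter chain is configured with a different SecurityContextRepository, pass that same instance in here so the filter that loads the context reads what this code saved.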
