HttpSessionSecurityContextRepository used for AbstractPreAuthenticatedProcessingFilter #15041

Closed
cristibozga opened this issue May 10, 2024 · 1 comment
Assignees
Labels
status: invalid An issue that we don't feel is valid

Comments

@cristibozga

I think we should not use HttpSessionSecurityContextRepository as default repository mainly if the security filter chain can be explicitly configured as stateless

In version 5.7, inside AbstractPreAuthenticatedProcessingFilter we had a NullSecurityContextRepository, and the comment for the setter of the repository is: 'The default action is not to save the SecurityContext'.
In version 6.0 the repository is a HttpSessionSecurityContextRepository by default, but the comment of the setter of the repository still says 'The default action is not to save the SecurityContext.'
Our configuration for the security chain contains
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
but I see that a SessionFaçade is created to store the security context.

Of course, we can explicitly set the repository, but I wonder if the behavior in the 6.0 version is the desired one and what the arguments are for using the HttpSessionSecurityContextRepository.

Thanks in advance

@cristibozga cristibozga added status: waiting-for-triage An issue we've not yet triaged type: enhancement A general enhancement labels May 10, 2024
@marcusdacoregio marcusdacoregio self-assigned this May 23, 2024
@marcusdacoregio marcusdacoregio added status: invalid An issue that we don't feel is valid and removed status: waiting-for-triage An issue we've not yet triaged type: enhancement A general enhancement labels May 23, 2024
@marcusdacoregio
Contributor

Hi, @cristibozga. That was a result of #11763.

More concretely, the fact that it used to use NullSecurityContextRepository was misleading because previously the SecurityContext would get saved using HttpSessionSecurityContextRepository automatically with the SecurityContextPersistenceFilter.
When gh-11786 was resolved, it meant that any authentication needed to be persisted in the Authentication Filter. This means that to preserve the previous behavior, we needed to update AbstractPreAuthenticatedProcessingFilter to use HttpSessionSecurityContextRepository.
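The workaround the reporter mentions, explicitly setting the repository, shown as an added Spring Security 6 configuration example (not code from this issue or from the Spring Security project): a stateless chain whose pre-authenticated filter is given a NullSecurityContextRepository so that no HttpSession is created to hold the SecurityContext. The header name and the user lookup are assumptions made for the example.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider;
import org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter;
import org.springframework.security.web.context.NullSecurityContextRepository;

@Configuration
public class StatelessPreAuthConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        PreAuthenticatedAuthenticationProvider provider = new PreAuthenticatedAuthenticationProvider();
        // Hypothetical user lookup: a real deployment resolves the pre-authenticated
        // principal against its own user store and assigns real authorities.
        provider.setPreAuthenticatedUserDetailsService(token ->
                User.withUsername(token.getName()).password("").roles("USER").build());

        // RequestHeaderAuthenticationFilter is a concrete AbstractPreAuthenticatedProcessingFilter.
        RequestHeaderAuthenticationFilter preAuth = new RequestHeaderAuthenticationFilter();
        preAuth.setPrincipalRequestHeader("X-Remote-User"); // header name is an assumption
        preAuth.setAuthenticationManager(new ProviderManager(provider));
        // In 6.0 the filter defaults to HttpSessionSecurityContextRepository. For a stateless
        // chain, override it so the filter never saves the SecurityContext into a session.
        preAuth.setSecurityContextRepository(new NullSecurityContextRepository());

        http
            // STATELESS alone only stops the framework creating sessions on its own behalf;
            // the filter's own repository must also be replaced, as done above.
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            // Keep the chain-wide repository consistent with the filter's choice.
            .securityContext(sc -> sc.securityContextRepository(new NullSecurityContextRepository()))
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .addFilter(preAuth);
        return http.build();
    }
}
```

With both repositories set to NullSecurityContextRepository, each request is re-authenticated from the header and no session-backed SecurityContext survives between requests.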
