I think we should not use HttpSessionSecurityContextRepository as the default repository, mainly if the security filter chain can be explicitly configured as stateless.
In version 5.7, inside AbstractPreAuthenticatedProcessingFilter we had a NullSecurityContextRepository, and the comment for the setter of the repository is: 'The default action is not to save the SecurityContext'.
In version 6.0 the repository is a HttpSessionSecurityContextRepository by default, but the comment of the setter of the repository still says 'The default action is not to save the SecurityContext.'
Our configuration for the security chain contains
`.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)`
but I see that a SessionFaçade is created to store the security context.
Of course, we can explicitly set the repository, but I wonder if the behavior in the 6.0 version is the desired one and what the arguments are for using the HttpSessionSecurityContextRepository.
Thanks in advance
More concretely, the fact that it used to use NullSecurityContextRepository was misleading, because previously the SecurityContext would get saved using HttpSessionSecurityContextRepository automatically by the SecurityContextPersistenceFilter.
When gh-11786 was resolved, it meant that any authentication needed to be persisted in the Authentication Filter. This means that to preserve the previous behavior, we needed to update AbstractPreAuthenticatedProcessingFilter to use HttpSessionSecurityContextRepository.
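As an added example (not code from this issue or from the Spring Security project), the following Spring Security 6 configuration does what the reporter describes as the workaround: it keeps the chain STATELESS and sets the pre-authenticated filter's repository to NullSecurityContextRepository explicitly, so that an authenticated request does not cause an HTTP session to be created just to store the SecurityContext. The header name `X-Remote-User`, the `UserDetailsService` bean and the class name are assumptions for the example.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider;
import org.springframework.security.web.authentication.preauth.RequestHeaderAuthenticationFilter;
import org.springframework.security.web.context.NullSecurityContextRepository;

// Example configuration (assumed class name) for a stateless, header-based
// pre-authentication chain in Spring Security 6.
@Configuration
public class StatelessPreAuthConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http, UserDetailsService userDetailsService) throws Exception {
        // Resolve the pre-authenticated principal (the header value) to a UserDetails.
        // The UserDetailsService bean is assumed to exist elsewhere in the application.
        PreAuthenticatedAuthenticationProvider provider = new PreAuthenticatedAuthenticationProvider();
        provider.setPreAuthenticatedUserDetailsService(new UserDetailsByNameServiceWrapper<>(userDetailsService));
        AuthenticationManager authenticationManager = new ProviderManager(provider);

        // RequestHeaderAuthenticationFilter extends AbstractPreAuthenticatedProcessingFilter.
        // In 6.0 its repository defaults to HttpSessionSecurityContextRepository, which saves the
        // SecurityContext into an HTTP session even when the chain is declared STATELESS.
        // Setting NullSecurityContextRepository restores the 5.7 "do not save" behaviour.
        RequestHeaderAuthenticationFilter preAuthFilter = new RequestHeaderAuthenticationFilter();
        preAuthFilter.setPrincipalRequestHeader("X-Remote-User"); // assumed header name
        preAuthFilter.setAuthenticationManager(authenticationManager);
        preAuthFilter.setSecurityContextRepository(new NullSecurityContextRepository());

        http
            // STATELESS only controls session creation by Spring Security's own session
            // management; it does not change the filter's repository, hence the explicit setter above.
            .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(authorize -> authorize.anyRequest().authenticated())
            .addFilter(preAuthFilter);

        return http.build();
    }
}
```

With this in place, each request is re-authenticated from the header and nothing is written to a session; a quick check is to send an authenticated request and confirm that no `Set-Cookie: JSESSIONID` header is returned, which is what a stateless chain should look like.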