Paul Pavlidis (Migrated from SEC-1313) said:
As far as I can tell you cannot set this using namespace config, in order to do so you must use the 'old' explicit bean configuration.
As an aside, I'm not sure we're using this appropriately; we're having an issue related to http://forum.springsource.org/showthread.php?t=47213, where nulling of the Authentication during anonymous HttpRequest cycle yields a race condition in a thread that needs the Authentication. Using removeAfterRequest fixes this but not sure if that's optimal.
(The suggestion there to use cloneFromHttpSession is out-of-date as HttpSessionContextIntegrationFilter is deprecated.)
Luke Taylor said:
The "removeAfterRequest" property should probably itself be removed. It's original purpose was to prevent the HttpSessionContextIntegrationFilter from storing the context with an anonymous token in it. This doesn't necessarily work in practice, since the context may be saved during a redirect or a sendError (see SEC-776). Additional checks were added (now in HttpSessionSecurityContextRepository) which prevent an anonymous token from being saved, so the original problem that this property was introduced to solve no longer exists.
It's certainly not something that should be added to the namespace, which is not intended to expose such low-level implementation details. I'd suggest that we just remove it altogether. As explained above, it no longer does what it was intended to and having an extra parameter which affects the context contents is just adding more complication. If we remove it then that should solve your problem.
Superseded by SEC-1316.