Add Support for Explicitly Saving SecurityContext #10949

Closed
3 tasks done
rwinch opened this issue Mar 9, 2022 · 0 comments
Labels
in: web An issue in web modules (web, webmvc) type: enhancement A general enhancement
rwinch commented Mar 9, 2022

We should remove SecurityContextPersistenceFilter in favor of explicit saves to the SecurityContextRepository. This will provide lots of benefits:

  • There will be no confusion when the SecurityContext should be saved.
    • Currently, the code must diff the SecurityContext before and after to determine if it needs to be saved.
      • This requires loading the SecurityContext up front to see what the current value is which means force reads of the HttpSession
      • This requires complicated diff logic
    • Currently we must do our best to determine when a response is committed and then determine if the SecurityContext should be saved or not before the user gets the response back so that if another request is made the SecurityContext is present if it should be and so that the session cookie can be written to the response (if necessary)
  • Different types of authentication can save (or not save) the SecurityContext differently. If there are multiple types of authentication in a single application, it is often desirable to only persist the SecurityContext when specific types of authentication occur. For example, if form login and HTTP Basic are both enabled, it may be desirable to only persist form login and require basic authentication on every request.
  • This would align with how WebFlux works

Related issues:

@rwinch rwinch added status: waiting-for-triage An issue we've not yet triaged type: enhancement A general enhancement labels Mar 9, 2022
@rwinch rwinch added this to the 5.7.0-M3 milestone Mar 9, 2022
@rwinch rwinch added in: web An issue in web modules (web, webmvc) and removed status: waiting-for-triage An issue we've not yet triaged labels Mar 9, 2022
@rwinch rwinch self-assigned this Mar 9, 2022
@rwinch rwinch closed this as completed in 28c7a4b Mar 9, 2022
@rwinch rwinch reopened this Mar 9, 2022
@marcusdacoregio marcusdacoregio modified the milestones: 5.7.0-M3, 5.7.0-RC1 Mar 21, 2022
@rwinch rwinch closed this as completed Apr 18, 2022
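
The distinction drawn in the issue (persist a form login, re-authenticate HTTP Basic on every request) looks like this when the save is an explicit call. This is an added example, not code from the issue or from Spring Security itself; the class `ExplicitSaveExample` and its method names are hypothetical, and it assumes the `javax.servlet` API and that a surrounding filter clears the `SecurityContextHolder` at the end of the request.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextRepository;

// Hypothetical helper: each authentication path decides for itself whether to persist.
public class ExplicitSaveExample {

    private final AuthenticationManager authenticationManager;
    private final SecurityContextRepository repository = new HttpSessionSecurityContextRepository();

    public ExplicitSaveExample(AuthenticationManager authenticationManager) {
        this.authenticationManager = authenticationManager;
    }

    // Form-login style: authenticate once, then save so later requests in the session are authenticated.
    public Authentication formLogin(String username, String password,
            HttpServletRequest request, HttpServletResponse response) {
        SecurityContext context = authenticate(username, password);
        // Rotate any pre-login session id before binding an identity to it (session fixation).
        if (request.getSession(false) != null) {
            request.changeSessionId();
        }
        // The single explicit save: no before/after diff and no guessing when the response commits.
        this.repository.saveContext(context, request, response);
        return context.getAuthentication();
    }

    // HTTP Basic style: valid for this request only; the HttpSession is never read or written.
    public Authentication basicAuth(String username, String password) {
        return authenticate(username, password).getAuthentication();
    }

    private SecurityContext authenticate(String username, String password) {
        Authentication result = this.authenticationManager.authenticate(
                new UsernamePasswordAuthenticationToken(username, password));
        SecurityContext context = SecurityContextHolder.createEmptyContext();
        context.setAuthentication(result);
        // Request-scoped only; assumes a surrounding filter clears the holder afterwards.
        SecurityContextHolder.setContext(context);
        return context;
    }
}
```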