Possible misconfiguration of SecurityContextRepository

Open mbhave opened this issue 3 years ago • 1 comments

The default SecurityContextRepository for stateless applications is now RequestAttributeSecurityContextRepository. However, SecurityContextConfigurer sets the SecurityContextRepository to HttpSessionSecurityContextRepository if it isn't already set as a shared object. This results in the context being saved by the RequestAttributeSecurityContextRepository but loaded from HttpSessionSecurityContextRepository for an error dispatch.

Oct 14 '22 00:10 mbhave

Changes related to this issue included in 5.8.0-RC1:

Add DeferredSecurityContext interface
Add loadDeferredContext(request) in SecurityContextRepository
Deprecate loadContext(request) in SecurityContextRepository
Add DelegatingSecurityContextRepository

Related gh-11026

Oct 15 '22 18:10 sjohnr