|
|
@@ -114,6 +114,72 @@ public SecurityFilterChain filterChain(HttpSecurity http) {
|
|
|
----
|
|
|
====
|
|
|
|
|
|
+[[delegatingsecuritycontextrepository]]
|
|
|
+=== DelegatingSecurityContextRepository
|
|
|
+
|
|
|
+The {security-api-url}org/springframework/security/web/context/DelegatingSecurityContextRepository.html[`DelegatingSecurityContextRepository`] saves the `SecurityContext` to multiple `SecurityContextRepository` delegates and allows retrieval from any of the delegates in a specified order.
|
|
|
+
|
|
|
+The most useful arrangement for this is configured with the following example, which allows the use of both xref:requestattributesecuritycontextrepository[`RequestAttributeSecurityContextRepository`] and xref:httpsecuritycontextrepository[`HttpSessionSecurityContextRepository`] simultaneously.
|
|
|
+
|
|
|
+.Configure DelegatingSecurityContextRepository
|
|
|
+====
|
|
|
+.Java
|
|
|
+[source,java,role="primary"]
|
|
|
+----
|
|
|
+@Bean
|
|
|
+public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
|
|
|
+ http
|
|
|
+ // ...
|
|
|
+ .securityContext((securityContext) -> securityContext
|
|
|
+ .securityContextRepository(new DelegatingSecurityContextRepository(
|
|
|
+ new RequestAttributeSecurityContextRepository(),
|
|
|
+ new HttpSessionSecurityContextRepository()
|
|
|
+ ))
|
|
|
+ );
|
|
|
+ return http.build();
|
|
|
+}
|
|
|
+----
|
|
|
+
|
|
|
+.Kotlin
|
|
|
+[source,kotlin,role="secondary"]
|
|
|
+----
|
|
|
+@Bean
|
|
|
+fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
|
|
|
+ http {
|
|
|
+ // ...
|
|
|
+ securityContext {
|
|
|
+ securityContextRepository = DelegatingSecurityContextRepository(
|
|
|
+ RequestAttributeSecurityContextRepository(),
|
|
|
+ HttpSessionSecurityContextRepository()
|
|
|
+ )
|
|
|
+ }
|
|
|
+ }
|
|
|
+ return http.build()
|
|
|
+}
|
|
|
+----
|
|
|
+
|
|
|
+.XML
|
|
|
+[source,xml,role="secondary"]
|
|
|
+----
|
|
|
+<http security-context-repository-ref="contextRepository">
|
|
|
+ <!-- ... -->
|
|
|
+</http>
|
|
|
+<bean name="contextRepository"
|
|
|
+ class="org.springframework.security.web.context.DelegatingSecurityContextRepository">
|
|
|
+ <constructor-arg>
|
|
|
+ <bean class="org.springframework.security.web.context.RequestAttributeSecurityContextRepository" />
|
|
|
+ </constructor-arg>
|
|
|
+ <constructor-arg>
|
|
|
+ <bean class="org.springframework.security.web.context.HttpSessionSecurityContextRepository" />
|
|
|
+ </constructor-arg>
|
|
|
+</bean>
|
|
|
+----
|
|
|
+====
|
|
|
+
|
|
|
+[NOTE]
|
|
|
+====
|
|
|
+In Spring Security 6, the example shown above is the default configuration.
|
|
|
+====
|
|
|
|
|
|
[[securitycontextpersistencefilter]]
|
|
|
== SecurityContextPersistenceFilter
|
Steve Riesenberg