|  | @@ -3,49 +3,7 @@
 | 
	
		
			
				|  |  |  
 | 
	
		
			
				|  |  |  Once you have got an application that is xref:servlet/authentication/index.adoc[authenticating requests], it is important to consider how that resulting authentication will be persisted and restored on future requests.
 | 
	
		
			
				|  |  |  
 | 
	
		
			
				|  |  | -This is done automatically by default, so no additional code is necessary, though there are some steps you should consider. The first is setting the `requireExplicitSave` property in `HttpSecurity`.
 | 
	
		
			
				|  |  | -You can do it like so:
 | 
	
		
			
				|  |  | -
 | 
	
		
			
				|  |  | -====
 | 
	
		
			
				|  |  | -.Java
 | 
	
		
			
				|  |  | -[source,java,role="primary"]
 | 
	
		
			
				|  |  | -----
 | 
	
		
			
				|  |  | -@Bean
 | 
	
		
			
				|  |  | -public SecurityFilterChain filterChain(HttpSecurity http) {
 | 
	
		
			
				|  |  | -    http
 | 
	
		
			
				|  |  | -        // ...
 | 
	
		
			
				|  |  | -        .securityContext((context) -> context
 | 
	
		
			
				|  |  | -            .requireExplicitSave(true)
 | 
	
		
			
				|  |  | -        );
 | 
	
		
			
				|  |  | -    return http.build();
 | 
	
		
			
				|  |  | -}
 | 
	
		
			
				|  |  | -----
 | 
	
		
			
				|  |  | -
 | 
	
		
			
				|  |  | -.Kotlin
 | 
	
		
			
				|  |  | -[source,kotlin,role="secondary"]
 | 
	
		
			
				|  |  | -----
 | 
	
		
			
				|  |  | -@Bean
 | 
	
		
			
				|  |  | -open fun filterChain(http: HttpSecurity): SecurityFilterChain {
 | 
	
		
			
				|  |  | -    http {
 | 
	
		
			
				|  |  | -        // ...
 | 
	
		
			
				|  |  | -        securityContext {
 | 
	
		
			
				|  |  | -            requireExplicitSave = true
 | 
	
		
			
				|  |  | -        }
 | 
	
		
			
				|  |  | -    }
 | 
	
		
			
				|  |  | -    return http.build()
 | 
	
		
			
				|  |  | -}
 | 
	
		
			
				|  |  | -----
 | 
	
		
			
				|  |  | -
 | 
	
		
			
				|  |  | -.XML
 | 
	
		
			
				|  |  | -[source,xml,role="secondary"]
 | 
	
		
			
				|  |  | -----
 | 
	
		
			
				|  |  | -<http security-context-explicit-save="true">
 | 
	
		
			
				|  |  | -    <!-- ... -->
 | 
	
		
			
				|  |  | -</http>
 | 
	
		
			
				|  |  | -----
 | 
	
		
			
				|  |  | -====
 | 
	
		
			
				|  |  | -
 | 
	
		
			
				|  |  | -The most straightforward reason for this is that it is xref:migration/servlet/session-management.adoc#_require_explicit_saving_of_securitycontextrepository[becoming the default value in 6.0], so this will make sure you are ready for that.
 | 
	
		
			
				|  |  | +This is done automatically by default, so no additional code is necessary, though it is important to know what `requireExplicitSave` means in `HttpSecurity`.
 | 
	
		
			
				|  |  |  
 | 
	
		
			
				|  |  |  If you like, <<how-it-works-requireexplicitsave,you can read more about what requireExplicitSave is doing>> or <<requireexplicitsave,why it's important>>. Otherwise, in most cases you are done with this section.
 | 
	
		
			
				|  |  |  
 | 
	
	
		
			
				|  | @@ -96,51 +54,9 @@ The problem with this is that it means that in a typical setup, the `HttpSession
 | 
	
		
			
				|  |  |  In Spring Security 6, the default is that authentication mechanisms themselves must invoke the `SessionAuthenticationStrategy`.
 | 
	
		
			
				|  |  |  This means that there is no need to detect when `Authentication` is done and thus the `HttpSession` does not need to be read for every request.
 | 
	
		
			
				|  |  |  
 | 
	
		
			
				|  |  | -To opt into the new Spring Security 6 default, the following configuration should be used.
 | 
	
		
			
				|  |  | -
 | 
	
		
			
				|  |  | -.Require Explicit `SessionAuthenticationStrategy` Invocation
 | 
	
		
			
				|  |  | -====
 | 
	
		
			
				|  |  | -.Java
 | 
	
		
			
				|  |  | -[source,java,role="primary"]
 | 
	
		
			
				|  |  | -----
 | 
	
		
			
				|  |  | -@Bean
 | 
	
		
			
				|  |  | -SecurityFilterChain springSecurity(HttpSecurity http) throws Exception {
 | 
	
		
			
				|  |  | -    http
 | 
	
		
			
				|  |  | -        // ...
 | 
	
		
			
				|  |  | -        .sessionManagement((sessions) -> sessions
 | 
	
		
			
				|  |  | -            .requireExplicitAuthenticationStrategy(true)
 | 
	
		
			
				|  |  | -        );
 | 
	
		
			
				|  |  | -    return http.build();
 | 
	
		
			
				|  |  | -}
 | 
	
		
			
				|  |  | -----
 | 
	
		
			
				|  |  | -
 | 
	
		
			
				|  |  | -.Kotlin
 | 
	
		
			
				|  |  | -[source,kotlin,role="secondary"]
 | 
	
		
			
				|  |  | -----
 | 
	
		
			
				|  |  | -@Bean
 | 
	
		
			
				|  |  | -open fun springSecurity(http: HttpSecurity): SecurityFilterChain {
 | 
	
		
			
				|  |  | -    http {
 | 
	
		
			
				|  |  | -        sessionManagement {
 | 
	
		
			
				|  |  | -            requireExplicitAuthenticationStrategy = true
 | 
	
		
			
				|  |  | -        }
 | 
	
		
			
				|  |  | -    }
 | 
	
		
			
				|  |  | -    return http.build()
 | 
	
		
			
				|  |  | -}
 | 
	
		
			
				|  |  | -----
 | 
	
		
			
				|  |  | -
 | 
	
		
			
				|  |  | -.XML
 | 
	
		
			
				|  |  | -[source,xml,role="secondary"]
 | 
	
		
			
				|  |  | -----
 | 
	
		
			
				|  |  | -<http>
 | 
	
		
			
				|  |  | -    <!-- ... -->
 | 
	
		
			
				|  |  | -    <session-management authentication-strategy-explicit-invocation="true"/>
 | 
	
		
			
				|  |  | -</http>
 | 
	
		
			
				|  |  | -----
 | 
	
		
			
				|  |  | -====
 | 
	
		
			
				|  |  | -
 | 
	
		
			
				|  |  |  ==== Things To Consider When Moving Away From `SessionManagementFilter`
 | 
	
		
			
				|  |  |  
 | 
	
		
			
				|  |  | -When `requireExplicitAuthenticationStrategy = true`, it means that the `SessionManagementFilter` will not be used, therefore, some methods from the `sessionManagement` DSL will not have any effect.
 | 
	
		
			
				|  |  | +In Spring Security 6, the `SessionManagementFilter` is not used by default, therefore, some methods from the `sessionManagement` DSL will not have any effect.
 | 
	
		
			
				|  |  |  
 | 
	
		
			
				|  |  |  |===
 | 
	
		
			
				|  |  |  |Method |Replacement
 | 
	
	
		
			
				|  | @@ -155,7 +71,7 @@ When `requireExplicitAuthenticationStrategy = true`, it means that the `SessionM
 | 
	
		
			
				|  |  |  |Configure an `SessionAuthenticationStrategy` in your authentication mechanism as <<moving-away-from-sessionmanagementfilter,discussed above>>
 | 
	
		
			
				|  |  |  |===
 | 
	
		
			
				|  |  |  
 | 
	
		
			
				|  |  | -In Spring Security 6, if you try to use any of these methods when `requireExplicitAuthenticationStrategy = true` (the default), an exception will be thrown.
 | 
	
		
			
				|  |  | +If you try to use any of these methods, an exception will be thrown.
 | 
	
		
			
				|  |  |  
 | 
	
		
			
				|  |  |  
 | 
	
		
			
				|  |  |  [[customizing-where-authentication-is-stored]]
 | 
	
	
		
			
				|  | @@ -186,7 +102,6 @@ public SecurityFilterChain filterChain(HttpSecurity http) {
 | 
	
		
			
				|  |  |      http
 | 
	
		
			
				|  |  |          // ...
 | 
	
		
			
				|  |  |          .securityContext((context) -> context
 | 
	
		
			
				|  |  | -            .requireExplicitSave(true)
 | 
	
		
			
				|  |  |              .securityContextRepository(repo)
 | 
	
		
			
				|  |  |          );
 | 
	
		
			
				|  |  |      return http.build();
 | 
	
	
		
			
				|  | @@ -202,7 +117,6 @@ open fun filterChain(http: HttpSecurity): SecurityFilterChain {
 | 
	
		
			
				|  |  |      http {
 | 
	
		
			
				|  |  |          // ...
 | 
	
		
			
				|  |  |          securityContext {
 | 
	
		
			
				|  |  | -            requireExplicitSave = true
 | 
	
		
			
				|  |  |              securityContextRepository = repo
 | 
	
		
			
				|  |  |          }
 | 
	
		
			
				|  |  |      }
 | 
	
	
		
			
				|  | @@ -213,7 +127,7 @@ open fun filterChain(http: HttpSecurity): SecurityFilterChain {
 | 
	
		
			
				|  |  |  .XML
 | 
	
		
			
				|  |  |  [source,xml,role="secondary"]
 | 
	
		
			
				|  |  |  ----
 | 
	
		
			
				|  |  | -<http security-context-explicit-save="true" security-context-repository-ref="repo">
 | 
	
		
			
				|  |  | +<http security-context-repository-ref="repo">
 | 
	
		
			
				|  |  |      <!-- ... -->
 | 
	
		
			
				|  |  |  </http>
 | 
	
		
			
				|  |  |  <bean name="repo" class="com.example.MyCustomSecurityContextRepository" />
 |