SecurityContext will be cloned from the HttpSession. The default is to simply reference (ie the default is 'false'. The default may cause issues if concurrent threads need to have a different security identity from other threads being concurrently processed that share the same HttpSession. In most normal environments this does not represent an issue, as changes to the security identity in one thread is allowed to affect the security identitiy in other threads associated with the same 'HttpSession'. ]]>