Fix defaults description in Session Management doc #18345
+1
−1
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Corrected that starting from Spring Security 6 security context is not automatically saved by default. Signed-off-by: sankranti <[email protected]>
spring-projects-issues
added
the
status: waiting-for-triage
| Once you have got an application that is xref:servlet/authentication/index.adoc[authenticating requests], it is important to consider how that resulting authentication will be persisted and restored on future requests. | ||
|
|
||
| This is done automatically by default, so no additional code is necessary, though it is important to know what `requireExplicitSave` means in `HttpSecurity`. | ||
| Starting from Spring Security 6 security context is not persisted automatically by default, thus it is important to know what `requireExplicitSave` means in `HttpSecurity`. |
Contributor
There was a problem hiding this comment.
Starting from Spring Security 6,(add comma)
jzheaux
requested changes
Jan 14, 2026
Contributor
jzheaux
left a comment
jzheaux
left a comment
There was a problem hiding this comment.
Hi, @sankranty, thanks for the PR. I agree that this could be clearer. I've left my suggestions inline.
| Once you have got an application that is xref:servlet/authentication/index.adoc[authenticating requests], it is important to consider how that resulting authentication will be persisted and restored on future requests. | ||
|
|
||
| This is done automatically by default, so no additional code is necessary, though it is important to know what `requireExplicitSave` means in `HttpSecurity`. | ||
| Starting from Spring Security 6 security context is not persisted automatically by default, thus it is important to know what `requireExplicitSave` means in `HttpSecurity`. |
Contributor
There was a problem hiding this comment.
While this first sentence could possibly be clearer, it's not true that the security context is not persisted by default.
The important change from 5 to 6 was that the SecurityContextPersistenceFilter would not automatically attempt to save the security context for you. It is still true, though, that each Spring Security filter that interacts with the Security Context will persist it as needed (instead of all of them relying on one filter).
Perhaps the following:
This is done automatically by default. If you have a custom filter or controller that is setting the security context, you will need to use a `SecurityContextRepository` to persist it across requests.
If you are upgrading from an older version, you may be interested in the `requireExplicitSave` setting that preserves Spring Security 5's default, though note that this is primarily for migration purposes.
jzheaux
added
in: docs
jzheaux
added
the
status: waiting-for-feedback
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Corrected that starting from Spring Security 6 security context is not automatically saved by default.