From 5d53e3e99fa8cc7cb82c14a57f8ffa80d942f589 Mon Sep 17 00:00:00 2001
From: Mark Putsiata
Date: Wed, 23 Apr 2025 22:39:22 +0300
Subject: [PATCH] Improve AbstractPreAuthenticatedProcessingFilter docs
Clarify misleading SecurityContextRepository setter documentation. Note that AbstractPreAuthenticatedProcessingFilter saves the SecurityContext upon successful authentication, and this behavior can be customized via the setSecurityContextRepository setter.
Closes gh-14137
Signed-off-by: Mark Putsiata
---
 .../AbstractPreAuthenticatedProcessingFilter.java | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/web/src/main/java/org/springframework/security/web/authentication/preauth/AbstractPreAuthenticatedProcessingFilter.java b/web/src/main/java/org/springframework/security/web/authentication/preauth/AbstractPreAuthenticatedProcessingFilter.java
index fb09d39e5d..21c7f95f64 100755
--- a/web/src/main/java/org/springframework/security/web/authentication/preauth/AbstractPreAuthenticatedProcessingFilter.java
+++ b/web/src/main/java/org/springframework/security/web/authentication/preauth/AbstractPreAuthenticatedProcessingFilter.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2022 the original author or authors.
+ * Copyright 2002-2025 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -79,6 +79,10 @@
  * raised by the AuthenticationManager will the be re-thrown. Note that this will
  * not affect cases where the principal returned by {@link #getPreAuthenticatedPrincipal}
  * is null, when the chain will still proceed as normal.
+ *
+ * The filter saves the {@link SecurityContext} using the configured
+ * {@link SecurityContextRepository}, which can be set via
+ * {@link #setSecurityContextRepository}.
  *
  * @author Luke Taylor
  * @author Ruud Senden
@@ -253,8 +257,8 @@ public void setApplicationEventPublisher(ApplicationEventPublisher anApplication
 
 /**
  * Sets the {@link SecurityContextRepository} to save the {@link SecurityContext} on
- * authentication success. The default action is not to save the
- * {@link SecurityContext}.
+ * authentication success. The default action is to save the {@link SecurityContext}
+ * in {@link HttpSession} using {@link HttpSessionSecurityContextRepository}.
  * @param securityContextRepository the {@link SecurityContextRepository} to use.
  * Cannot be null.
  */
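Review bot: The paragraph added to the class Javadoc (`@@ -79,6 +79,10 @@`) says neither when the context is saved nor what the default repository is, although the commit message and the setter Javadoc in the last hunk state both. A reader of the class-level text alone cannot tell that a successful pre-authentication is written to the HTTP session unless configured otherwise. I would insert `on successful authentication` after `{@link SecurityContext}` and `(by default {@link HttpSessionSecurityContextRepository})` after `{@link SecurityContextRepository}`. The class comment starts and ends outside the hunk.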
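Review bot: The rewritten setter Javadoc (`@@ -253,8 +257,8 @@`) documents the session-backed default but gives no guidance for stateless deployments, where the pre-authenticated credential arrives with every request. In that setup a context kept in the `HttpSession` can presumably stay valid after the upstream credential is gone, so the session id becomes a second credential that needs the same protection. I would add a sentence such as `For stateless use, set a repository that does not persist the context across requests, e.g. {@link RequestAttributeSecurityContextRepository}.` and cross-reference `setCheckForPrincipalChanges`, provided both exist in this version of the file. Whether `HttpSession` is already imported so that the new `{@link HttpSession}` resolves is not visible in the hunk.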