Default Require Explicit Save SecurityContext

Closes gh-11762

web/src/main/java/org/springframework/security/web/servletapi/HttpServlet3RequestFactory.java

@@ -45,6 +45,7 @@ import org.springframework.security.core.context.SecurityContextHolderStrategy;
 import org.springframework.security.web.AuthenticationEntryPoint;
 import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
 import org.springframework.security.web.authentication.logout.LogoutHandler;
+import org.springframework.security.web.context.SecurityContextRepository;
 import org.springframework.util.Assert;
 import org.springframework.util.CollectionUtils;
 
@@ -92,8 +93,11 @@ final class HttpServlet3RequestFactory implements HttpServletRequestFactory {
 
 	private List<LogoutHandler> logoutHandlers;
 
-	HttpServlet3RequestFactory(String rolePrefix) {
+	private SecurityContextRepository securityContextRepository;
+
+	HttpServlet3RequestFactory(String rolePrefix, SecurityContextRepository securityContextRepository) {
 		this.rolePrefix = rolePrefix;
+		this.securityContextRepository = securityContextRepository;
 	}
 
 	/**
@@ -244,6 +248,7 @@ final class HttpServlet3RequestFactory implements HttpServletRequestFactory {
 					.createEmptyContext();
 			context.setAuthentication(authentication);
 			HttpServlet3RequestFactory.this.securityContextHolderStrategy.setContext(context);
+			HttpServlet3RequestFactory.this.securityContextRepository.saveContext(context, this, this.response);
 		}
 
 		private Authentication getAuthentication(AuthenticationManager authManager, String username, String password)

web/src/main/java/org/springframework/security/web/servletapi/SecurityContextHolderAwareRequestFilter.java

@@ -35,6 +35,8 @@ import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.core.context.SecurityContextHolderStrategy;
 import org.springframework.security.web.AuthenticationEntryPoint;
 import org.springframework.security.web.authentication.logout.LogoutHandler;
+import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
+import org.springframework.security.web.context.SecurityContextRepository;
 import org.springframework.util.Assert;
 import org.springframework.web.filter.GenericFilterBean;
 
@@ -84,6 +86,18 @@ public class SecurityContextHolderAwareRequestFilter extends GenericFilterBean {
 
 	private AuthenticationTrustResolver trustResolver = new AuthenticationTrustResolverImpl();
 
+	private SecurityContextRepository securityContextRepository = new HttpSessionSecurityContextRepository();
+
+	/**
+	 * Sets the {@link SecurityContextRepository} to use. The default is to use {@link HttpSessionSecurityContextRepository}.
+	 * @param securityContextRepository the {@link SecurityContextRepository} to use.
+	 * @since 6.0
+	 */
+	public void setSecurityContextRepository(SecurityContextRepository securityContextRepository) {
+		Assert.notNull(securityContextRepository, "securityContextRepository cannot be null");
+		this.securityContextRepository = securityContextRepository;
+	}
+
 	/**
 	 * Sets the {@link SecurityContextHolderStrategy} to use. The default action is to use
 	 * the {@link SecurityContextHolderStrategy} stored in {@link SecurityContextHolder}.
@@ -188,7 +202,7 @@ public class SecurityContextHolderAwareRequestFilter extends GenericFilterBean {
 	}
 
 	private HttpServletRequestFactory createServlet3Factory(String rolePrefix) {
-		HttpServlet3RequestFactory factory = new HttpServlet3RequestFactory(rolePrefix);
+		HttpServlet3RequestFactory factory = new HttpServlet3RequestFactory(rolePrefix, this.securityContextRepository);
 		factory.setTrustResolver(this.trustResolver);
 		factory.setAuthenticationEntryPoint(this.authenticationEntryPoint);
 		factory.setAuthenticationManager(this.authenticationManager);