Skip to content

Fix defaults description in Session Management doc #18345

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
sankranty wants to merge 1 commit into
base: main
Choose a base branch
from
+1 −1
Open

Fix defaults description in Session Management doc #18345

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion docs/modules/ROOT/pages/servlet/authentication/session-management.adoc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@

Once you have got an application that is xref:servlet/authentication/index.adoc[authenticating requests], it is important to consider how that resulting authentication will be persisted and restored on future requests.

This is done automatically by default, so no additional code is necessary, though it is important to know what `requireExplicitSave` means in `HttpSecurity`.
Starting from Spring Security 6 security context is not persisted automatically by default, thus it is important to know what `requireExplicitSave` means in `HttpSecurity`.
Copy link
Contributor

@ronodhirSoumik ronodhirSoumik Dec 24, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Starting from Spring Security 6,(add comma)

Copy link
Contributor

@jzheaux jzheaux Jan 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

While this first sentence could possibly be clearer, it's not true that the security context is not persisted by default.

The important change from 5 to 6 was that the SecurityContextPersistenceFilter would not automatically attempt to save the security context for you. It is still true, though, that each Spring Security filter that interacts with the Security Context will persist it as needed (instead of all of them relying on one filter).

Perhaps the following:

This is done automatically by default. If you have a custom filter or controller that is setting the security context, you will need to use a `SecurityContextRepository` to persist it across requests.

If you are upgrading from an older version, you may be interested in the `requireExplicitSave` setting that preserves Spring Security 5's default, though note that this is primarily for migration purposes.


If you like, <<how-it-works-requireexplicitsave,you can read more about what requireExplicitSave is doing>> or <<requireexplicitsave,why it's important>>. Otherwise, in most cases you are done with this section.

Expand Down
Loading