Closed armorcodehemant closed 5 months ago
Hi, @armorcodehemant. Since Spring Security 6.0 you must save the SecurityContext manually by calling the SecurityContextRepository, please see https://docs.spring.io/spring-security/reference/servlet/authentication/session-management.html#requireexplicitsave.
It seems that there are multiple things going on, as you are mentioning both Spring Security and Spring Session APIs. If you really think it is a bug after reading the docs I linked above, can you please provide a minimal, reproducible sample, where ideally you are using only Spring Security, so we can verify the behavior?
@marcusdacoregio I am using securityContext.requireExplicitSave(false), so it should set up SecurityContextPersistenceFilter. If so, it should have worked without manually saving the context.
Can you please provide a reproducible sample?
If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.
Closing due to lack of requested feedback. If you would like us to look at this issue, please provide the requested information and we will re-open the issue.
I have a URI that updates the authenticated user's context. When the user calls only this URI, it works as expected, but when 2-3 other APIs are called followed by this URI, it does not update the context.
This same use case was working when we were on Spring Boot 2.x.x, with which we used Spring Security 5.x.x with Redis. This problem started after we moved to Spring Boot 3.2.x with Spring Security 6.2.3 with Redis.
my security context setting
I tried to set securityContext.requireExplicitSave(true); with this setting I have manually updated the context using org.springframework.security.web.context.SecurityContextRepository.saveContext(req,res,auth), and also tried changing FLUSH_MODE from ON_SAVE to IMMEDIATE in @EnableRedisIndexedHttpSession. Neither worked.
Is there any specific change I need to take care of with the updated Spring Security, or is this expected behaviour?
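The explicit save that the maintainer's reply refers to, as an added example that is not code from this thread or from the Spring Security project. The controller, endpoint path and role name are hypothetical, and it assumes the filter chain is configured with an HttpSessionSecurityContextRepository. Note that saveContext takes the context first, then the request and response.

```java
import java.util.ArrayList;
import java.util.List;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.context.SecurityContextHolderStrategy;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextRepository;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
class ContextRefreshController { // hypothetical controller

    private final SecurityContextHolderStrategy strategy =
            SecurityContextHolder.getContextHolderStrategy();

    // Assumption: the same repository type the filter chain reads from,
    // so the saved context is found again on the next request.
    private final SecurityContextRepository repository =
            new HttpSessionSecurityContextRepository();

    @PostMapping("/account/refresh-context") // hypothetical path
    void refresh(HttpServletRequest request, HttpServletResponse response) {
        Authentication current = strategy.getContext().getAuthentication();

        // Build a new Authentication instead of mutating the current one.
        List<GrantedAuthority> authorities = new ArrayList<>(current.getAuthorities());
        authorities.add(new SimpleGrantedAuthority("ROLE_EXAMPLE")); // constructed value
        Authentication updated = UsernamePasswordAuthenticationToken.authenticated(
                current.getPrincipal(), current.getCredentials(), authorities);

        // A fresh context avoids races with other threads holding the old one.
        SecurityContext context = strategy.createEmptyContext();
        context.setAuthentication(updated);
        strategy.setContext(context);

        // With explicit save required, nothing persists the context unless this runs.
        repository.saveContext(context, request, response);
    }
}
```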