Is required SecurityContextHolder in JWT Authentication App?

Question

I'm developing application in Spring Boot and I need jwt authentication there. I decide to use that github project, but when I'm looking at code I don't understand sense of SecurityContextHolder.

Here are 2 classes which are using it:

AuthenticationRestController.java

JwtAuthenticationTokenFilter.java

Can you tell me what is purpose of SecurityContextHolder? I want stateless authentication without session. So I just need generate jwt and next check it before requests.

This git project also has disable session:

...
httpSeccurity.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
...

I've tried delete code with SecurityContextHolder and applicatin still works fine.

Thanks for answers.

I suggest you take a look at the official spring security jwt project, `spring-security-jwt` — secondbreakfast, Feb 02 '18 at 13:14
Oops, yea you are correct it isn't it's own project, oops. it is part of the `spring-security-oauth2` project. Is there any reason you don't want to use oauth2? It is highly customizable — secondbreakfast, Feb 02 '18 at 14:10

Boris · Answer 1 · 2018-02-02T12:13:53.647

Here is a quote from Learning Spring 5.0:

One major aspect of security is storing the information of the principal currently used by the application. It is held by the security context of the application. SecurityContextHolder is the most important object of the framework as it stores the details about security context in ThreadLocal. It means the security context will be available to the methods that are executed in the same thread. However, in a few circumstances, all the threads in the application may need to use other strategies for using the security context. The framework provides two ways to change the default nature of using ThreadLocal. The developers can either set the system property or they can invoke the static method on SecurityContextHolder.

The reason your application still works after deleting code with SecurityContextHolder is that by using the SessionCreationPolicy.STATELESS creation policy you request Spring Security to not create an HTTP session and not store logged in user’s SecurityContext in the session.

When to use SessionCreationPolicy.STATELESS

to stop creating sessions during the entire lifespan of the application
to stop using sessions during the entire lifespan of the application

So in my case I can keep deleted because is useless, right? – Denis Stephanov Feb 02 '18 at 12:05 — Denis Stephanov, Feb 02 '18 at 12:05
Yes, if the intention is to stop creating/using sessions. – Boris Feb 02 '18 at 12:14 — Boris, Feb 02 '18 at 12:14

Is required SecurityContextHolder in JWT Authentication App?

1 Answers1