SecurityContextHolder

About

SecurityContextHolder is a utility class in Spring Security that provides access to the SecurityContext. It is responsible for storing and retrieving authentication details of the currently authenticated user. It plays a important role in Spring Security’s authentication and authorization process by maintaining security information throughout the lifecycle of a request.

Why is SecurityContextHolder Important?

• Centralized access to security details – Provides access to the currently authenticated user from anywhere in the application.

• Manages security context per thread – Ensures thread-local storage of authentication details.

• Facilitates method-level security – Used to enforce role-based access.

• Allows customization of storage strategies – Supports different ways to store security context data.

SecurityContextHolder Class Overview

The SecurityContextHolder class is a final class that provides static methods for managing the security context.

public final class SecurityContextHolder {
    public static SecurityContext getContext();
    public static void setContext(SecurityContext context);
    public static void clearContext();
    public static void setStrategyName(String strategyName);
}

SecurityContext Storage Strategies

Spring Security provides three different strategies for storing SecurityContext:

Changing SecurityContext Strategy

We can change the default ThreadLocal storage to MODE_INHERITABLETHREADLOCAL:

SecurityContextHolder.setStrategyName(SecurityContextHolder.MODE_INHERITABLETHREADLOCAL);

Clearing SecurityContext on Logout

To clear the security context on logout, we can use:

SecurityContextHolder.clearContext();

• Prevents unauthorized access after logout

How to Use SecurityContextHolder

1. Accessing SecurityContext in Controllers

Spring Security provides SecurityContextHolder to retrieve authentication details.

@GetMapping("/user-info")
public ResponseEntity<String> getUserInfo() {
    Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
    String username = authentication.getName();
    return ResponseEntity.ok("Authenticated User: " + username);
}

• Retrieves the currently logged-in user's username.

• authentication.getAuthorities() can be used to fetch roles/permissions.

2. Accessing SecurityContext in Services

If we need user details inside a service layer:

@Service
public class UserService {
    public String getCurrentUsername() {
        return SecurityContextHolder.getContext().getAuthentication().getName();
    }
}

• Ensures authentication details are available throughout the request lifecycle.

3. Setting SecurityContext Manually

If we need to set authentication manually (e.g., for programmatic login):

UsernamePasswordAuthenticationToken auth =
    new UsernamePasswordAuthenticationToken("user", null, List.of(new SimpleGrantedAuthority("ROLE_USER")));

SecurityContextHolder.getContext().setAuthentication(auth);

• This is useful for custom authentication mechanisms.

SecurityContextHolder Configuration in Spring Boot

Spring Boot 2 – SecurityContext Configuration

Before Spring Security 5.7+, configurations were done via WebSecurityConfigurerAdapter:

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .anyRequest().authenticated()
            .and()
            .formLogin()
            .and()
            .logout().logoutSuccessHandler((req, res, auth) -> SecurityContextHolder.clearContext());
    }
}

• Uses SecurityContextHolder.clearContext() on logout.

Spring Boot 3 – SecurityContext Configuration

Spring Boot 3 removes WebSecurityConfigurerAdapter and uses bean-based configuration:

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .formLogin(Customizer.withDefaults())
            .logout(logout -> logout.logoutSuccessHandler((req, res, auth) -> SecurityContextHolder.clearContext()));
        return http.build();
    }
}

• Uses lambda-based DSL for cleaner security configuration.