SecurityContextHolder

About

SecurityContextHolder is a utility class in Spring Security that provides access to the SecurityContext. It is responsible for storing and retrieving the authentication details of the currently authenticated user. It plays an important role in Spring Security's authentication and authorization process by maintaining security information throughout the lifecycle of a request.

Why is SecurityContextHolder Important?

  • Centralized access to security details – Provides access to the currently authenticated user from anywhere in the application.

  • Manages security context per thread – Ensures thread-local storage of authentication details.

  • Facilitates method-level security – Used to enforce role-based access.

  • Allows customization of storage strategies – Supports different ways to store security context data.

SecurityContextHolder Class Overview

The SecurityContextHolder class is a final class that provides static methods for managing the security context.

public final class SecurityContextHolder {
    public static SecurityContext getContext();
    public static void setContext(SecurityContext context);
    public static void clearContext();
    public static void setStrategyName(String strategyName);
}

Method – Purpose

  • getContext() – Retrieves the current SecurityContext.

  • setContext(SecurityContext context) – Manually sets the security context.

  • clearContext() – Clears authentication details (used on logout).

  • setStrategyName(String strategyName) – Changes the storage strategy (default is ThreadLocal).

SecurityContext Storage Strategies

Spring Security provides three different strategies for storing SecurityContext:

Strategy – Description – Usage

  • ThreadLocal (default, MODE_THREADLOCAL) – Stores the SecurityContext in the current thread only. Default strategy, used in web apps, where one thread serves one request.

  • InheritableThreadLocal (MODE_INHERITABLETHREADLOCAL) – Child threads created by the current thread inherit its SecurityContext. Useful for async processing that spawns threads per request.

  • Global (shared context, MODE_GLOBAL) – A single SecurityContext shared across all threads. Not recommended for server applications, because every request would see the same user; it is intended for standalone (rich client) applications.

Changing SecurityContext Strategy

We can change the default ThreadLocal storage to MODE_INHERITABLETHREADLOCAL:

SecurityContextHolder.setStrategyName(SecurityContextHolder.MODE_INHERITABLETHREADLOCAL);
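The difference between the two thread-local strategies, as an added stand-alone example (not code from the original page) that needs only spring-security-core on the classpath: the parent thread authenticates, spawns a child thread, and checks whether the child can read the context. Under MODE_THREADLOCAL the child sees no Authentication; under MODE_INHERITABLETHREADLOCAL it sees the parent's. The class and method names are this example's own.

```java
import java.util.List;
import java.util.concurrent.atomic.AtomicReference;

import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;

public class StrategyDemo {

    // Authenticate the calling thread under the given strategy, then report
    // whether a freshly spawned child thread can see the same Authentication.
    static boolean childThreadSeesContext(String strategyName) throws InterruptedException {
        // setStrategyName re-initialises the holder, discarding any stored context.
        SecurityContextHolder.setStrategyName(strategyName);

        SecurityContext ctx = SecurityContextHolder.createEmptyContext();
        ctx.setAuthentication(new UsernamePasswordAuthenticationToken(
                "alice", null, List.of(new SimpleGrantedAuthority("ROLE_USER"))));
        SecurityContextHolder.setContext(ctx);

        AtomicReference<Authentication> seenByChild = new AtomicReference<>();
        Thread child = new Thread(() ->
                seenByChild.set(SecurityContextHolder.getContext().getAuthentication()));
        child.start();
        child.join();

        // Never leave a context behind on the parent thread once we are done with it.
        SecurityContextHolder.clearContext();
        return seenByChild.get() != null;
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("MODE_THREADLOCAL, child sees context: "
                + childThreadSeesContext(SecurityContextHolder.MODE_THREADLOCAL));
        System.out.println("MODE_INHERITABLETHREADLOCAL, child sees context: "
                + childThreadSeesContext(SecurityContextHolder.MODE_INHERITABLETHREADLOCAL));
    }
}
```

Inheritance is copied when a Thread is constructed, so pooled threads created earlier keep whatever context they inherited at that time; for executors, Spring Security's DelegatingSecurityContextExecutor propagates the context per task instead. The strategy can also be selected without code through the spring.security.strategy system property.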

Clearing SecurityContext on Logout

To clear the security context on logout, we can use:

SecurityContextHolder.clearContext();
  • Prevents unauthorized access after logout. Spring Security's built-in logout support already does this through SecurityContextLogoutHandler; the explicit call matters in custom logout flows that bypass it.

How to Use SecurityContextHolder

1. Accessing SecurityContext in Controllers

Spring Security provides SecurityContextHolder to retrieve authentication details.

@GetMapping("/user-info")
public ResponseEntity<String> getUserInfo() {
    Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
    String username = authentication.getName();
    return ResponseEntity.ok("Authenticated User: " + username);
}
  • Retrieves the currently logged-in user's username.

  • authentication.getAuthorities() can be used to fetch roles/permissions.

2. Accessing SecurityContext in Services

If we need user details inside a service layer:

@Service
public class UserService {
    public String getCurrentUsername() {
        return SecurityContextHolder.getContext().getAuthentication().getName();
    }
}
  • Ensures authentication details are available throughout the request lifecycle.

3. Setting SecurityContext Manually

If we need to set authentication manually (e.g., for programmatic login):

UsernamePasswordAuthenticationToken auth =
    new UsernamePasswordAuthenticationToken("user", null, List.of(new SimpleGrantedAuthority("ROLE_USER")));

SecurityContextHolder.getContext().setAuthentication(auth);
  • This is useful for custom authentication mechanisms.
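An added example (not part of the original page) of the manual-login pattern that Spring Security's reference documentation recommends: build a fresh SecurityContext with createEmptyContext() and publish it with setContext(), instead of mutating the context returned by getContext(), which can race with other threads. It also shows a service-layer lookup that tolerates the no-user case; loginAs and currentUsername are this example's own names, and it runs without a Spring container.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Optional;
import java.util.stream.Collectors;

import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;

public class ManualContextDemo {

    // Programmatic login: build a new context and publish it in one step rather
    // than calling setAuthentication() on the shared context from getContext().
    static void loginAs(String username, String... roles) {
        List<SimpleGrantedAuthority> authorities = Arrays.stream(roles)
                .map(r -> new SimpleGrantedAuthority("ROLE_" + r))
                .collect(Collectors.toList());
        // The authorities-taking constructor marks the token as authenticated.
        Authentication auth = new UsernamePasswordAuthenticationToken(username, null, authorities);
        SecurityContext ctx = SecurityContextHolder.createEmptyContext();
        ctx.setAuthentication(auth);
        SecurityContextHolder.setContext(ctx);
    }

    // Service-layer lookup that handles "no user": outside a request (e.g. a
    // scheduled job) getAuthentication() is null, and inside one it may be the
    // anonymous token, which is not a real login either.
    static Optional<String> currentUsername() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated() || auth instanceof AnonymousAuthenticationToken) {
            return Optional.empty();
        }
        return Optional.of(auth.getName());
    }

    public static void main(String[] args) {
        System.out.println("before login: " + currentUsername());
        loginAs("alice", "USER");
        System.out.println("after login:  " + currentUsername());
        SecurityContextHolder.clearContext();
        System.out.println("after logout: " + currentUsername());
    }
}
```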

SecurityContextHolder Configuration in Spring Boot

Spring Boot 2 – SecurityContext Configuration

Before Spring Security 5.7, configuration was done by extending WebSecurityConfigurerAdapter:

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
            .anyRequest().authenticated()
            .and()
            .formLogin()
            .and()
            .logout().logoutSuccessHandler((req, res, auth) -> SecurityContextHolder.clearContext());
    }
}
  • Uses SecurityContextHolder.clearContext() on logout. Note that the default SecurityContextLogoutHandler has already cleared the context before the success handler runs, and that supplying a custom logoutSuccessHandler replaces the default redirect to the login page, so this handler leaves the response empty.

Spring Boot 3 – SecurityContext Configuration

Spring Boot 3 (Spring Security 6) no longer ships WebSecurityConfigurerAdapter; security is configured through a SecurityFilterChain bean instead:

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .formLogin(Customizer.withDefaults())
            .logout(logout -> logout.logoutSuccessHandler((req, res, auth) -> SecurityContextHolder.clearContext()));
        return http.build();
    }
}
  • Uses lambda-based DSL for cleaner security configuration.
