In the documentation "Storing the Authentication manually"
(https://docs.spring.io/spring-security/reference/servlet/authentication/session-management.html#store-authentication-manually), the line securityContextHolderStrategy.setContext(authentication); should be securityContextHolderStrategy.setContext(context);
Original snippet:

    @PostMapping("/login")
    public void login(@RequestBody LoginRequest loginRequest, HttpServletRequest request, HttpServletResponse response) {
        UsernamePasswordAuthenticationToken token = UsernamePasswordAuthenticationToken.unauthenticated(
                loginRequest.getUsername(), loginRequest.getPassword());
        Authentication authentication = authenticationManager.authenticate(token);
        SecurityContext context = securityContextHolderStrategy.createEmptyContext();
        context.setAuthentication(authentication);
        securityContextHolderStrategy.setContext(authentication); // passes the Authentication, not the SecurityContext
        securityContextRepository.saveContext(context, request, response);
    }
As per my understanding it should be:

    @PostMapping("/login")
    public void login(@RequestBody LoginRequest loginRequest, HttpServletRequest request, HttpServletResponse response) {
        UsernamePasswordAuthenticationToken token = UsernamePasswordAuthenticationToken.unauthenticated(
                loginRequest.getUsername(), loginRequest.getPassword());
        Authentication authentication = authenticationManager.authenticate(token);
        SecurityContext context = securityContextHolderStrategy.createEmptyContext();
        context.setAuthentication(authentication);
        securityContextHolderStrategy.setContext(context);
        securityContextRepository.saveContext(context, request, response);
    }
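For reference, here is the corrected pattern as a complete controller showing how the three collaborators are wired. This is an added example, not code from the Spring Security reference or from this issue; the LoginRequest record and the bean wiring are assumptions, and the jakarta.servlet imports assume Spring Security 6 (on the 5.8.x line use javax.servlet instead).

```java
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.context.SecurityContextHolderStrategy;
import org.springframework.security.web.context.SecurityContextRepository;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;

// Added example; the request body shape and bean wiring are assumptions.
@RestController
public class LoginController {

    // Assumed request body; the docs page does not define LoginRequest.
    public record LoginRequest(String username, String password) {}

    private final AuthenticationManager authenticationManager;
    private final SecurityContextRepository securityContextRepository;
    // Use the holder's configured strategy rather than the static SecurityContextHolder methods.
    private final SecurityContextHolderStrategy securityContextHolderStrategy =
            SecurityContextHolder.getContextHolderStrategy();

    public LoginController(AuthenticationManager authenticationManager,
                           SecurityContextRepository securityContextRepository) {
        this.authenticationManager = authenticationManager;
        this.securityContextRepository = securityContextRepository;
    }

    @PostMapping("/login")
    public void login(@RequestBody LoginRequest loginRequest,
                      HttpServletRequest request, HttpServletResponse response) {
        UsernamePasswordAuthenticationToken token = UsernamePasswordAuthenticationToken.unauthenticated(
                loginRequest.username(), loginRequest.password());
        // Throws AuthenticationException on bad credentials, so nothing below runs in that case.
        Authentication authentication = authenticationManager.authenticate(token);
        SecurityContext context = securityContextHolderStrategy.createEmptyContext();
        context.setAuthentication(authentication);
        // setContext(SecurityContext) takes the context; passing the Authentication does not compile.
        securityContextHolderStrategy.setContext(context);
        // Persist the context (for example into the HTTP session) so later requests see it.
        securityContextRepository.saveContext(context, request, response);
    }
}
```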
Comment From: marcusdacoregio
Hi @ghoshbishakh, nice catch.
Are you interested in submitting a PR that fixes the documentation? The PR should target the 5.8.x branch since this is the oldest supported branch on which the problem happens.
Comment From: ghoshbishakh
@marcusdacoregio I opened a PR. Please forgive any mistakes as this is my first PR here. Thanks.