We should remove SecurityContextPersistenceFilter
in favor of explicit saves to the SecurityContextRepository. This will provide lots of benefits:
- There will be no confusion when the SecurityContext should be saved
- Different types of authentication can save (or not save) the SecurityContext differently
- This would align with how WebFlux works
We would add a new Filter that only reads the SecurityContext and sets it on SecurityContextHolder. We should also consider providing a simplified API that doesn't involve needing to update the HttpRequestResponseHolder.
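As an added example (not code from this issue or from Spring Security itself), the two halves of the proposed split written as a plain servlet filter, assuming Spring Security 5.8+ with the jakarta.servlet API: a filter that only loads the context and exposes it on the holder, and a separate explicit `saveContext` call made by the authentication step that decides a login should be persisted. Stateless authentication (for example a bearer token) would simply never call `persistLogin`, so nothing is written to the session.

```java
import java.io.IOException;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextRepository;
import org.springframework.web.filter.OncePerRequestFilter;

/**
 * Read-only replacement for the persistence filter (hypothetical class, added example):
 * it loads the SecurityContext and sets it on the holder, but never saves it back.
 */
public class ReadOnlySecurityContextFilter extends OncePerRequestFilter {

    private final SecurityContextRepository repository = new HttpSessionSecurityContextRepository();

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        // loadDeferredContext defers touching the session until something actually asks.
        SecurityContext context = repository.loadDeferredContext(request).get();
        try {
            SecurityContextHolder.setContext(context);
            chain.doFilter(request, response);
        } finally {
            // No implicit save on the way out: clearing is the only side effect.
            SecurityContextHolder.clearContext();
        }
    }

    /**
     * Explicit save (hypothetical helper, added example): the authentication step that
     * wants the login to survive the request calls this once; nothing else persists.
     */
    public static void persistLogin(SecurityContextRepository repository, Authentication result,
                                    HttpServletRequest request, HttpServletResponse response) {
        SecurityContext context = SecurityContextHolder.createEmptyContext();
        context.setAuthentication(result);
        SecurityContextHolder.setContext(context);
        // The single, visible point at which the context reaches the session.
        repository.saveContext(context, request, response);
    }
}
```

With this split, a context set on the holder by arbitrary downstream code is no longer silently written to the session at the end of the request; only a deliberate `persistLogin` call does that.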
Comment From: rwinch
The defaults have been changed, but we will keep this around till Security 7.0.0-M1 to allow for reverting to the previous behavior for now.