Sep 26th, 2012, 10:55 AM
How does SecurityContextHolder work (tracking authenticated users)?
I'm digging through this code but don't understand how this magically works. We're using the default strategy of THREAD_LOCAL which internally uses a ThreadLocalSecurityContextHolderStrategy object. Inside this class I see the ThreadLocal variable for the SecurityContext and while I understand the concept of thread local, I don't understand how two different users hitting the same web application are guaranteed to get their own (and only/just their own) SecurityContext (and thus Authentication and GrantedAuthorities). It's confusing because the call to get the SecurityContext is static. Is there some map or registry backing store?
Can someone please explain this magic?
Tags for this Thread