I have been going through the Spring Security docs and been playing around with basic authentication projects. I am confused as to what is the use of deferred context in authentication?
I have gone through the javadocs of the class and tried to see the flow of authentication, but am unable to figure out its purpose.
This GitHub issue explains it best. To summarize:
A benefit is that if it takes some work to obtain the SecurityContext, then it is only looked up if necessary.
For example, currently the SecurityContext is looked up from the HttpSession for every page. When using distributed sessions (i.e. Spring Session + Redis) this is a lot of unnecessary overhead for accessing public css, javascript, and images. With these changes Spring Security can avoid accessing the HttpSession for public resources like javascript, css, images, public html pages, etc.
AuthorizationManager may not need to access the SecurityContext to authenticate (e.g. public invocation was allowed), in this case having a Supplier helps to skip the work needed to obtain the SecurityContext.
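The effect described in this answer, modeled in plain Java as an added example (it is not Spring Security's code and not from the linked issue). `Context`, `SessionStore`, `defer` and `authorize` are hypothetical stand-ins for the SecurityContext, a Redis-backed session, the deferred supplier and an authorization rule; the session id and paths are constructed sample data.

```java
import java.util.Map;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.function.Supplier;

public class DeferredContextDemo {
    // Hypothetical stand-in for a SecurityContext holding only the user name.
    record Context(String user) {}

    // Hypothetical stand-in for a remote session store (e.g. Redis); counts lookups.
    static class SessionStore {
        final AtomicInteger lookups = new AtomicInteger();
        final Map<String, Context> sessions = Map.of("sess-1", new Context("alice")); // constructed sample
        Context load(String sessionId) {
            lookups.incrementAndGet(); // the expensive round trip we want to avoid
            return sessions.getOrDefault(sessionId, new Context(null));
        }
    }

    // Wraps the lookup so it runs at most once, and only if get() is actually called.
    static Supplier<Context> defer(Supplier<Context> loader) {
        return new Supplier<>() {
            private Context cached;
            public synchronized Context get() {
                if (cached == null) cached = loader.get();
                return cached;
            }
        };
    }

    // Authorization rule: public paths are granted without ever touching the supplier.
    static boolean authorize(String path, Supplier<Context> context) {
        if (path.startsWith("/css/") || path.startsWith("/js/") || path.startsWith("/images/")) {
            return true;
        }
        return context.get().user() != null; // only protected paths pay for the lookup
    }

    public static void main(String[] args) {
        SessionStore store = new SessionStore();
        for (String path : new String[] {"/css/site.css", "/js/app.js", "/account", "/images/logo.png"}) {
            Supplier<Context> deferred = defer(() -> store.load("sess-1")); // one supplier per request
            boolean granted = authorize(path, deferred);
            System.out.println(path + " granted=" + granted + " lookups so far=" + store.lookups.get());
        }
    }
}
```

Only the request for `/account` increments the lookup counter; the three static-resource requests are authorized without the session store being read.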