Reputation: 5241
I'm developing an application in Spring Boot and I need JWT authentication there. I decided to use that GitHub project, but when I look at the code I don't understand the sense of SecurityContextHolder.
Here are 2 classes which are using it:
AuthenticationRestController.java
JwtAuthenticationTokenFilter.java
Can you tell me what the purpose of SecurityContextHolder is? I want stateless authentication without a session. So I just need to generate a JWT and then check it before requests.
This git project also has sessions disabled:
...
httpSecurity.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
...
I've tried deleting the code with SecurityContextHolder and the application still works fine.
Thanks for answers.
Upvotes: 0
Views: 1787
Reputation: 24453
Here is a quote from Learning Spring 5.0:
One major aspect of security is storing the information of the principal currently used by the application. It is held by the security context of the application. SecurityContextHolder is the most important object of the framework as it stores the details about security context in ThreadLocal. It means the security context will be available to the methods that are executed in the same thread. However, in a few circumstances, all the threads in the application may need to use other strategies for using the security context. The framework provides two ways to change the default nature of using ThreadLocal. The developers can either set the system property or they can invoke the static method on SecurityContextHolder.
The reason your application still works after deleting the code with SecurityContextHolder is that by using the SessionCreationPolicy.STATELESS creation policy you request Spring Security to not create an HTTP session and not store the logged-in user's SecurityContext in the session.
When to use SessionCreationPolicy.STATELESS
to stop creating sessions during the entire lifespan of the application
to stop using sessions during the entire lifespan of the application
Upvotes: 1
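To make the ThreadLocal point concrete: with STATELESS nothing is restored from a session, so a filter has to re-populate the SecurityContext on every request, and whatever it puts there is visible only to the rest of that same request thread. The filter below is an added example, not the GitHub project's code; `JwtTokenUtil` is a hypothetical helper whose contract is stated in comments, and the `javax.servlet` imports assume Spring Boot 2.x (Boot 3 uses `jakarta.servlet`).

```java
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.OncePerRequestFilter;

// Hypothetical contract for the token helper (not the project's class).
interface JwtTokenUtil {
    String validateAndGetUsername(String token); // null when signature or expiry check fails
    String[] getRoles(String token);             // authorities carried in the verified token
}

// Runs once per request, before Spring Security's authorization checks.
public class JwtAuthenticationTokenFilter extends OncePerRequestFilter {

    private final JwtTokenUtil jwtTokenUtil;

    public JwtAuthenticationTokenFilter(JwtTokenUtil jwtTokenUtil) {
        this.jwtTokenUtil = jwtTokenUtil;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        String header = request.getHeader("Authorization");
        // STATELESS: no session exists, so the context is empty here unless this filter fills it.
        if (header != null && header.startsWith("Bearer ")
                && SecurityContextHolder.getContext().getAuthentication() == null) {
            String token = header.substring("Bearer ".length());
            String username = jwtTokenUtil.validateAndGetUsername(token);
            if (username != null) {
                UsernamePasswordAuthenticationToken auth = new UsernamePasswordAuthenticationToken(
                        username, null, AuthorityUtils.createAuthorityList(jwtTokenUtil.getRoles(token)));
                // Stored in a ThreadLocal: visible to later filters, the controller and any
                // @PreAuthorize check on this request thread. Spring Security's context
                // persistence filter clears it when the request finishes, so nothing leaks
                // to the next request handled by the same pooled thread.
                SecurityContextHolder.getContext().setAuthentication(auth);
            }
        }
        // An invalid or missing token leaves the context empty; protected URLs then get 401/403.
        chain.doFilter(request, response);
    }
}
```

Register it with `httpSecurity.addFilterBefore(filter, UsernamePasswordAuthenticationFilter.class)` next to the STATELESS policy shown in the question; if it is removed, only unprotected URLs keep working, because nothing else places a principal in the context.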