Spring 安全性 - 何时清除 SecurityContextHolder

我有一个控制器，我正在从该控制器返回用户信息：

@RequestMapping(method = RequestMethod.GET)
Object getUserInfo() {
return SecurityContextHolder.getContext().getAuthentication().getPrincipal();
}

我使用OncePerRequestFilter创建了基于令牌的自定义身份验证：

package gbyf;
import gbyf.token.Token;
import gbyf.token.TokenRepository;
import gbyf.user.User;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.OncePerRequestFilter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
public class TokenAuthenticationFilter extends OncePerRequestFilter {
private final TokenRepository tokenRepository;
TokenAuthenticationFilter(TokenRepository tokenRepository) {
this.tokenRepository = tokenRepository;
}
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws ServletException, IOException {
String tokenString = request.getHeader("token");
if(tokenString == null) {
// user is not authenticated, continue to filter
chain.doFilter(request, response);
return;
}
Token token = tokenRepository.findTokenByTokenValue(tokenString);
if(token == null) {
System.out.println("=====doFilterInternal()==== token is null, not authenticated");
} else {
System.out.println("=====doFilterInternal()==== token is NOT null");
User user = token.getUser();
if(user != null) {
Authentication auth = new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities());
SecurityContextHolder.getContext().setAuthentication(auth);
System.out.println("=====doFilterInternal()==== authenticated user");
}
}
super.doFilter(request, response, chain);
}
}

当我发送在数据库中找到的正确令牌参数时，它会正确验证用户。但是，对于另一个wrong令牌请求，服务器仍会发送旧用户身份验证主体。安全上下文持有者不应该在请求完成后刷新身份验证详细信息。

可能是什么问题？