As you already know, this filter is responsible for SecurityContext persistence between requests. Let's see how it works internally by checking the class diagram shown in the following figure:
As you can see, the filter holds a reference to an instance of HttpSessionSecurityContextRepository, which implements the SecurityContextRepository interface. The filter also uses SecurityContextHolder to set up SecurityContext as well as clear it out. The SecurityContext implementation, SecurityContextImpl, holds an instance of Authentication.
In an unauthenticated request, SecurityContextRepository contains no SecurityContext object for that request. SecurityContext that this filter puts into SecurityContextHolder is an empty one, as authentication inside that SecurityContext object is null, as shown in the following figure:
It is only after a successful authentication that authentication inside the SecurityContext will be updated to an Authentication object that contains the information of the user who just logged in. This filter will save SecurityContext into HttpSession. In the following requests, SecurityContextPersistenceFilter will load SecurityContext from the repository and put it into SecurityContextHolder.