Spring security : Preauthentication

Consider a webapp that has been pre-authenticated by an external system, and the authenticated user id is send via request headers. A UserService is invoked to load a custom UserDetails object from the app database. Want to know if the UserService will be invoked every time a request hits the application or only when SecurityContext doesn't have an Authentication object. Won't it be a performance hit if the UserService is called every time the request is passed via filters.

Only the first time to "login. Once that is done the Authentication object is in the SecurityContext, and the ServletFilter that was responsible for doing that has done its job and won't need to do it again, and therefore do nothing more.

Mark