Spring Security HttpSecurityContextRepository saves @Transient Authentication if HttpSession already exists

If an HttpSession already exists, then HttpSecurityContextRepository will save @Transient Authentication but should not. An example test:

@Test
public void saveContextWhenTransientAuthenticationAndSessionExistsThenSkipped() {
    HttpSessionSecurityContextRepository repo = new HttpSessionSecurityContextRepository();
    MockHttpServletRequest request = new MockHttpServletRequest();
    request.getSession(); // ensure the session exists
    MockHttpServletResponse response = new MockHttpServletResponse();
    HttpRequestResponseHolder holder = new HttpRequestResponseHolder(request, response);
    SecurityContext context = repo.loadContext(holder);
    SomeTransientAuthentication authentication = new SomeTransientAuthentication();
    context.setAuthentication(authentication);
    repo.saveContext(context, holder.getRequest(), holder.getResponse());
    MockHttpSession session = (MockHttpSession) request.getSession(false);
    assertThat(Collections.list(session.getAttributeNames())).isEmpty();
}

Comment From: rwinch

Closing in favor of gh-9993