PR: https://github.com/spring-projects/spring-security/pull/9993

This breaks my app when I switched from 5.6.6 to 5.7, as JwtAuthenticationToken, which has @Transient, is being used.

The regular flow with 5.6.6:

- Request A (websocket handshake) is fired; there is no http session yet, so it fails and will retry.
- API request B includes a bearer token in the headers; JwtAuthenticationToken authentication takes place and is then used to attach the SecurityContext to the http session as the SPRING_SECURITY_CONTEXT attribute.
- Request A, being retried, uses the http session to get the SecurityContext that was just saved and so is authenticated.

This flow breaks because of the isTransient method now.

Is there something wrong with this flow? And why should a @Transient Authentication be prevented from saving? Any suggestions?

Originally posted by @jawherallani in https://github.com/spring-projects/spring-security/issues/9993#issuecomment-1198246483

Comment From: jzheaux

Good question, @jawherallani. The @Transient annotation prevents authentications from being stored across requests. Given that, the session won't get created since nothing is getting added.

> uses the http session to get the SecurityContext that was just saved

This contradicts the purpose of @Transient. Authentications that use this annotation are not saved.

In case my answer does not suffice, it feels like further investigation would be better suited to Stack Overflow. We prefer to use GitHub issues only for bugs and enhancements. Feel free to update this issue with a link to the re-posted question (so that other people can find it) or add more detail if you feel this is a genuine bug.
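To make the maintainer's point concrete, the following is an added example, not code from this thread or from Spring Security itself. It drives HttpSessionSecurityContextRepository directly with a mock request that already owns a session (the situation in the retried request A) and checks whether SPRING_SECURITY_CONTEXT ends up in that session. It assumes Spring Security 5.7 or later with spring-security-web and spring-test on the classpath. BearerToken, FormLoginToken, isTransient and persistedToSession are names chosen for this example; BearerToken stands in for JwtAuthenticationToken and carries the same @Transient marker, and isTransient is a local re-implementation of the check rather than the repository's own method.

```java
import java.util.List;

import org.springframework.core.annotation.AnnotationUtils;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.Transient;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;

public class TransientAuthenticationDemo {

    // Hypothetical token marked @Transient, the same marker JwtAuthenticationToken carries:
    // the bearer token arrives on every request, so nothing needs to live in the session.
    @Transient
    static class BearerToken extends AbstractAuthenticationToken {
        private final String subject;

        BearerToken(String subject) {
            super(List.of(new SimpleGrantedAuthority("ROLE_USER")));
            this.subject = subject;
            setAuthenticated(true);
        }

        @Override public Object getCredentials() { return null; } // token value not retained
        @Override public Object getPrincipal() { return subject; }
    }

    // Hypothetical session-backed token without the marker (form login style).
    static class FormLoginToken extends AbstractAuthenticationToken {
        private final String username;

        FormLoginToken(String username) {
            super(List.of(new SimpleGrantedAuthority("ROLE_USER")));
            this.username = username;
            setAuthenticated(true);
        }

        @Override public Object getCredentials() { return null; }
        @Override public Object getPrincipal() { return username; }
    }

    // Local re-implementation (assumption) of the repository's check: the marker is
    // looked up on the Authentication's class, so subclasses inherit it.
    static boolean isTransient(Authentication authentication) {
        return AnnotationUtils.findAnnotation(authentication.getClass(), Transient.class) != null;
    }

    // Saves a context for the given authentication into a request that already has a
    // session and reports whether the session now holds SPRING_SECURITY_CONTEXT.
    static boolean persistedToSession(Authentication authentication) {
        MockHttpServletRequest request = new MockHttpServletRequest("GET", "/api/resource");
        MockHttpServletResponse response = new MockHttpServletResponse();
        request.getSession(true); // pre-existing session, as in the reporter's retried request A

        SecurityContext context = SecurityContextHolder.createEmptyContext();
        context.setAuthentication(authentication);

        new HttpSessionSecurityContextRepository().saveContext(context, request, response);

        Object saved = request.getSession(false)
                .getAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY);
        return saved != null;
    }

    public static void main(String[] args) {
        Authentication bearer = new BearerToken("alice");
        Authentication form = new FormLoginToken("alice");

        System.out.println("BearerToken is @Transient:    " + isTransient(bearer));
        System.out.println("BearerToken persisted:        " + persistedToSession(bearer));
        System.out.println("FormLoginToken is @Transient: " + isTransient(form));
        System.out.println("FormLoginToken persisted:     " + persistedToSession(form));
    }
}
```

Run against 5.7 or later, the form-style token is written to the existing session while the @Transient token is not, even though a session is already present; that is the isTransient check the reporter ran into. The practical consequence for a design like the one described above is that a request which carries no bearer token of its own cannot rely on a JwtAuthenticationToken left behind by an earlier request, because the marker exists precisely so that bearer-token authentications never outlive the request that presented the token.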