Spring Security Default use of RequestAttributeSecurityContextRepository instead of NullSecurityContextRepository

Rather than totally ignoring saving the SecurityContext we should place it on the request as a request attribute to ensure that other dispatch types work properly.

Related gh-10918

Comment From: akovalyev

How to use RequestAttributeSecurityContextRepository if it doesn't create SecurityContextHolder.createEmptyContext() because RequestAttributeSecurityContextRepository#loadContext(HttpServletRequest) is called instead of loadContext(HttpRequestResponseHolder); and an exception will be thrown if the SecurityContextHolderFilter calls SecurityContextHolder.setContext(null): "Only non-null SecurityContext instances are allowed"?

Expect loadContext(HttpServletRequest) to return SecurityContextHolder.createEmptyContext() if request.getAttribute() == null

Reproduced at https://github.com/spring-projects/spring-security/releases/tag/5.7.1

Comment From: marcusdacoregio

Hi @akovalyev, I think that your scenario is a bug, I create this ticket to track that.