Describe the bug

After upgrading to Spring Boot 3.0.0-M5, TestingAuthenticationToken and UsernamePasswordAuthenticationToken do not work the same as in Spring Boot 2.7.3.

To Reproduce

  1. Run the sample.
  2. Go to http://127.0.0.1:8080/login; you will see miku on the page.
  3. Go to http://127.0.0.1:8080/who; you will see anonymousUser on the page.

Expected behavior

Step 3: see miku on the page.

Sample

The sample is really simple, just one class.

BTW, if I change the build.gradle file from id 'org.springframework.boot' version '3.0.0-M5' to id 'org.springframework.boot' version '2.7.3', it works as expected.

repo: https://github.com/oldshensheep/shiny-octo-memory

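import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@Configuration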
@RestController
public class Yes {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
                .csrf().disable()
                .authorizeHttpRequests((authz) -> authz
                        .antMatchers("/**").permitAll()
                )
                .formLogin().disable();
        return http.build();
    }

    @GetMapping("/who")
    public String getName() {
        return SecurityContextHolder.getContext().getAuthentication().getName();
    }

    @GetMapping("/login")
    public String login() {
        var context = SecurityContextHolder.createEmptyContext();
        var authentication =
                new TestingAuthenticationToken("miku", "password", "ROLE_USER");
        context.setAuthentication(authentication);

        SecurityContextHolder.setContext(context);
        return SecurityContextHolder.getContext().getAuthentication().getName();
    }
}

Comment From: marcusdacoregio

Hi @oldshensheep, you are probably stepping into one of the default changes in 6.0, see #11762 and https://github.com/spring-projects/spring-security/issues/9635.

In order to achieve the same behavior you can either call your SecurityContextRepository#saveContext method or change your security configuration to:

@Configuration
@RestController
public class Yes {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
                .csrf().disable()
                .authorizeHttpRequests((authz) -> authz
                        .antMatchers("/**").permitAll()
                )
                .securityContext((context) -> context
                        .requireExplicitSave(false)
                )
                .formLogin().disable();
        return http.build();
    }
    // ...
}

I'll go ahead and close this as it is behaving as expected.
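
The other option mentioned in the comment above, calling SecurityContextRepository#saveContext, could look like the following. This is an added example, not code from the issue or from the Spring Security project; the class name ExplicitSaveLogin is hypothetical, and it assumes the filter chain loads the context from the HTTP session, so an HttpSessionSecurityContextRepository is used for the save.

```java
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.TestingAuthenticationToken;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextRepository;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class ExplicitSaveLogin { // hypothetical class name

    // Assumption: the filter chain reads the context back from the HTTP
    // session, so the session-backed repository is the one to save into.
    private final SecurityContextRepository repository =
            new HttpSessionSecurityContextRepository();

    @GetMapping("/login")
    public String login(HttpServletRequest request, HttpServletResponse response) {
        SecurityContext context = SecurityContextHolder.createEmptyContext();
        context.setAuthentication(
                new TestingAuthenticationToken("miku", "password", "ROLE_USER"));
        SecurityContextHolder.setContext(context);

        // A manual login skips the session fixation protection that the
        // built-in login filters apply, so rotate an existing session id here.
        if (request.getSession(false) != null) {
            request.changeSessionId();
        }

        // With requireExplicitSave left at its 6.0 default (true), nothing
        // persists the context unless the application saves it itself.
        repository.saveContext(context, request, response);
        return context.getAuthentication().getName();
    }
}
```

With this in place the security configuration from the original report can stay as it is, and a later request to /who in the same session returns miku.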