The default SecurityContextRepository for stateless applications is now RequestAttributeSecurityContextRepository. However, SecurityContextConfigurer sets the SecurityContextRepository to HttpSessionSecurityContextRepository if it isn't already set as a shared object. This results in the context being saved by the RequestAttributeSecurityContextRepository but loaded from HttpSessionSecurityContextRepository for an error dispatch.
Comment From: sjohnr
Changes related to this issue included in 5.8.0-RC1:
- Add `DeferredSecurityContext` interface
- Add `loadDeferredContext(request)` in `SecurityContextRepository`
- Deprecate `loadContext(request)` in `SecurityContextRepository`
- Add `DelegatingSecurityContextRepository`
Related gh-11026
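The mismatch described in the issue arises when `SecurityContextConfigurer` finds no `SecurityContextRepository` shared object and falls back to `HttpSessionSecurityContextRepository`. The following configuration is an added example, not code from the issue or from the Spring Security project: it registers one repository explicitly for a stateless chain so the save path and the load path on an error dispatch use the same instance. The class name `StatelessSecurityConfig`, the bean name `apiChain` and the choice of HTTP Basic are assumptions made for illustration.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.context.RequestAttributeSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextRepository;

// Hypothetical configuration class (name is an assumption, not from the issue).
@Configuration
@EnableWebSecurity
public class StatelessSecurityConfig {

    @Bean
    SecurityFilterChain apiChain(HttpSecurity http) throws Exception {
        // One repository instance for both saving and loading. Because it is
        // set explicitly, it becomes the shared object and the configurer has
        // no reason to fall back to HttpSessionSecurityContextRepository.
        SecurityContextRepository repository =
                new RequestAttributeSecurityContextRepository();

        http
            // Register the repository before anything else resolves a default.
            .securityContext(context -> context
                .securityContextRepository(repository))
            // Stateless: no HttpSession is created or consulted for the context.
            .sessionManagement(session -> session
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            // Every request, including the one that ends in an error dispatch,
            // must be authenticated.
            .authorizeHttpRequests(authorize -> authorize
                .anyRequest().authenticated())
            // Assumed authentication mechanism for this example.
            .httpBasic(Customizer.withDefaults());

        return http.build();
    }
}
```

To confirm the behaviour, request a path that triggers an error dispatch with valid credentials and check that the error response is rendered for the authenticated principal rather than as anonymous.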