Expected Behavior The Authentication is set on the SecurityContextHolder. Later, if you need to save SecurityContext , SecurityContextRepository#saveContext must be explicitly invoked.See the SecurityContextHolderFilter class.

Current Behavior The Authentication is set on the SecurityContextHolder. Later, the SecurityContextPersistenceFilter saves the SecurityContext to the HttpSession. See the SecurityContextPersistenceFilter class.

link to related pages

Comment From: sjohnr

Thanks @wiketool! Let me know if you are interested in submitting a PR.

Comment From: wiketool

Thanks @wiketool! Let me know if you are interested in submitting a PR.

Thank you @sjohnr ! I feel very proud to become a contributor Spring Security. I have made a pr in #12747.