I have a URI that updates the authenticated user's context. When the user calls only this URI it works as expected, but when 2-3 other APIs are called followed by this URI it does not update the context.
This same use case was working when we were on Spring Boot 2.x.x, with which we used Spring Security 5.x.x with Redis. This problem started after we moved to Spring Boot 3.2.x with Spring Security 6.2.3 with Redis.
My security context setting:
http.securityContext((securityContext) -> {
securityContext.securityContextRepository(new HttpSessionSecurityContextRepository());
securityContext.requireExplicitSave(false);
});
import java.util.Collection;

import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;

public void setGlobalFilterConfig(GlobalFilterDto globalFilterDto) {
    SecurityContext context = SecurityContextHolder.getContext();
    Authentication auth = context.getAuthentication();
    LocalUser localUser = (LocalUser) auth.getPrincipal();
    Collection<? extends GrantedAuthority> authorities = localUser.getAuthorities();

    // Mutate the user object held by the current principal
    localUser.getUser().setGlobalFilterDto(globalFilterDto);

    // Re-wrap the mutated principal in a new token and put it into the thread-local context
    Authentication newAuth = new UsernamePasswordAuthenticationToken(localUser,
            auth.getCredentials(),
            authorities);
    context.setAuthentication(newAuth);
}
I tried setting securityContext.requireExplicitSave(true); with this setting I manually updated the context using org.springframework.security.web.context.SecurityContextRepository.saveContext(req,res,auth). I also tried changing FLUSH_MODE from ON_SAVE to IMMEDIATE in @EnableRedisIndexedHttpSession. Neither worked.
Is there any specific change I need to take care of with the updated Spring Security, or is this expected behaviour?
Comment From: marcusdacoregio
Hi @armorcodehemant. Since Spring Security 6.0 you must save the SecurityContext manually by calling the SecurityContextRepository; please see https://docs.spring.io/spring-security/reference/servlet/authentication/session-management.html#requireexplicitsave.
It seems that there are multiple things going on, as you are mentioning both Spring Security and Spring Session APIs. If you really think it is a bug after reading the docs I linked above, can you please provide a minimal, reproducible sample, ideally using only Spring Security, so we can verify the behavior?
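The explicit-save pattern the comment above refers to, as an added example (not code from the issue, the reporter, or the Spring Security project): the filter chain keeps the Spring Security 6 default of requireExplicitSave(true), and the endpoint that changes the principal rebuilds the Authentication, puts it into a fresh context, and calls saveContext on the same SecurityContextRepository bean the filter chain uses. The class names ExplicitSaveSecurityConfig and GlobalFilterController and the path /global-filter are assumptions; LocalUser and GlobalFilterDto are the reporter's own types from the issue and are assumed to have the getUser()/setGlobalFilterDto() accessors shown there.

```java
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.context.SecurityContextHolderStrategy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextRepository;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RestController;

@Configuration
@EnableWebSecurity
class ExplicitSaveSecurityConfig { // assumed name

    // One shared repository bean, so the filter chain and the controller save to the same place
    // (the HttpSession, which Spring Session then backs with Redis).
    @Bean
    SecurityContextRepository securityContextRepository() {
        return new HttpSessionSecurityContextRepository();
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http, SecurityContextRepository repo) throws Exception {
        http
            .securityContext(sc -> sc
                .securityContextRepository(repo)
                // Spring Security 6 default: the context is only persisted when saveContext() is called.
                .requireExplicitSave(true))
            .authorizeHttpRequests(a -> a.anyRequest().authenticated())
            .httpBasic(Customizer.withDefaults());
        return http.build();
    }
}

@RestController
class GlobalFilterController { // assumed name

    private final SecurityContextRepository securityContextRepository;
    private final SecurityContextHolderStrategy holderStrategy =
            SecurityContextHolder.getContextHolderStrategy();

    GlobalFilterController(SecurityContextRepository securityContextRepository) {
        this.securityContextRepository = securityContextRepository;
    }

    @PostMapping("/global-filter") // assumed path
    void setGlobalFilterConfig(@RequestBody GlobalFilterDto dto,
                               HttpServletRequest request, HttpServletResponse response) {
        Authentication current = holderStrategy.getContext().getAuthentication();
        LocalUser localUser = (LocalUser) current.getPrincipal(); // reporter's principal type
        localUser.getUser().setGlobalFilterDto(dto);

        // Re-wrap the updated principal in a new, already-authenticated token.
        Authentication updated = UsernamePasswordAuthenticationToken.authenticated(
                localUser, current.getCredentials(), localUser.getAuthorities());

        // Build a fresh context instead of mutating the one loaded by the filter.
        SecurityContext context = holderStrategy.createEmptyContext();
        context.setAuthentication(updated);
        holderStrategy.setContext(context);

        // The explicit save: without this call the new context lives only in the thread-local
        // holder for this request and is never written to the session.
        securityContextRepository.saveContext(context, request, response);
    }
}
```

The save has to happen inside the request that changed the principal and through the same repository instance the filter chain was configured with; injecting the bean, rather than constructing a second HttpSessionSecurityContextRepository in the controller, is what guarantees that.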
Comment From: armorcodehemant
@marcusdacoregio I am using securityContext.requireExplicitSave(false), so it should set up SecurityContextPersistenceFilter, and if so it should have worked without manually saving the context.
Comment From: marcusdacoregio
Can you please provide a reproducible sample?
Comment From: spring-projects-issues
If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.
Comment From: spring-projects-issues
Closing due to lack of requested feedback. If you would like us to look at this issue, please provide the requested information and we will re-open the issue.