Closed
Description
The default SecurityContextRepository for stateless applications is now RequestAttributeSecurityContextRepository. However, SecurityContextConfigurer sets the SecurityContextRepository to HttpSessionSecurityContextRepository if it isn't already set as a shared object. This results in the context being saved by the RequestAttributeSecurityContextRepository but loaded from HttpSessionSecurityContextRepository for an error dispatch.