
Transient authentication checks since 5.7.x lead to missing authentication in HttpSession attributes

Open jawherallani opened this issue 2 years ago • 0 comments

PR: https://github.com/spring-projects/spring-security/pull/9993

This breaks my app when I switch from 5.6.6 to 5.7, as JwtAuthenticationToken, which has @Transient, is being used.

The regular flow with 5.6.6:

  • Request A (websocket handshake) is fired; there is no HTTP session yet, so it fails and will retry.
  • API request B includes a bearer token in the headers; JwtAuthenticationToken authentication takes place and is then used to attach the SecurityContext to the HTTP session as the SPRING_SECURITY_CONTEXT attribute.
  • Request A, being retried, uses the HTTP session to get the SecurityContext that was just saved and so is authenticated.

This flow now breaks because of the isTransient method.

Is there something wrong with this flow? And why should a @Transient Authentication be prevented from being saved? Any suggestions?

Originally posted by @jawherallani in https://github.com/spring-projects/spring-security/issues/9993#issuecomment-1198246483

jawherallani avatar Aug 03 '22 16:08 jawherallani
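Added example (not code from the issue or from the Spring Security project): a stand-alone check that mirrors the transient-authentication test the session repository applies, so the missing SPRING_SECURITY_CONTEXT attribute can be reproduced outside the app. It assumes `spring-security-oauth2-resource-server` and `spring-security-oauth2-jose` on the classpath, and the helper `wouldBeSavedToSession` is a hypothetical re-statement of the repository's logic, not the framework's own method.

```java
import java.util.List;
import org.springframework.core.annotation.AnnotationUtils;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.Transient;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;

public class TransientAuthenticationCheck {

    // Hypothetical helper mirroring the repository's rule: an Authentication whose
    // class (or a superclass) carries @Transient is never written to the HttpSession.
    static boolean wouldBeSavedToSession(Authentication authentication) {
        boolean isTransient =
            AnnotationUtils.findAnnotation(authentication.getClass(), Transient.class) != null;
        return authentication.isAuthenticated() && !isTransient;
    }

    public static void main(String[] args) {
        // Constructed sample JWT; the builder only needs a header and a claim, no signature check here.
        Jwt jwt = Jwt.withTokenValue("constructed.sample.token")
            .header("alg", "none")
            .claim("sub", "alice")
            .build();
        Authentication bearer = new JwtAuthenticationToken(jwt);

        Authentication formLogin = new UsernamePasswordAuthenticationToken(
            "alice", null, List.of(new SimpleGrantedAuthority("ROLE_USER")));

        // JwtAuthenticationToken inherits @Transient, so request B's context is not persisted,
        // which is why the retried websocket handshake finds no SPRING_SECURITY_CONTEXT attribute.
        System.out.println("bearer token saved to session? " + wouldBeSavedToSession(bearer));
        System.out.println("form login saved to session?   " + wouldBeSavedToSession(formLogin));
    }
}
```

The marker annotation exists precisely because a bearer token is meant to authenticate each request on its own rather than be cached across requests; a second request that needs the identity has to present its own credential.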