
SpringSessionRememberMeServices does not use RememberMeAuthenticationToken

Open OrangeDog opened this issue 6 months ago • 0 comments

Describe the bug

If a security context has been created via a "remember me" mechanism rather than fresh credentials, this should be expressed via a RememberMeAuthenticationToken. This is required so that assertions such as fullyAuthenticated() work correctly.

To Reproduce

Spring Boot application with the following config:

```java
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.session.security.web.authentication.SpringSessionRememberMeServices;

@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
    return http.securityMatcher("/**")
        .formLogin(config -> config.permitAll())
        // Spring Session's remember-me services replace the default cookie-based ones
        .rememberMe(config -> config.rememberMeServices(new SpringSessionRememberMeServices()))
        .authorizeHttpRequests(authorize -> authorize
            .requestMatchers("/sensitive").fullyAuthenticated()
            .anyRequest().authenticated()
        ).build();
}
```

  1. Start server and browser
  2. Login to application with "remember me" selected
  3. Visit /sensitive
  4. Restart browser
  5. Visit /sensitive

Expected behavior

Accessing /sensitive should trigger a login flow, as with the default .rememberMe() behaviour.

Additional context

Due to the implementation of just extending the current session, there is no way to tell whether the user has entered their credentials in the current browser session or not.

If "wontfix", then there should at least be a big warning somewhere that this breaks fullyAuthenticated().

OrangeDog, Jul 16 '25 13:07
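The following is an added example written for this page, not code from spring-session, Spring Security or the issue author. It shows why the report's assertion matters: Spring Security's `fullyAuthenticated()` rule (the `AuthenticatedAuthorizationManager` strategy, reproduced here via `AuthenticationTrustResolverImpl`) classifies a context as "remember-me" purely by the token's type, so a context restored by extending an existing session, which still holds the original `UsernamePasswordAuthenticationToken`, is indistinguishable from a fresh login. It assumes Spring Security 6.x on the classpath; the class name `FullyAuthenticatedDemo`, the user "alice" and the key "demo-key" are made up, and case 3 models the behaviour the issue describes rather than calling `SpringSessionRememberMeServices` itself.

```java
import java.util.List;

import org.springframework.security.authentication.AuthenticationTrustResolver;
import org.springframework.security.authentication.AuthenticationTrustResolverImpl;
import org.springframework.security.authentication.RememberMeAuthenticationToken;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;

// Example class written for this page; not part of spring-session or Spring Security.
public class FullyAuthenticatedDemo {

    private static final AuthenticationTrustResolver TRUST_RESOLVER = new AuthenticationTrustResolverImpl();

    // Same rule AuthenticatedAuthorizationManager.fullyAuthenticated() applies:
    // the token must be authenticated and must be neither anonymous nor remember-me.
    // The trust resolver decides "remember-me" purely by token type
    // (RememberMeAuthenticationToken), not by how the session was obtained.
    static boolean isFullyAuthenticated(Authentication auth) {
        return auth != null
                && auth.isAuthenticated()
                && !TRUST_RESOLVER.isAnonymous(auth)
                && !TRUST_RESOLVER.isRememberMe(auth);
    }

    public static void main(String[] args) {
        List<GrantedAuthority> authorities = List.of(new SimpleGrantedAuthority("ROLE_USER"));

        // 1. Token stored in the session by form login with fresh credentials.
        Authentication formLogin =
                UsernamePasswordAuthenticationToken.authenticated("alice", null, authorities);

        // 2. Token the default cookie-based remember-me services create on auto-login.
        //    "demo-key" is a made-up remember-me key for this example.
        Authentication cookieRememberMe =
                new RememberMeAuthenticationToken("demo-key", "alice", authorities);

        // 3. Model of the browser-restart case with SpringSessionRememberMeServices as the
        //    issue describes it: the existing session is simply extended, so the
        //    SecurityContext still holds the unchanged form-login token from (1).
        Authentication sessionRememberMe = formLogin;

        System.out.println("form login              -> fullyAuthenticated=" + isFullyAuthenticated(formLogin));
        System.out.println("cookie remember-me      -> fullyAuthenticated=" + isFullyAuthenticated(cookieRememberMe));
        System.out.println("extended-session re-use -> fullyAuthenticated=" + isFullyAuthenticated(sessionRememberMe));
    }
}
```

Case 2 is the one `fullyAuthenticated()` is designed to reject; case 3 passes the same check because nothing in the restored context records that the credentials were not re-entered, which is the gap the report asks to have closed or documented.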