Possible misconfiguration of SecurityContextRepository

[mbhave]

The default SecurityContextRepository for stateless applications is now RequestAttributeSecurityContextRepository. However, SecurityContextConfigurer sets the SecurityContextRepository to HttpSessionSecurityContextRepository if it isn't already set as a shared object. This results in the context being saved by the RequestAttributeSecurityContextRepository but loaded from HttpSessionSecurityContextRepository for an error dispatch.

[sjohnr]

Changes related to this issue included in 5.8.0-RC1:

• Add DeferredSecurityContext interface
• Add loadDeferredContext(request) in SecurityContextRepository
• Deprecate loadContext(request) in SecurityContextRepository
• Add DelegatingSecurityContextRepository

Related gh-11026