Fix the problem of logging in successfully even if request not permitted

[JohnNiang]

What type of PR is this?

/kind bug
/area core

What this PR does / why we need it:

This is a bug introduced from #4062. I have overridden onAuthenticationSuccess to create rate limiter in advance instead of invoking securityContextRepository#save before.

See #4099 (comment) for more.

Special notes for your reviewer:

1. Try to log in with incorrect password three times
2. Log in with correct password and check if the response headers contain Set-Cookie

Does this PR introduce a user-facing change?

None

[codecov]

Codecov Report

Merging #4101 (c5ef019) into main (2fd9cbd) will increase coverage by 0.00%.
The diff coverage is 55.55%.

@@            Coverage Diff            @@
##               main    #4101   +/-   ##
=========================================
  Coverage     60.22%   60.23%           
  Complexity     2385     2385           
=========================================
  Files           357      357           
  Lines         12392    12397    +5     
  Branches        892      892           
=========================================
+ Hits           7463     7467    +4     
- Misses         4492     4493    +1     
  Partials        437      437           

Impacted Files	Coverage Δ
...ntication/login/UsernamePasswordAuthenticator.java	37.89% <55.55%> (+2.33%)	⬆️

[guqing]

nice work🎉

/approve

[ruibaby]

/lgtm

[f2c-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: guqing, ruibaby

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [guqing,ruibaby]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment