Luke Taylor (Migrated from SEC-1528) said:
The current logic in HttpSessionSecurityContextRepository does not set the session attribute if it finds that the current thread-local context matches the value in the session. This works fine in a single JVM. However, in a cluster or cloud environment where requests for the same session may be handled in different JVMs, the changes must be propagated to other nodes and the setAttribute() call is required to achieve this.
Luke Taylor said:
The solution is probably to drop the logic from SEC-1307 which compares Cs and Ct entirely and rely on the specific checks on the context and authentication objects.
Fix implemented as described.
This issue is related to #1552
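The situation described in the comments above, as an added example that is not part of the original issue or of Spring Security's source: two nodes whose session copies are synchronised only through setAttribute() (as with serialising session replication), a save routine that skips the store when the thread-local context is the very object loaded from the session, and a save routine that instead checks whether the context or its authentication changed since load. The class and method names, the String standing in for an Authentication, and the copy-on-replicate session model are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;

/**
 * Added example for SEC-1528; this is not Spring Security's own code.
 * It models two JVMs whose HttpSession copies are only synchronised when
 * setAttribute() is called, and contrasts the two save strategies.
 */
public class ClusteredContextSaveDemo {

    static final String KEY = "SPRING_SECURITY_CONTEXT";

    /** Stand-in for SecurityContextImpl: a mutable holder. The
     *  authentication is modelled as a String (assumption). */
    static final class SecurityContext {
        String authentication;
        SecurityContext(String authentication) { this.authentication = authentication; }
        /** Replication hands peers a copy, as serialisation would. */
        SecurityContext copy() { return new SecurityContext(authentication); }
    }

    /** One JVM with its own copy of the session data. */
    static final class Node {
        final String name;
        final List<Node> peers = new ArrayList<>();
        final Map<String, Object> session = new HashMap<>();

        Node(String name) { this.name = name; }

        Object getAttribute(String key) { return session.get(key); }

        /** Only this call propagates to peers; mutating an attribute value
         *  in place is invisible to the other nodes. */
        void setAttribute(String key, SecurityContext value) {
            session.put(key, value);
            for (Node peer : peers) {
                peer.session.put(key, value.copy());
            }
        }
    }

    /** Pre-fix behaviour: the save is skipped when the thread-local context
     *  is the same object that was loaded from the session. */
    static void saveContextSkippingWhenSameObject(Node node, SecurityContext loaded,
                                                  SecurityContext current) {
        if (current == loaded) {
            return; // looks unchanged from this JVM's point of view
        }
        node.setAttribute(KEY, current);
    }

    /** Post-fix behaviour as modelled here: compare the context and its
     *  authentication with what was seen at load time, so an in-place
     *  authentication change still triggers setAttribute(). */
    static void saveContextIfChanged(Node node, SecurityContext loaded,
                                     String authenticationAtLoad, SecurityContext current) {
        boolean changed = current != loaded
                || !Objects.equals(current.authentication, authenticationAtLoad);
        if (changed) {
            node.setAttribute(KEY, current);
        }
    }

    static String authOn(Node node) {
        SecurityContext ctx = (SecurityContext) node.getAttribute(KEY);
        return ctx == null ? "<none>" : ctx.authentication;
    }

    public static void main(String[] args) {
        Node a = new Node("A");
        Node b = new Node("B");
        a.peers.add(b);
        b.peers.add(a);

        // Login handled on node A: the context is stored and replicated.
        a.setAttribute(KEY, new SecurityContext("alice"));

        // Next request also on node A: the filter loads the context from the
        // session into the thread-local, then the application replaces the
        // authentication inside that same object.
        SecurityContext loaded = (SecurityContext) a.getAttribute(KEY);
        String authenticationAtLoad = loaded.authentication;
        SecurityContext threadLocal = loaded;
        threadLocal.authentication = "alice (re-authenticated)";

        saveContextSkippingWhenSameObject(a, loaded, threadLocal);
        System.out.println("after same-object check: A=" + authOn(a) + " B=" + authOn(b));

        saveContextIfChanged(a, loaded, authenticationAtLoad, threadLocal);
        System.out.println("after changed check:     A=" + authOn(a) + " B=" + authOn(b));
    }
}
```

Running main shows node A holding the updated authentication under both strategies, since its session map references the mutated object, while node B only receives the update once the changed-check save calls setAttribute(). The point to keep in mind when reviewing such logic is that object identity within one JVM says nothing about what other nodes have seen; only the explicit setAttribute() call gives the session manager a chance to replicate.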