I mis-read another piece of guidance and realized that the correct way of handling this is the following:
1) Manually set the Authentication token on SecurityContextHolder
// Declared type must match the constructed type; the three-argument constructor marks the token as authenticated
Authentication authenticationToken = new UsernamePasswordAuthenticationToken( loadUserByUsername(username), password, authorities );
SecurityContextHolder.getContext().setAuthentication(authenticationToken);
2) Do not render a page at this point or use the forward: directive. You must use the redirect: directive.
return "redirect:/accountcreated";
If you render a page, the page will load fine, but the session object will be lost: a new j_session_id will be created but will not make it to the browser mid-request, so the next request will use the old j_session_id, losing the new session object and authentication.
Using the forward: directive will bypass the authentication filters, no good.
But redirect: causes the updated session information to make it to the browser.
He who fights dragons too long becomes a dragon himself; and if you gaze too long into an abyss, the abyss gazes back into you…
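The two steps above, as an added example that is not part of the original post: a Spring MVC controller that creates the account, manually authenticates the new user, stores the security context in the session so the session cookie travels with the redirect, and then returns the redirect: view name. AccountService and its createAccount method are hypothetical placeholders for whatever persists the user; the jakarta.servlet namespace assumes Spring 6 / Spring Security 6 (use javax.servlet on older versions).

```java
import jakarta.servlet.http.HttpServletRequest;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;

@Controller
public class RegistrationController {

    private final UserDetailsService userDetailsService;
    private final AccountService accountService; // hypothetical: persists the new user with a hashed password

    public RegistrationController(UserDetailsService userDetailsService, AccountService accountService) {
        this.userDetailsService = userDetailsService;
        this.accountService = accountService;
    }

    @PostMapping("/register")
    public String register(@RequestParam String username,
                           @RequestParam String password,
                           HttpServletRequest request) {

        accountService.createAccount(username, password); // hypothetical call

        // Step 1: load the freshly created user and build an authenticated token.
        // Credentials are passed as null so the raw password is not retained in the session.
        UserDetails user = userDetailsService.loadUserByUsername(username);
        Authentication auth =
                new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities());

        SecurityContext context = SecurityContextHolder.createEmptyContext();
        context.setAuthentication(auth);
        SecurityContextHolder.setContext(context);

        // Create the session now, so its cookie is sent with the redirect response rather than mid-render.
        // Rotating the session id on login guards against session fixation (Servlet 3.1+).
        request.getSession(true);
        request.changeSessionId();

        // Save the context under the key the HttpSessionSecurityContextRepository reads on the next request.
        // Spring Security 6 no longer saves the context automatically, so this explicit store is required.
        request.getSession().setAttribute(
                HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY, context);

        // Step 2: redirect, never render or forward, so the browser picks up the session cookie.
        return "redirect:/accountcreated";
    }
}
```

On Spring Security 5 the filter chain would usually persist the context at the end of the request on its own, but storing it explicitly is harmless there and removes the dependency on that behaviour.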