spring-projects
diff --git a/‎config/src/main/java/org/springframework/security/config/annotation/authentication/builders/AuthenticationManagerBuilder.java
Lines changed: 0 additions & 30 deletions b/‎config/src/main/java/org/springframework/security/config/annotation/authentication/builders/AuthenticationManagerBuilder.java
Lines changed: 0 additions & 30 deletions
diff --git a/‎config/src/main/java/org/springframework/security/config/annotation/authentication/configuration/AuthenticationConfiguration.java
Lines changed: 0 additions & 2 deletions b/‎config/src/main/java/org/springframework/security/config/annotation/authentication/configuration/AuthenticationConfiguration.java
Lines changed: 0 additions & 2 deletions
diff --git a/‎config/src/main/java/org/springframework/security/config/annotation/method/configuration/GlobalMethodSecurityConfiguration.java
Lines changed: 0 additions & 1 deletion b/‎config/src/main/java/org/springframework/security/config/annotation/method/configuration/GlobalMethodSecurityConfiguration.java
Lines changed: 0 additions & 1 deletion
diff --git a/‎config/src/main/java/org/springframework/security/config/annotation/web/configuration/HttpSecurityConfiguration.java
Lines changed: 0 additions & 2 deletions b/‎config/src/main/java/org/springframework/security/config/annotation/web/configuration/HttpSecurityConfiguration.java
Lines changed: 0 additions & 2 deletions
diff --git a/‎config/src/main/java/org/springframework/security/config/annotation/web/configurers/WebAuthnConfigurer.java
Lines changed: 2 additions & 4 deletions b/‎config/src/main/java/org/springframework/security/config/annotation/web/configurers/WebAuthnConfigurer.java
Lines changed: 2 additions & 4 deletions
diff --git a/‎config/src/main/java/org/springframework/security/config/authentication/AuthenticationManagerFactoryBean.java
Lines changed: 0 additions & 6 deletions b/‎config/src/main/java/org/springframework/security/config/authentication/AuthenticationManagerFactoryBean.java
Lines changed: 0 additions & 6 deletions
diff --git a/‎core/src/main/java/org/springframework/security/authentication/AbstractAuthenticationToken.java
Lines changed: 2 additions & 0 deletions b/‎core/src/main/java/org/springframework/security/authentication/AbstractAuthenticationToken.java
Lines changed: 2 additions & 0 deletions
diff --git a/‎core/src/main/java/org/springframework/security/authentication/DelegatingReactiveAuthenticationManager.java
Lines changed: 0 additions & 15 deletions b/‎core/src/main/java/org/springframework/security/authentication/DelegatingReactiveAuthenticationManager.java
Lines changed: 0 additions & 15 deletions
diff --git a/‎core/src/main/java/org/springframework/security/authentication/ProviderManager.java
Lines changed: 3 additions & 30 deletions b/‎core/src/main/java/org/springframework/security/authentication/ProviderManager.java
Lines changed: 3 additions & 30 deletions
diff --git a/‎core/src/test/java/org/springframework/security/authentication/DelegatingReactiveAuthenticationManagerTests.java
Lines changed: 0 additions & 21 deletions b/‎core/src/test/java/org/springframework/security/authentication/DelegatingReactiveAuthenticationManagerTests.java
Lines changed: 0 additions & 21 deletions
@@ -18,14 +18,10 @@
 
 import java.util.ArrayList;
 import java.util.List;
-import java.util.stream.Stream;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
-import org.jspecify.annotations.Nullable;
 
-import org.springframework.beans.factory.BeanFactory;
-import org.springframework.beans.factory.ObjectProvider;
 import org.springframework.security.authentication.AuthenticationEventPublisher;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.AuthenticationProvider;
@@ -41,8 +37,6 @@
 import org.springframework.security.config.annotation.authentication.configurers.userdetails.DaoAuthenticationConfigurer;
 import org.springframework.security.config.annotation.authentication.configurers.userdetails.UserDetailsAwareConfigurer;
 import org.springframework.security.core.Authentication;
-import org.springframework.security.core.context.SecurityContextHolder;
-import org.springframework.security.core.context.SecurityContextHolderStrategy;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.util.Assert;
 
@@ -241,10 +235,6 @@ protected ProviderManager performBuild() throws Exception {
 		if (this.eventPublisher != null) {
 			providerManager.setAuthenticationEventPublisher(this.eventPublisher);
 		}
-		SecurityContextHolderStrategy securityContextHolderStrategy = getBeanProvider(
-				SecurityContextHolderStrategy.class)
-			.getIfUnique(SecurityContextHolder::getContextHolderStrategy);
-		providerManager.setSecurityContextHolderStrategy(securityContextHolderStrategy);
 		providerManager = postProcess(providerManager);
 		return providerManager;
 	}
@@ -293,24 +283,4 @@ public UserDetailsService getDefaultUserDetailsService() {
 		return configurer;
 	}
 
-	private <C> ObjectProvider<C> getBeanProvider(Class<C> clazz) {
-		BeanFactory beanFactory = getSharedObject(BeanFactory.class);
-		return (beanFactory != null) ? beanFactory.getBeanProvider(clazz) : new SingleObjectProvider<>(null);
-	}
-
-	private static final class SingleObjectProvider<O> implements ObjectProvider<O> {
-
-		private final @Nullable O object;
-
-		private SingleObjectProvider(@Nullable O object) {
-			this.object = object;
-		}
-
-		@Override
-		public Stream<O> stream() {
-			return Stream.ofNullable(this.object);
-		}
-
-	}
-
 }
@@ -27,7 +27,6 @@
 
 import org.springframework.aop.framework.ProxyFactoryBean;
 import org.springframework.aop.target.LazyInitTargetSource;
-import org.springframework.beans.factory.BeanFactory;
 import org.springframework.beans.factory.BeanFactoryUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.ApplicationContext;
@@ -84,7 +83,6 @@ public AuthenticationManagerBuilder authenticationManagerBuilder(ObjectPostProce
 		AuthenticationEventPublisher authenticationEventPublisher = getAuthenticationEventPublisher(context);
 		DefaultPasswordEncoderAuthenticationManagerBuilder result = new DefaultPasswordEncoderAuthenticationManagerBuilder(
 				objectPostProcessor, defaultPasswordEncoder);
-		result.setSharedObject(BeanFactory.class, this.applicationContext);
 		if (authenticationEventPublisher != null) {
 			result.authenticationEventPublisher(authenticationEventPublisher);
 		}
 
@@ -318,7 +318,6 @@ protected AuthenticationManager authenticationManager() throws Exception {
 				.postProcess(new DefaultAuthenticationEventPublisher());
 			this.auth = new AuthenticationManagerBuilder(this.objectPostProcessor);
 			this.auth.authenticationEventPublisher(eventPublisher);
-			this.auth.setSharedObject(BeanFactory.class, this.context);
 			configure(this.auth);
 			this.authenticationManager = (this.disableAuthenticationRegistry)
 					? getAuthenticationConfiguration().getAuthenticationManager() : this.auth.build();
 
@@ -21,7 +21,6 @@
 import java.util.List;
 import java.util.Map;
 
-import org.springframework.beans.factory.BeanFactory;
 import org.springframework.beans.factory.ObjectProvider;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.context.ApplicationContext;
@@ -117,7 +116,6 @@ HttpSecurity httpSecurity() throws Exception {
 		LazyPasswordEncoder passwordEncoder = new LazyPasswordEncoder(this.context);
 		AuthenticationManagerBuilder authenticationBuilder = new DefaultPasswordEncoderAuthenticationManagerBuilder(
 				this.objectPostProcessor, passwordEncoder);
-		authenticationBuilder.setSharedObject(BeanFactory.class, this.context);
 		authenticationBuilder.parentAuthenticationManager(authenticationManager());
 		authenticationBuilder.authenticationEventPublisher(getAuthenticationEventPublisher());
 		HttpSecurity http = new HttpSecurity(this.objectPostProcessor, authenticationBuilder, createSharedObjects());
 
@@ -162,10 +162,8 @@ public void configure(H http) throws Exception {
 		WebAuthnRelyingPartyOperations rpOperations = webAuthnRelyingPartyOperations(userEntities, userCredentials);
 		PublicKeyCredentialCreationOptionsRepository creationOptionsRepository = creationOptionsRepository();
 		WebAuthnAuthenticationFilter webAuthnAuthnFilter = new WebAuthnAuthenticationFilter();
-		ProviderManager manager = new ProviderManager(
-				new WebAuthnAuthenticationProvider(rpOperations, userDetailsService));
-		manager.setSecurityContextHolderStrategy(getSecurityContextHolderStrategy());
-		webAuthnAuthnFilter.setAuthenticationManager(manager);
+		webAuthnAuthnFilter.setAuthenticationManager(
+				new ProviderManager(new WebAuthnAuthenticationProvider(rpOperations, userDetailsService)));
 		WebAuthnRegistrationFilter webAuthnRegistrationFilter = new WebAuthnRegistrationFilter(userCredentials,
 				rpOperations);
 		PublicKeyCredentialCreationOptionsFilter creationOptionsFilter = new PublicKeyCredentialCreationOptionsFilter(
 
@@ -30,8 +30,6 @@
 import org.springframework.security.authentication.ProviderManager;
 import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
 import org.springframework.security.config.BeanIds;
-import org.springframework.security.core.context.SecurityContextHolder;
-import org.springframework.security.core.context.SecurityContextHolderStrategy;
 import org.springframework.security.core.userdetails.UserDetailsService;
 import org.springframework.security.crypto.password.PasswordEncoder;
 
@@ -74,10 +72,6 @@ public AuthenticationManager getObject() throws Exception {
 			}
 			provider.afterPropertiesSet();
 			ProviderManager manager = new ProviderManager(Arrays.asList(provider));
-			SecurityContextHolderStrategy securityContextHolderStrategy = this.bf
-				.getBeanProvider(SecurityContextHolderStrategy.class)
-				.getIfUnique(SecurityContextHolder::getContextHolderStrategy);
-			manager.setSecurityContextHolderStrategy(securityContextHolderStrategy);
 			if (this.observationRegistry.isNoop()) {
 				return manager;
 			}
 
@@ -16,6 +16,7 @@
 
 package org.springframework.security.authentication;
 
+import java.io.Serial;
 import java.security.Principal;
 import java.util.ArrayList;
 import java.util.Collection;
@@ -43,6 +44,7 @@
  */
 public abstract class AbstractAuthenticationToken implements Authentication, CredentialsContainer {
 
+	@Serial
 	private static final long serialVersionUID = -3194696462184782834L;
 
 	private final Collection<GrantedAuthority> authorities;
 
@@ -27,7 +27,6 @@
 
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
-import org.springframework.security.core.context.ReactiveSecurityContextHolder;
 import org.springframework.util.Assert;
 
 /**
@@ -58,20 +57,6 @@ public DelegatingReactiveAuthenticationManager(List<ReactiveAuthenticationManage
 
 	@Override
 	public Mono<Authentication> authenticate(Authentication authentication) {
-		return ReactiveSecurityContextHolder.getContext().flatMap((context) -> {
-			Mono<Authentication> result = doAuthenticate(authentication);
-			Authentication current = context.getAuthentication();
-			if (current == null) {
-				return result;
-			}
-			if (!current.isAuthenticated()) {
-				return result;
-			}
-			return doAuthenticate(current).map((r) -> r.toBuilder().apply(current).build());
-		}).switchIfEmpty(doAuthenticate(authentication));
-	}
-
-	private Mono<Authentication> doAuthenticate(Authentication authentication) {
 		Flux<ReactiveAuthenticationManager> result = Flux.fromIterable(this.delegates);
 		Function<ReactiveAuthenticationManager, Mono<Authentication>> logging = (m) -> m.authenticate(authentication)
 			.doOnError(AuthenticationException.class, (ex) -> ex.setAuthenticationRequest(authentication))
 
@@ -33,8 +33,6 @@
 import org.springframework.security.core.AuthenticationException;
 import org.springframework.security.core.CredentialsContainer;
 import org.springframework.security.core.SpringSecurityMessageSource;
-import org.springframework.security.core.context.SecurityContextHolder;
-import org.springframework.security.core.context.SecurityContextHolderStrategy;
 import org.springframework.util.Assert;
 import org.springframework.util.CollectionUtils;
 
@@ -94,9 +92,6 @@ public class ProviderManager implements AuthenticationManager, MessageSourceAwar
 
 	private static final Log logger = LogFactory.getLog(ProviderManager.class);
 
-	private SecurityContextHolderStrategy securityContextHolderStrategy = SecurityContextHolder
-		.getContextHolderStrategy();
-
 	private AuthenticationEventPublisher eventPublisher = new NullEventPublisher();
 
 	private List<AuthenticationProvider> providers = Collections.emptyList();
@@ -187,7 +182,7 @@ public Authentication authenticate(Authentication authentication) throws Authent
 			try {
 				result = provider.authenticate(authentication);
 				if (result != null) {
-					copyDetails(authentication, result);
+					result = copyDetails(authentication, result);
 					break;
 				}
 			}
@@ -214,7 +209,6 @@ public Authentication authenticate(Authentication authentication) throws Authent
 				lastException = ex;
 			}
 		}
-		result = applyPreviousAuthentication(result);
 		if (result == null && this.parent != null) {
 			// Allow the parent to try.
 			try {
@@ -271,20 +265,6 @@ public Authentication authenticate(Authentication authentication) throws Authent
 		throw lastException;
 	}
 
-	private @Nullable Authentication applyPreviousAuthentication(@Nullable Authentication result) {
-		if (result == null) {
-			return null;
-		}
-		Authentication current = this.securityContextHolderStrategy.getContext().getAuthentication();
-		if (current == null) {
-			return result;
-		}
-		if (!current.isAuthenticated()) {
-			return result;
-		}
-		return result.toBuilder().apply(current).build();
-	}
-
 	@SuppressWarnings("deprecation")
 	private void prepareException(AuthenticationException ex, Authentication auth) {
 		ex.setAuthenticationRequest(auth);
@@ -297,21 +277,14 @@ private void prepareException(AuthenticationException ex, Authentication auth) {
 	 * @param source source authentication
 	 * @param dest the destination authentication object
 	 */
-	private void copyDetails(Authentication source, Authentication dest) {
-		if ((dest instanceof AbstractAuthenticationToken token) && (dest.getDetails() == null)) {
-			token.setDetails(source.getDetails());
-		}
+	private Authentication copyDetails(Authentication source, Authentication dest) {
+		return (dest.getDetails() != null) ? dest : dest.toBuilder().details(source.getDetails()).build();
 	}
 
 	public List<AuthenticationProvider> getProviders() {
 		return this.providers;
 	}
 
-	public void setSecurityContextHolderStrategy(SecurityContextHolderStrategy securityContextHolderStrategy) {
-		Assert.notNull(securityContextHolderStrategy, "securityContextHolderStrategy cannot be null");
-		this.securityContextHolderStrategy = securityContextHolderStrategy;
-	}
-
 	@Override
 	public void setMessageSource(MessageSource messageSource) {
 		this.messages = new MessageSourceAccessor(messageSource);
 
@@ -27,13 +27,10 @@
 
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.AuthenticationException;
-import org.springframework.security.core.GrantedAuthority;
-import org.springframework.security.core.context.ReactiveSecurityContextHolder;
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.BDDMockito.given;
-import static org.mockito.Mockito.mock;
 
 /**
  * @author Rob Winch
@@ -121,24 +118,6 @@ void whenAccountStatusExceptionThenAuthenticationRequestIsIncluded() {
 		assertThat(expected.getAuthenticationRequest()).isEqualTo(this.authentication);
 	}
 
-	@Test
-	void authenticateWhenPreviousAuthenticationThenApplies() {
-		Authentication factorOne = new TestingAuthenticationToken("user", "pass", "FACTOR_ONE");
-		Authentication factorTwo = new TestingAuthenticationToken("user", "pass", "FACTOR_TWO");
-		ReactiveAuthenticationManager provider = mock(ReactiveAuthenticationManager.class);
-		given(provider.authenticate(any())).willReturn(Mono.just(factorTwo));
-		ReactiveAuthenticationManager manager = new DelegatingReactiveAuthenticationManager(provider);
-		Authentication request = new TestingAuthenticationToken("user", "password");
-		StepVerifier
-			.create(manager.authenticate(request)
-				.flatMapIterable(Authentication::getAuthorities)
-				.map(GrantedAuthority::getAuthority)
-				.contextWrite(ReactiveSecurityContextHolder.withAuthentication(factorOne)))
-			.expectNext("FACTOR_TWO")
-			.expectNext("FACTOR_ONE")
-			.verifyComplete();
-	}
-
 	private DelegatingReactiveAuthenticationManager managerWithContinueOnError() {
 		DelegatingReactiveAuthenticationManager manager = new DelegatingReactiveAuthenticationManager(this.delegate1,
 				this.delegate2);