I've been experiencing some very strange issues with the spring security integration. I suspect its due to synchronization problems either within spring-flex, spring-mvc or tomcat on session handling level.

The issue occurs for the following use case:
1) call ChannelSet.login() with valid user credentials
2) within the callback provided to login(), call a remote object that will return granted authorities and other details for the just logged in user
3) validate the the requested user details were provided through the remote object call

Unfortunately step 3 will fail in most (but not all cases), because SecurityContextHolder.getContext().getAuthentication() will return null as for Authentication. This happens although login was called successfully.

var token:AsyncToken = _channelSet.login(user, password);
token.addResponder(new AsyncResponder(function(result:Object, token:Object):void {
  service.whoami(); <--- SecurityContext.getAuthentication() will still return null at this point
}, function(result:Object, token:Object):void {
  trace("Login failed");
}));
            

I've attached a minimal flex builder project for this case that should allow you to confirm this issue. The libraries are consistent with the latest test-drive project.