答案可能在

The answer could be in the description of the create-session attribute:

• never-Spring Security永远不会创建会话，但如果应用程序创建会话，则会使用一个会话.
• stateless-Spring Security将不会创建会话，并且会忽略该会话以获取Spring身份验证.

• never - Spring Security will never create a session, but will make use of one if the application does.
• stateless - Spring Security will not create a session and ignore the session for obtaining a Spring Authentication.

由于您选择了stateless，因此在忽略表单登录后，auth对象将保留在会话中.尝试never是否按预期工作.

Since you chose stateless the auth object persisted in the session after the form-login is ignored. Try if never works as you expect.