
Changing authenticated user's granted role and authentication token in spring-security

I'm trying to change auth token in session.

Scenario is:

An anonymous user reaches the main page and an AnonymousAuthenticationToken is saved to the session with ROLE_ANONYMOUS granted authorities. But when he/she wants to create an item, the application forces him/her to log in. After he logs in with his/her OpenID account I'm creating an OpenIDAuthenticationToken with ROLE_USER granted authorities and replacing the stored token with it. He/she can then access with ROLE_USER anywhere that is allowed.

When he wants to log out I'm deleting the token from the context and it's ok.

BUT;

When he/she logs in again, I can observe that the tokens are replaced in the context, but he/she can't access the sections that ROLE_USER is allowed to.

Logs before login:

Current authentication is org.springframework.security.authentication.AnonymousAuthenticationToken@6fabe8e0: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffe9938: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: B1F6870C9FF93DCB50A6FD71302A9090; Granted Authorities: ROLE_ANONYMOUS

Logs after login:

After refreshing authentication: [org.springframework.security.openid.OpenIDAuthenticationToken@c9e3a81c: Principal: Hugo Weaving; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffe9938: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: B1F6870C9FF93DCB50A6FD71302A9090; Granted Authorities: ROLE_USER, attributes : null]

I didn't assign OpenID attributes for now, but I don't think that is the problem.

Here is my web.xml:

    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>

    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
            /WEB-INF/security-context.xml
        </param-value>
    </context-param>
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>

And here is my security.xml:

    <http auto-config="true">
        <intercept-url pattern="/first.jsp" access="ROLE_USER" />
        <intercept-url pattern="/second.jsp" access="ROLE_USER" />
        <openid-login login-page="/index.html"></openid-login>
    </http>

Basically I'm forcing clients that want to access first.jsp and second.jsp to log in with their OpenID accounts.


Finally I solved it. The problem was not in the auth tokens, it was in my workflow. I changed one line of code and it is done.
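As an added example (not code from the question or its answer): the token swap and logout described in the question, written out as a small Spring Security 3.x helper. The class and method names (SessionAuthSwitcher, elevateToUser, logout, hasRoleUser) are assumed; a UsernamePasswordAuthenticationToken is used in place of the question's OpenIDAuthenticationToken because its three-argument constructor is identical across 3.x releases, and the same two calls (build a token with the new authorities, set it on the SecurityContext) apply to any token type. The caller is assumed to have already completed and verified the OpenID login; the helper does no credential checking of its own.

```java
// Added example, not from the question: programmatic role elevation and logout
// in a Spring Security 3.x web app. Assumes the springSecurityFilterChain from
// the question's web.xml is installed, so SecurityContextPersistenceFilter
// wraps every request and writes the SecurityContext back to the session.
import java.util.Collection;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;

public final class SessionAuthSwitcher {

    private SessionAuthSwitcher() {}

    /**
     * Replace the current (e.g. anonymous) token with one carrying ROLE_USER.
     * Call this only after the OpenID login has been verified elsewhere;
     * this method trusts the principal it is handed. (Hypothetical helper.)
     */
    public static Authentication elevateToUser(HttpServletRequest request, String verifiedPrincipal) {
        // Rotate the session id before storing the elevated context. The
        // filter-driven login path does this for you (session fixation
        // protection); a hand-rolled token switch has to do it explicitly.
        HttpSession old = request.getSession(false);
        if (old != null) {
            old.invalidate();
        }
        request.getSession(true);

        Collection<GrantedAuthority> authorities = AuthorityUtils.createAuthorityList("ROLE_USER");
        // Three-argument constructor marks the token as authenticated.
        UsernamePasswordAuthenticationToken token =
            new UsernamePasswordAuthenticationToken(verifiedPrincipal, "N/A", authorities);
        // Same details (remote IP, session id) that appear in the question's log lines.
        token.setDetails(new WebAuthenticationDetailsSource().buildDetails(request));

        // SecurityContextPersistenceFilter saves this context into the new
        // session at the end of the request; no manual session attribute needed.
        SecurityContextHolder.getContext().setAuthentication(token);
        return token;
    }

    /** Log out: empty the thread-local context AND drop the session. (Hypothetical helper.) */
    public static void logout(HttpServletRequest request) {
        SecurityContextHolder.clearContext();
        HttpSession session = request.getSession(false);
        if (session != null) {
            // Invalidating the session is what the <logout/> handler does by
            // default; it guarantees no stale context survives for the next login.
            session.invalidate();
        }
    }

    /** Check a page or controller can run: does the caller hold ROLE_USER right now? */
    public static boolean hasRoleUser() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated()) {
            return false;
        }
        for (GrantedAuthority ga : auth.getAuthorities()) {
            if ("ROLE_USER".equals(ga.getAuthority())) {
                return true;
            }
        }
        return false;
    }
}
```

The point worth checking in a setup like the question's is the order of operations: the token must be set on the SecurityContext during a request that the security filter chain wraps, otherwise nothing writes it to the session, and after logout the session should be invalidated rather than only cleared, so the second login starts from a fresh session and a fresh context.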
