Artem Anisimov (Migrated from SEC-1353) said:
SessionManagementFilter::doFilter() fails to stop request processing in branch "No security context or authentication present" (at SessionManagementFilter.java:89). More precisely, it does not return after calling redirectStrategy.sendRedirect(), but passes to the next filter.
This causes an error if there are controllers that define methods taking a HttpSession argument, because in this case AnnotationMethodHandlerAdapter attempts to call request.getSession(), which is not permitted after a redirect had been sent.
This issue duplicates #1578