Luke Taylor (Migrated from SEC-1424) said:
create-session="stateless" would mean that the application guarantees that no session will be created. In this case, we should be able to use a null RequestCache in the ExceptionTranslationFilter and remove the RequestCacheFilter and SessionManagementFilter from the stack.
This differs from the existing create-session="never" which means that Spring Security will not create a session, but will use an existing one if the application creates it.
Luke Taylor said:
Done. In addition to the above changes, a NullSecurityContextRepository will be used with the SecurityContextPersistenceFilter.