I was wondering why Spring Security creates a new session during the first request when the user is not yet authenticated, and then after a successful authentication it destroys it and creates a new one. I want to disable session creation and allow it only after authentication.

I tried to disable session creation on my JSP login page but it looks like HttpSessionRequestCache would create the session. What is the easiest way to set HttpSessionRequestCache.createSessionAllowed = false? Do I need to define the whole filter chain manually, or is there an easier way?

I use Spring Security 3.1 and in my configuration file I do only the most basic things:

HTML Code:
	<http auto-config="true" use-expressions="true">
		<intercept-url pattern="..." />
		<form-login login-page="/login.login" authentication-failure-url="/error.login" />
		<session-management session-fixation-protection="newSession">
			<concurrency-control error-if-maximum-exceeded="true"
				max-sessions="1" session-registry-alias="sessionRegistry" />
		</session-management>
	</http>

	<authentication-manager alias="authenticationManager">
		<authentication-provider ref="authenticationProvider" />
	</authentication-manager>

	<beans:bean id="authenticationProvider" class="MyAuthenticationProvider">
		<beans:property name="userDetailsService" ref="userDetailsService" />
		<beans:property name="passwordEncoder" ref="passwordEncoder" />
		<beans:property name="..." ref="..." />
	</beans:bean>

	<beans:bean id="userDetailsService" class="MyUserDetailsService">
		<beans:property name="..." ref="..." />
	</beans:bean>
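
One way to set `createSessionAllowed` without defining the filter chain by hand, as an added example that is not part of the original post: the namespace's `<request-cache>` element makes the filter chain use an `HttpSessionRequestCache` bean you configure yourself. The bean id `requestCache` is an assumption; the rest of the `<http>` block is copied from the post.

```xml
<http auto-config="true" use-expressions="true">
	<intercept-url pattern="..." />
	<form-login login-page="/login.login" authentication-failure-url="/error.login" />
	<!-- Added: use the request cache bean below instead of the default one -->
	<request-cache ref="requestCache" />
	<session-management session-fixation-protection="newSession">
		<concurrency-control error-if-maximum-exceeded="true"
			max-sessions="1" session-registry-alias="sessionRegistry" />
	</session-management>
</http>

<!-- "requestCache" is an assumed bean id. With createSessionAllowed=false the
     cache saves the pre-login request only when a session already exists, so
     it no longer creates a session for an anonymous visitor. -->
<beans:bean id="requestCache"
		class="org.springframework.security.web.savedrequest.HttpSessionRequestCache">
	<beans:property name="createSessionAllowed" value="false" />
</beans:bean>
```

With no saved request, a successful login redirects to the form-login default target instead of the originally requested URL. A JSP login page still creates a session when rendered unless it declares `<%@ page session="false" %>`.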