Just after the authentication gets persisted into the session (see below):
Code:
[org.springframework.security.web.FilterChainProxy] / at position 8 of 10 in additional filter chain; firing Filter: 'SessionManagementFilter'
[org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy] Invalidating session with Id '18046BF49EF7F38BC1159A741417E7B5' and migrating attributes.
[org.springframework.security.web.context.HttpSessionSecurityContextRepository] HttpSession is now null, but was not null at start of request; session was invalidated, so do not create a new session
Then, when the browser sends a new request using the new session ID, a new session is created instead of an existing one (with an authentication in it) being reused:
Code:
[org.springframework.security.web.context.SecurityContextPersistenceFilter] Eagerly created session: 466D3894FEE31BC03D7EEECD02E89DAC
[org.springframework.security.web.context.HttpSessionSecurityContextRepository] HttpSession returned null object for SPRING_SECURITY_CONTEXT
I also have
Code:
<session-management invalid-session-url="/" session-fixation-protection="none" />
in the app context, so I don't understand why the session fixation protection strategy kicks in at all.
The security configuration is:
Code:
<http auto-config='false' entry-point-ref="negotiateSecurityFilterEntryPoint" create-session="always" use-expressions="true">
<intercept-url pattern="/**" access="hasRole('ROLE_USER')"/>
<custom-filter position="BASIC_AUTH_FILTER" ref="filterManager" />
<access-denied-handler error-page="/"/>
<remember-me key="myAppKey" token-validity-seconds="36"/>
<session-management invalid-session-url="/" session-fixation-protection="none" />
<logout logout-success-url="/" delete-cookies="JSESSIONID" invalidate-session="true"/>
</http>
Where filterManager is a custom filter which does the following:
- if an Authentication is already in the session, just call chain.doFilter() and skip the rest
- attempt to authenticate based on request contents; if that doesn't work, add a few WWW-Authenticate headers and send an Unauthorized response, otherwise persist the authentication and fill the response with valid HTML and JavaScript
Persisting the authentication:
Code:
SecurityContextHolder.getContext().setAuthentication(authentication);
The problems I spot are two: the session gets migrated in spite of session-fixation-protection="none", and the logic of session migration decides not to persist the new session.
What am I missing?
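As an added illustration (not the poster's filterManager, and not a diagnosis of the problem above), here is a filter with the behaviour described for filterManager, written against the Spring Security 3.x API. It makes the session-handling step explicit by passing the new authentication to the configured SessionAuthenticationStrategy, as Spring's own AbstractAuthenticationProcessingFilter does, so that whichever strategy <session-management> wired in is the one applied. The class name, extractCredentials(), the challenge values and the bean wiring are assumptions.

```java
// Added sketch, not the poster's filterManager: a filter with the behaviour the post describes.
// Assumptions (placeholders, not from the post): the class name, extractCredentials(),
// the WWW-Authenticate challenge values, and how the two constructor arguments are wired.
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
import org.springframework.web.filter.OncePerRequestFilter;

public abstract class ChallengeAuthFilter extends OncePerRequestFilter {
    private final AuthenticationManager authenticationManager;
    // The strategy bean the <session-management> element creates ("none" -> a null strategy).
    private final SessionAuthenticationStrategy sessionStrategy;

    public ChallengeAuthFilter(AuthenticationManager am, SessionAuthenticationStrategy s) {
        this.authenticationManager = am;
        this.sessionStrategy = s;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        // Step 1: an Authentication already restored into the context means the user is
        // known for this session; an anonymous token does not count.
        Authentication existing = SecurityContextHolder.getContext().getAuthentication();
        if (existing != null && existing.isAuthenticated()
                && !(existing instanceof AnonymousAuthenticationToken)) {
            chain.doFilter(request, response);
            return;
        }
        // Step 2: authenticate from the request; on failure, challenge and stop the chain.
        Authentication authentication;
        try {
            authentication = authenticationManager.authenticate(extractCredentials(request));
        } catch (AuthenticationException ex) {
            response.addHeader("WWW-Authenticate", "Negotiate");          // assumed values
            response.addHeader("WWW-Authenticate", "Basic realm=\"app\"");
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Step 3: apply the configured session strategy here, explicitly, then persist the
        // result; HttpSessionSecurityContextRepository saves it at the end of the request.
        sessionStrategy.onAuthentication(authentication, request, response);
        SecurityContextHolder.getContext().setAuthentication(authentication);
        response.setContentType("text/html");
        response.getWriter().write("<html><body><script>location.replace('/');</script></body></html>");
    }

    // Placeholder: build an unauthenticated token from the request (scheme-specific, not shown).
    protected abstract Authentication extractCredentials(HttpServletRequest request);
}
```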