This time I've got an improvement to Acegi.
So my first question: Is there an issue tracking for Acegi? I couldn't find one on Sourceforge, and JIRA on springframework.org doesn't host Acegi.
So now for the improvement:
I think it is bad behaviour if a servlet filter creates HttpSessions unless it is absolutely neccesary. The enclosed resources may want to decide on their own if they want to create a session, or adapt their behaviour to the existance of a session.
This said, I propose that getSession() in HttpSessionIntegrationFilter.extractFromContainer( ) and AbstractProcessingFilter.successfulAuthentication( ) should be converted to getSession(false). When getting an attribute, it is not important to create the session if the attribute is not present. If there is no session available, so will be no attribute.