I am receiving an exception from AnonymousProcessingFilter: java.lang.IllegalStateException: Cannot create a session after the response has been committed. After looking at the source code, I found that the filter attempts to create a WebAuthenticationDetails object after the remainder of the filter chain is processed. In my case I have begun writing content to the response from a servlet down the pipeline. The WebAuthenticationDetails object in its constructor attempts to create a new session:
this.sessionId = request.getSession(true).
I believe the bug is here; shouldn't it be doing request.getSession()? Why force the creation of a new session?
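
A lookup-only way to read the session id at both points in the chain, as an added example that is not part of the original post and is not the framework's own code. The class name SessionSafeDetailsFilter and the helper existingSessionId are hypothetical; it assumes the javax.servlet API (Servlet 3.0 or later) on the classpath.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Hypothetical filter for illustration; not AnonymousProcessingFilter. */
public class SessionSafeDetailsFilter implements Filter {

    /** Returns the id of an existing session, or null. Never creates one. */
    static String existingSessionId(HttpServletRequest request) {
        // getSession(false) only looks a session up, so it does not hit the
        // "Cannot create a session after the response has been committed" path.
        HttpSession session = request.getSession(false);
        return (session != null) ? session.getId() : null;
    }

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;

        // Before the chain runs, nothing downstream has written to the response.
        String idBefore = existingSessionId(request);

        chain.doFilter(req, res); // a servlet down the pipeline may commit here

        // After the chain: request.getSession(true) can throw
        // IllegalStateException when the response is committed and no session
        // exists yet. The lookup-only helper is safe in both states.
        String idAfter = existingSessionId(request);
        if (res.isCommitted() && idAfter == null) {
            request.getServletContext().log(
                "response committed, no session present (before=" + idBefore + ")");
        }
    }

    @Override
    public void destroy() { }
}
```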


