I've run into an issue that I'm hoping is simply misconfiguration. I'm using both the AnonymousProcessingFilter and the ConcurrentSessionFilter and I was surprised to see that the anonymous user is not excluded from the concurrency check. So each anonymous user's request invalidates the last anonymous user's request. Oddly, the side effect of this is that the latter user is faced with a login screen on their next request even though they are accessing an URL that has both the anonymous and user role associated with it and which they were accessing without logging in prior to their session being invalidated. I see in the ConcurrentSessionControllerImpl where I could override getMaximumSessionsForThisUser and look for an AnonymousAuthenticationToken (and return -1) but I was thinking there must be something else at issue here.
Here's my filter order (which looks legitimate according to the docs):
I can provide more if needed. I just thought that seemed the most likely culprit.