Rob Winch (Migrated from SEC-1769) said:
There are places in the code where HttpSession is still used and cannot be changed using what is provided. An example is the AbstractPreAuthenticatedProcessingFilter which stores the last exception in session. One thought would be to introduce a strategy for saving exceptions similar to how SecurityContextRepository works.
Comment From: rwinch
AbstractPreAuthenticatedProcessingFilter no longer requires the HttpSession