Currently it is possible for a user to be authenticated by something like remember-me, which doesn't create a session, and for the response to be committed before the filter chain gets back to the point where the SecurityContextPersistenceFilter (HttpSessionContextIntegrationFilter) attempts to create a session in which to store the context. HttpServletRequest.getSession() will then fail if cookies are being used to maintain the session, as the response headers (including any session cookie) will already have been streamed back to the client.
We should possibly look at providing an additional option in the SessionFixationProtectionFilter which would allow it to create a new session when it detects that authentication has occurred since the start of the request, even if a session doesn't already exist. This would mean the session was already in place before the response was committed and the context could then safely be stored.
The namespace would then have an additional create-session="onAuthentication" option which would transparently provide this feature.
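As an added illustration of the proposed behaviour (this is not Spring Security code and not the implementation that shipped), the filter below sits after the authentication filters and before the servlet. If it finds a non-anonymous Authentication in the SecurityContextHolder that no session could have been loaded from, it treats that as "authenticated since the start of the request": with an existing session it migrates to a fresh one (the usual session fixation protection), and with no session at all it creates one immediately, while the response is still uncommitted, so the session cookie can still reach the client. The session attribute key "SPRING_SECURITY_CONTEXT" and the Spring Security 3.0 package names are assumptions.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

/**
 * Hypothetical filter (not part of Spring Security) showing the proposed
 * create-session="onAuthentication" behaviour. Order it after form-login and
 * remember-me filters and before the servlet, so it runs once authentication
 * may have happened but before anything downstream can commit the response.
 */
public class CreateSessionOnAuthenticationFilter implements Filter {

    /** Key under which the persistence filter stores the context (assumed name). */
    private static final String CONTEXT_KEY = "SPRING_SECURITY_CONTEXT";

    /** Guard so a forwarded/included request does not run the logic twice. */
    private static final String FILTER_APPLIED =
            CreateSessionOnAuthenticationFilter.class.getName() + ".APPLIED";

    /** The proposed option: create a session even when none exists yet. */
    private boolean createSessionOnAuthentication = true;

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (request.getAttribute(FILTER_APPLIED) != null) {
            chain.doFilter(request, response);
            return;
        }
        request.setAttribute(FILTER_APPLIED, Boolean.TRUE);

        if (authenticatedDuringThisRequest(request)) {
            if (request.getSession(false) != null) {
                // User logged in on a pre-existing session: session fixation
                // protection, discard it and continue in a fresh one.
                migrateSession(request);
            } else if (createSessionOnAuthentication) {
                // The case from the issue: authenticated (e.g. by remember-me)
                // but no session. Create it now, before the response is
                // committed, so the Set-Cookie header can still be sent.
                if (response.isCommitted()) {
                    throw new IllegalStateException(
                            "Response already committed; cannot create session");
                }
                request.getSession(true);
            }
        }

        chain.doFilter(request, response);
    }

    /**
     * "Authenticated since the start of the request" means the context holder
     * carries a real (non-anonymous) Authentication, but no session holds a
     * stored context it could have been loaded from.
     */
    private boolean authenticatedDuringThisRequest(HttpServletRequest request) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || auth instanceof AnonymousAuthenticationToken) {
            return false;
        }
        HttpSession session = request.getSession(false);
        return session == null || session.getAttribute(CONTEXT_KEY) == null;
    }

    /** Invalidate the current session and copy its attributes into a new one. */
    private void migrateSession(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        Map<String, Object> attributes = new HashMap<String, Object>();
        Enumeration<?> names = old.getAttributeNames();
        while (names.hasMoreElements()) {
            String name = (String) names.nextElement();
            attributes.put(name, old.getAttribute(name));
        }
        old.invalidate();
        HttpSession fresh = request.getSession(true);
        for (Map.Entry<String, Object> e : attributes.entrySet()) {
            fresh.setAttribute(e.getKey(), e.getValue());
        }
    }

    public void init(FilterConfig filterConfig) { }

    public void destroy() { }
}
```

The isCommitted() check is the practitioner's guard: if some earlier filter has already flushed the response, creating a session at this point would be pointless (the cookie could never be sent), and failing loudly is preferable to silently losing the authenticated context on the next request.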