I'm building a RESTful service with Spring Security and basic authentication. REST requires services to be stateless, so I set
(default setting, ifRequired, seems buggy for me: the session is created at first request anyway, so it behaves exactly like "always").
This configuration (create-session="never") works properly for me. But when I look at the stack trace, I'm frightened by the number of classes and method calls that Spring Security uses in this case. The HttpSessionContextIntegrationFilter seems to be the main culprit. What is it used for at all, if there is no session ever in this case? The best solution would be to throw away HttpSessionContextIntegrationFilter from the stack when create-session="never". It adds only complexity and processing overhead for completely no purpose.