I'm using Hazelcast to store user sessions. Requests pass through the SessionRepositoryFilter, but if there's an error then the request is forwarded to /error. The forwarded request does not pass through that filter, so tomcat creates a new session with a new ID (not a UUID like the Hazelcast session ID), and responds with a set-cookie header telling the client to change their session ID to this new, wrong one. When the client makes its next request, Hazelcast does not recognise the tomcat session ID and so responds 401 unauthorized.
Spring's AbstractFilterRegistrationBean#determineDispatcherTypes method decides that SessionRepositoryFilter should not be applied to forwarded requests because it is not an instance of org.springframework.web.filter.OncePerRequestFilter. It is instead an instance of org.springframework.session.web.http.OncePerRequestFilter. I think that might be a bug - they should both filter on all dispatch types.
How can I edit the dispatcherMapping of the SessionRepositoryFilter FilterMap to 31, i.e. filter all requests?
It turns out that our application was excluding SessionAutoConfiguration. If I remove that exclusion, then it imports SessionRepositoryFilterConfiguration, which sets the dispatch types.
If for some reason you wanted to exclude SessionAutoConfiguration, you could instead make your @EnableHazelcastHttpSession class extend AbstractHttpSessionApplicationInitializer. That would also set the dispatch types for you.