As a follow-up to this: I ended up just extending DefaultWebSessionManager and overriding the offending methods, to make it simply not check for a session ID parameter. So far this doesn't seem to have any undesired side-effects for me.
- Anonymous POST with DefaultWebSessionManager Rob W
- Re: Anonymous POST with DefaultWebSessionManager Rob W
