public class SessionCreationForAnonymousUserFilter
See BDEV-2966. Essentially we do not consciously create sessions for anonymous users. This causes REST requests to die (potentially a bug there). This filter is running just before sitemesh, because it used to be sitemesh that would create this session
Logic in 4.4.5: Page Request -> SecurityFilter (null session doesn't die cause auth type != ANY) -> All other crap -> Sitemesh (created session and set jsession id) -> Back to user -> REST request comes in using new jsession id) -> Security Filter
In 5.0 we upgraded sitemesh causing this to session creation to not happen and therefore a null session comes through with the REST request.
This is not the correct fix, but the only one that is the least risky in the 5.0 timeframe. Note that we can not create the session prior to the security filter as this will screw up the login logic.
todo revisit after 5.0