Hi, I have configured 2 tcServers (Server4, Server5 jvmRoute names) with the GemFire HTTP session module, both listening to the same GemFire locator service and having the same region name - gemfire_modules_sessions and region attribute id.
I have also configured vFabric Web Server with an HTTP balancer as a front end for HTTP requests, without enabling session stickiness, as given below; I could not achieve non-session affinity:
<Proxy balancer://tpa-balancer>
    BalancerMember http://localhost:8087 route=Server4 loadfactor=1
    BalancerMember http://localhost:8088 route=Server5 loadfactor=1
    ProxySet lbmethod=bybusyness scolonpathdelim=On
</Proxy>
ProxyPass /insurance balancer://tpa-balancer/insurance
ProxyPassReverse /insurance http://localhost:8087/insurance
ProxyPassReverse /insurance http://localhost:8088/insurance
I use Spring Security 3.0 for authentication, and the flow of web pages is as given below:
The login page is "login.htm"; when submitted, it uses "/j_spring_security_check", and after successful authentication the application redirects to "/home.htm".
Initially, when the user hits "login.htm", the anonymousUser session has id: 6B21CB15838B2AC1E46F66C0CC7272BE.Server5. When the form is submitted with /j_spring_security_check, the same session id is used, and after authentication HttpSessionSecurityContextRepository stores the SecurityContext in the HttpSession as given below:
[09/12/2012-02:00:14][DEBUG][HttpSessionSecurityContextRepository]SecurityContext stored to HttpSession:
'org.springframework.security.core.context.SecurityContextImpl@b70b1ef5:
Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@b70b1ef5:
Principal: com.csc.ace.insurance.security.vo.UserProfile@e26fa325: Username: manipvl@xxx.com;
Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked:
true;
Granted Authorities: ADMINISTRATOR,CREATE_CUSTOMER,CREATE_USER_ACCT,DELETE_CUSTOMER,DELETE_USER_ACCT,
MODIFY_CUSTOMER, MODIFY_USER_ACCT,VIEW_CLAIMS,VIEW_CUSTOMER,VIEW_PAYMENTS,VIEW_POLICIES;
Credentials: [PROTECTED];
Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@255f8:
RemoteIpAddress: 127.0.0.1; SessionId: 6B21CB15838B2AC1E46F66C0CC7272BE.Server5;
Granted Authorities: ADMINISTRATOR, CREATE_CUSTOMER, CREATE_USER_ACCT, DELETE_CUSTOMER, DELETE_USER_ACCT,
MODIFY_CUSTOMER, MODIFY_USER_ACCT, VIEW_CLAIMS, VIEW_CUSTOMER, VIEW_PAYMENTS, VIEW_POLICIES'
When redirecting to /home.htm, it shows HttpSessionSecurityContextRepository: HttpSession returned null object for SPRING_SECURITY_CONTEXT.
com.gemstone.gemfire.modules.session.catalina.DeltaSessionFacade creates a new session with session id: 6B21CB15838B2AC1E46F66C0CC7272BE.Server4; ideally redirection to home page is going to a different server. I have attached the full log file.
I was of the opinion that session affinity is not needed when the GemFire Session module is used with no local cache, and I could see that the B21CB15838B2AC1E46F66C0CC7272BE.Server5 entry is created in region gemfire_modules_sessions.
So why is it that HttpSessionSecurityContextRepository could not get the session object from the GemFire region using the id: 6B21CB15838B2AC1E46F66C0CC7272BE.Server5, and it directs GemFire's DeltaSessionFacade to create a new session?
[09/12/2012-02:00:14][DEBUG][FilterChainProxy]Converted URL to lowercase, from: '/home.htm'; to: '/home.htm'
[09/12/2012-02:00:14][DEBUG][FilterChainProxy]Candidate is: '/home.htm'; pattern is /**; matched=true
[09/12/2012-02:00:14][DEBUG][FilterChainProxy]/home.htm at position 1 of 7 in additional filter chain;
firing Filter: 'SecurityContextPersistenceFilter'
[09/12/2012-02:00:14][DEBUG][HttpSessionSecurityContextRepository]No SecurityContext was available from the
HttpSession: com.gemstone.gemfire.modules.session.catalina.DeltaSessionFacade@5cca548b.
A new one will be created.
[09/12/2012-02:00:14][DEBUG][FilterChainProxy]/home.htm at position 2 of 7 in additional filter chain;
firing Filter: 'UsernamePasswordAuthenticationFilter'
[09/12/2012-02:00:14][DEBUG][FilterChainProxy]/home.htm at position 3 of 7 in additional filter chain;
firing Filter: 'AnonymousAuthenticationFilter'
[09/12/2012-02:00:14][DEBUG][AnonymousAuthenticationFilter]
Populated SecurityContextHolder with anonymous token:
'org.springframework.security.authentication.AnonymousAuthenticationToken@9054b1a2:
Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true;
Details: org.springframework.security.web.authentication.WebAuthenticationDetails@1c07a:
RemoteIpAddress: 127.0.0.1; SessionId: 6B21CB15838B2AC1E46F66C0CC7272BE.Server4;
Granted Authorities: ROLE_ANONYMOUS'
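
A diagnostic for the symptom described above, as an added example that is not part of the original post: this Python check scans Spring Security debug output for a session ID that appears under more than one jvmRoute suffix and reports whether an authenticated principal was followed by anonymousUser. The sample lines are constructed from the log excerpts in the post; the function names and the shape of the findings are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample, condensed from the log excerpts in the post.
SAMPLE_LOG = """\
[09/12/2012-02:00:14][DEBUG][HttpSessionSecurityContextRepository]SecurityContext stored to HttpSession:
Principal: com.csc.ace.insurance.security.vo.UserProfile@e26fa325: Username: manipvl@xxx.com;
RemoteIpAddress: 127.0.0.1; SessionId: 6B21CB15838B2AC1E46F66C0CC7272BE.Server5;
[09/12/2012-02:00:14][DEBUG][AnonymousAuthenticationFilter]
Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true;
RemoteIpAddress: 127.0.0.1; SessionId: 6B21CB15838B2AC1E46F66C0CC7272BE.Server4;
"""

ANON = "anonymousUser"
PRINCIPAL_RE = re.compile(r"Principal:\s*([^;\s]+)")
# Session IDs in these logs are "<hex id>.<jvmRoute>".
SESSION_RE = re.compile(r"SessionId:\s*([0-9A-Fa-f]+)\.(\w+)")

def session_events(log_text):
    """Yield (base_id, route, principal) per SessionId, paired with the
    most recent Principal seen before it in the log."""
    principal = None
    for line in log_text.splitlines():
        m = PRINCIPAL_RE.search(line)
        if m:
            principal = m.group(1).rstrip(":")
        m = SESSION_RE.search(line)
        if m:
            yield m.group(1), m.group(2), principal
            principal = None

def find_route_changes(log_text):
    """Report session IDs observed under more than one jvmRoute."""
    seen = defaultdict(list)
    for base_id, route, principal in session_events(log_text):
        seen[base_id].append((route, principal))
    findings = []
    for base_id, events in seen.items():
        routes = list(dict.fromkeys(route for route, _ in events))
        if len(routes) < 2:
            continue  # every request for this ID hit the same node
        anon_at = next((i for i, (_, p) in enumerate(events) if p == ANON), None)
        auth_lost = anon_at is not None and any(
            p not in (None, ANON) for _, p in events[:anon_at])
        findings.append({"session": base_id, "routes": routes, "auth_lost": auth_lost})
    return findings

if __name__ == "__main__":
    for finding in find_route_changes(SAMPLE_LOG):
        print(finding)
```
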