Fix Tomcat compatibility issue where HttpSession unavailable during "logoff". Thanks to Aaron Tang.

core/src/main/java/org/acegisecurity/ui/webapp/HttpSessionIntegrationFilter.java

@@ -92,7 +92,8 @@ public class HttpSessionIntegrationFilter extends AbstractIntegrationFilter {
 
     public void commitToContainer(ServletRequest request,
         Authentication authentication) {
-        if (request instanceof HttpServletRequest) {
+        if (request instanceof HttpServletRequest
+            && ((HttpServletRequest) request).isRequestedSessionIdValid()) {
             HttpSession httpSession = ((HttpServletRequest) request).getSession();
 
             if (httpSession != null) {

core/src/test/java/org/acegisecurity/MockHttpServletRequest.java

@@ -270,7 +270,7 @@ public class MockHttpServletRequest implements HttpServletRequest {
     }
 
     public boolean isRequestedSessionIdValid() {
-        throw new UnsupportedOperationException("mock method not implemented");
+        return true;
     }
 
     public void setScheme(String scheme) {