
Guys! I'm using Spring Boot 2 with embedded Tomcat with Redis for distributed sessions. Everything works perfectly - I have distributed sessions and I'm able to do blue-green deployment.

The problem is when I want to track every request for the authenticated users in the Tomcat access log file. When I don't use Redis for the sessions, everything works.

Tomcat is able to write information to the log file which it gets from the session.

server.tomcat.accesslog.pattern=%h %l %{username}s %t "%r" %s %b %T %{User-Agent}i

Where %{username}s is the session parameter whose value will be saved in the log. I add the username in the callback from the Spring session -

public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
                                    Authentication authentication) throws IOException, ServletException {
    String username = merchandiserRepository.findByUsername(authentication.getName()).getUsername();
    request.getSession(true).setAttribute("username", username);
    setUsernameInCookieOnLogin(response, username);
    log.warn("Successfully logged in: {}", username);
    response.sendRedirect("/page/1");
}

When I debugged the request I noticed that HttpSession sess = request.getSession(false); is always null (and there is a hidden exception)

Cannot create a session after the response has been committed

In the file - AbstractAccessLogValve -

protected static class SessionAttributeElement implements AbstractAccessLogValve.AccessLogElement {
    private final String header;

    public SessionAttributeElement(String header) {
        this.header = header;
    }

    public void addElement(CharArrayWriter buf, Date date, Request request, Response response, long time) {
        Object value = null;
        if (null != request) {
            HttpSession sess = request.getSession(false);
            if (null != sess) {
                value = sess.getAttribute(this.header);
            }
        } else {
            value = "??";
        }

        if (value != null) {
            if (value instanceof String) {
                buf.append((String)value);
            } else {
                buf.append(value.toString());
            }
        } else {
            buf.append('-');
        }
    }
}

Which means that I don't have a session object at this time (which is not true). I guess it is related to the order of the Servlet Filters, which are:

2019-07-15 14:49:34.079 DEBUG 17666 --- [nio-8080-exec-2] o.s.s.w.FilterChainProxy                 : /page/1 at position 1 of 12 in additional filter chain; firing Filter: 'WebAsyncManagerIntegrationFilter'
2019-07-15 14:49:34.079 DEBUG 17666 --- [nio-8080-exec-2] o.s.s.w.FilterChainProxy                 : /page/1 at position 2 of 12 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2019-07-15 14:49:34.084 DEBUG 17666 --- [nio-8080-exec-2] o.s.s.w.FilterChainProxy                 : /page/1 at position 3 of 12 in additional filter chain; firing Filter: 'HeaderWriterFilter'
2019-07-15 14:49:34.084 DEBUG 17666 --- [nio-8080-exec-2] o.s.s.w.FilterChainProxy                 : /page/1 at position 4 of 12 in additional filter chain; firing Filter: 'LogoutFilter'
2019-07-15 14:49:34.084 DEBUG 17666 --- [nio-8080-exec-2] o.s.s.w.FilterChainProxy                 : /page/1 at position 5 of 12 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
2019-07-15 14:49:34.084 DEBUG 17666 --- [nio-8080-exec-2] o.s.s.w.FilterChainProxy                 : /page/1 at position 6 of 12 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2019-07-15 14:49:34.084 DEBUG 17666 --- [nio-8080-exec-2] o.s.s.w.FilterChainProxy                 : /page/1 at position 7 of 12 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2019-07-15 14:49:34.084 DEBUG 17666 --- [nio-8080-exec-2] o.s.s.w.FilterChainProxy                 : /page/1 at position 8 of 12 in additional filter chain; firing Filter: 'RememberMeAuthenticationFilter'
2019-07-15 14:49:34.085 DEBUG 17666 --- [nio-8080-exec-2] o.s.s.w.FilterChainProxy                 : /page/1 at position 9 of 12 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2019-07-15 14:49:34.085 DEBUG 17666 --- [nio-8080-exec-2] o.s.s.w.FilterChainProxy                 : /page/1 at position 10 of 12 in additional filter chain; firing Filter: 'SessionManagementFilter'
2019-07-15 14:49:34.085 DEBUG 17666 --- [nio-8080-exec-2] o.s.s.w.FilterChainProxy                 : /page/1 at position 11 of 12 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2019-07-15 14:49:34.085 DEBUG 17666 --- [nio-8080-exec-2] o.s.s.w.FilterChainProxy                 : /page/1 at position 12 of 12 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'

Can someone help with this not easy task?

Best regards

ROZZ
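An added example, not part of the original post: the access log valve runs in Tomcat outside the servlet filter chain and reads Tomcat's own request, so `%{username}s` only sees the container session, not the Redis-backed one that Spring Session exposes through its request wrapper. One way to keep the per-user audit trail is to copy the value into a request attribute and log it with `%{username}r`. The class name `AccessLogUsernameFilter`, the order value and the sanitising rule are assumptions; the order relies on the Spring Boot 2 defaults for the session filter (`Integer.MIN_VALUE + 50`) and the security filter chain (`-100`).

```java
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;

// Hypothetical filter (not from the post), for Spring Boot 2 / javax.servlet.
// Pair it with:
//   server.tomcat.accesslog.pattern=%h %l %{username}r %t "%r" %s %b %T %{User-Agent}i
@Component
// Assumed order: after SessionRepositoryFilter, before the Spring Security chain,
// so that login and rejected requests are covered as well.
@Order(Ordered.HIGHEST_PRECEDENCE + 100)
public class AccessLogUsernameFilter extends OncePerRequestFilter {

    static final String ATTR = "username"; // same key the login handler stores in the session

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        try {
            chain.doFilter(request, response);
        } finally {
            // Here `request` is the Spring Session wrapper, so getSession(false)
            // resolves the Redis-backed session; false never creates a new one.
            HttpSession session = request.getSession(false);
            Object value = (session != null) ? session.getAttribute(ATTR) : null;
            if (value != null) {
                // setAttribute passes through the wrapper to Tomcat's request,
                // which is what the valve reads when it writes the log line.
                request.setAttribute(ATTR, sanitize(value.toString()));
            }
        }
    }

    // Stop a user-controlled value from splitting or forging access-log fields.
    static String sanitize(String raw) {
        String cleaned = raw.replaceAll("[\\p{Cntrl}\\s\"]", "_");
        return cleaned.length() > 64 ? cleaned.substring(0, 64) : cleaned;
    }
}
```

The attribute is set after the chain returns because the login handler stores the username during that same request, and the valve writes its line only once the request has left the filter chain.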