0

I have object Account:

import java.util.List;

public class Account {
    String name;
    List<Car> cars; // loaded at login; not present after a remember-me login creates a fresh session
}

I populate the cars during the login (in the custom authentication provider) and then save the Account to the session. Then I close the browser. When I open it again, the Account object is alive, but cars is null. What is the correct way to save an object's properties in the same session?

Here is a snippet of my applicationContext-security.xml:

<http use-expressions="true"
      authentication-manager-ref="authenticationManager"
      auto-config="true"
      create-session="ifRequired">
    <intercept-url pattern="/my/**" access="hasAnyRole('ROLE_USER','ROLE_ADMIN')"/>
    <intercept-url pattern="/service/**" access="hasRole('ROLE_ADMIN')"/>
    <form-login
        login-page="/login"
        authentication-failure-handler-ref="simpleUrlAuthenticationFailureHandler"
        username-parameter="j_username"
        password-parameter="j_password"
        default-target-url="/home"
        always-use-default-target="false"/>
    <logout logout-success-url="/logout" invalidate-session="true" delete-cookies="JSESSIONID"/>
    <http-basic />
    <remember-me key="uniqueAndSecret"
        token-validity-seconds="1209600"
        remember-me-cookie="edrive"
        remember-me-parameter="_spring_security_remember_me"
        user-service-ref="localUserService"/>
</http>

and how I save account:

Account account = accountDao.getAccount( name, password );
HttpSession session = httpUtilities.getSession(); // session from the HttpServletRequest
account.setCars(domainUtilities.getAccountCars(account.getId()));
session.setAttribute("account", account);

Spring Security 4.1.3.RELEASE

UPDATE 1: my investigations show that when I log in for the first time, the account object persists in the session:

account core.domain.Account@1b4e3e2

and session also contains:

org.springframework.security.web.csrf.DefaultCsrfToken@48662c93
SPRING_SECURITY_CONTEXT org.springframework.security.core.context.SecurityContextImpl@a2e3a7b0: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@a2e3a7b0: Principal: org.springframework.security.core.userdetails.User@1901e91c: Username: someuser; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@ffff4c9c: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 0B7153F813D8F0B943C34EF19A7271C8; Granted Authorities: ROLE_USER

The next time I start the browser, Tomcat 8 opens a new session with only:

org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository.CSRF_TOKEN org.springframework.security.web.csrf.DefaultCsrfToken@4555644f
SPRING_SECURITY_CONTEXT org.springframework.security.core.context.SecurityContextImpl@5d1c5848: Authentication: org.springframework.security.authentication.RememberMeAuthenticationToken@5d1c5848: Principal: org.springframework.security.core.userdetails.User@1901e91c: Username: someuser; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_USER

And SessionId is null. Why? Is that the reason that account is inaccessible the second time?

Green Root

1 Answer

0

The problem has been solved by adding a special filter into the standard chain (defined in the app's WEB-APP/web.xml). I check that the user is authenticated and account is null, then I reload the necessary data.

Second, the session Id being null was an issue with create-session="ifRequired". I replaced it with "always" and now it works.

Green Root
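One way to write the reload filter the answer describes, as an added example that is not the poster's code: it reuses the Account, accountDao and domainUtilities names from the question and assumes a hypothetical AccountDao.findByName(String) lookup, because after a remember-me login only the authenticated username is available, not the password the original getAccount(name, password) call used. The filter derives the account from the principal in the SecurityContext rather than from anything in the request, so a client cannot choose which account gets loaded into its session.

```java
import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.OncePerRequestFilter;

/**
 * Re-populates the "account" session attribute when Spring Security has
 * authenticated the user (form login or remember-me) but the servlet session
 * is new and therefore no longer carries the Account stored at login time.
 */
public class AccountReloadFilter extends OncePerRequestFilter {

    static final String ACCOUNT_ATTR = "account";

    private final AccountDao accountDao;           // from the question
    private final DomainUtilities domainUtilities; // from the question

    public AccountReloadFilter(AccountDao accountDao, DomainUtilities domainUtilities) {
        this.accountDao = accountDao;
        this.domainUtilities = domainUtilities;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();

        // Only act for a real authenticated principal; the anonymous token
        // also reports isAuthenticated() == true, so it is excluded explicitly.
        if (auth != null && auth.isAuthenticated()
                && !(auth instanceof AnonymousAuthenticationToken)) {
            HttpSession session = request.getSession(true);
            if (session.getAttribute(ACCOUNT_ATTR) == null) {
                // Hypothetical lookup by username: the name comes from the
                // verified SecurityContext, never from a request parameter.
                Account account = accountDao.findByName(auth.getName());
                if (account != null) {
                    account.setCars(domainUtilities.getAccountCars(account.getId()));
                    session.setAttribute(ACCOUNT_ATTR, account);
                }
            }
        }
        chain.doFilter(request, response);
    }
}
```

For the SecurityContext to be populated when this filter runs, it has to sit after the remember-me filter in the chain; with the XML namespace used in the question that is `<custom-filter ref="accountReloadFilter" after="REMEMBER_ME_FILTER"/>` inside the `<http>` element, with accountReloadFilter declared as a bean wired to the DAO and utilities. Because the filter rebuilds the attribute whenever it is missing, the session data survives a remember-me login without relying on create-session="always", which otherwise creates a servlet session for every request, including unauthenticated ones.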