This looks like a bug to me in 3.5. As far as I can see, this type of request handling is done by requestParameterAuthenticationFilter in the filter chain. Though there is a replacement provided for every filter class (for example, basic,authentication, user preferences etc) in the new applicationContext-multiTenancy.xml, the replacement bean is not provided for this filter. It is still using the 3.1 class and hence it looks like it is failing. Can someone please look into this and let me know if this bug will be fixed soon. Also, is there a way I can report a bug ? Thanks Shiv