diff --git a/web/src/main/java/org/springframework/security/web/session/HttpSessionEventPublisher.java b/web/src/main/java/org/springframework/security/web/session/HttpSessionEventPublisher.java
index 5370da2ffc..fddd54f808 100644
--- a/web/src/main/java/org/springframework/security/web/session/HttpSessionEventPublisher.java
+++ b/web/src/main/java/org/springframework/security/web/session/HttpSessionEventPublisher.java
@@ -49,7 +49,7 @@ public class HttpSessionEventPublisher implements HttpSessionListener {
     //~ Methods ========================================================================================================
 
     ApplicationContext getContext(ServletContext servletContext) {
-        return WebApplicationContextUtils.getWebApplicationContext(servletContext);
+        return WebApplicationContextUtils.getRequiredWebApplicationContext(servletContext);
     }
 
     /**
diff --git a/web/src/test/java/org/springframework/security/web/session/HttpSessionEventPublisherTests.java b/web/src/test/java/org/springframework/security/web/session/HttpSessionEventPublisherTests.java
index ff0a4ae2dc..2509473096 100644
--- a/web/src/test/java/org/springframework/security/web/session/HttpSessionEventPublisherTests.java
+++ b/web/src/test/java/org/springframework/security/web/session/HttpSessionEventPublisherTests.java
@@ -69,4 +69,26 @@ public class HttpSessionEventPublisherTests {
         assertNull(listener.getCreatedEvent());
         assertEquals(session, listener.getDestroyedEvent().getSession());
     }
+
+    // SEC-2599
+    @Test(expected=IllegalStateException.class)
+    public void sessionCreatedNullApplicationContext() {
+        HttpSessionEventPublisher publisher = new HttpSessionEventPublisher();
+        MockServletContext servletContext = new MockServletContext();
+        MockHttpSession session = new MockHttpSession(servletContext);
+        HttpSessionEvent event = new HttpSessionEvent(session);
+
+        publisher.sessionCreated(event);
+    }
+
+    // SEC-2599
+    @Test(expected=IllegalStateException.class)
+    public void sessionDestroyedNullApplicationContext() {
+        HttpSessionEventPublisher publisher = new HttpSessionEventPublisher();
+        MockServletContext servletContext = new MockServletContext();
+        MockHttpSession session = new MockHttpSession(servletContext);
+        HttpSessionEvent event = new HttpSessionEvent(session);
+
+        publisher.sessionDestroyed(event);
+    }
 }