Spring Security / SEC-1143

Using Namespace won't set sessionRegistry for form-login

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.0.4
    • Fix Version/s: 3.0.0 M1
    • Component/s: Namespace
    • Labels:
      None
    • Environment:
      tomcat 6 java 5

      Description

      When using concurrent session control via the namespace, like:
      <security:concurrent-session-control max-sessions="1" expired-url="/login-page.html" session-registry-ref="onlineManager"/>
      where onlineManager is my own sessionRegistry,
      I found that on login it always registers a new session and then removes it. I dug in and found it is in AbstractProcessingFilter.java line 367:
      SessionUtils.startNewSessionIfRequired(request, migrateInvalidatedSessionAttributes, sessionRegistry);
      And AbstractProcessingFilter.java has
      public void setSessionRegistry(SessionRegistry sessionRegistry) { this.sessionRegistry = sessionRegistry; }

      But I can't find any description for form-login in spring-security-2.0.4.xsd.
      I can solve this by just using a bean definition. But this must be an xsd problem or a namespace implementation problem.

        Activity

        lingerer huang added a comment -

        I dug more and found the problem.
        The namespace config code only checks whether a "_sessionRegistry" bean exists, and that bean is created by the namespace config code.
        But if I define the concurrent-session-control using an alternate bean, this code will not work.
        Changing my "onlineManager" bean's name to "_sessionRegistry" and placing the definition before <security:http> solves the problem for now.

        Luke Taylor added a comment -

        Thanks for spotting this. I've updated the FormLoginBeanDefinitionParser to use the isBeanNameInUse() method on the BeanDefinitionRegistry when checking for the availability of the session registry. When the user registers their own session registry, the default bean name is registered as an alias, and the new method picks that up, whereas BeanDefinitionRegistry.containsBeanDefinition() (which was in use before) does not.
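
The difference between the two registry checks described in the comment above, shown as an added example (not code from Spring Security or from this issue). It assumes spring-beans on the classpath; the class name `SessionRegistryAliasCheck` and the `Object.class` placeholder bean type are hypothetical, while the bean names come from the report.

```java
import org.springframework.beans.factory.support.BeanDefinitionRegistry;
import org.springframework.beans.factory.support.DefaultListableBeanFactory;
import org.springframework.beans.factory.support.RootBeanDefinition;

public class SessionRegistryAliasCheck {
    // Default bean name the namespace code looks for, as quoted in the comments above.
    static final String DEFAULT_NAME = "_sessionRegistry";

    /** Check in use before the fix: matches only a bean definition registered under this exact name. */
    static boolean oldCheck(BeanDefinitionRegistry registry) {
        return registry.containsBeanDefinition(DEFAULT_NAME);
    }

    /** Check after the fix: also matches when the name is registered as an alias. */
    static boolean newCheck(BeanDefinitionRegistry registry) {
        return registry.isBeanNameInUse(DEFAULT_NAME);
    }

    public static void main(String[] args) {
        DefaultListableBeanFactory registry = new DefaultListableBeanFactory();

        // Stand-in for the user's own session registry bean ("onlineManager" in the report).
        // Object.class is a placeholder; the real bean would implement SessionRegistry.
        registry.registerBeanDefinition("onlineManager", new RootBeanDefinition(Object.class));

        // Per the comment above, the default name is registered as an alias
        // of the user-supplied bean when session-registry-ref is used.
        registry.registerAlias("onlineManager", DEFAULT_NAME);

        System.out.println("containsBeanDefinition(\"" + DEFAULT_NAME + "\"): " + oldCheck(registry));
        System.out.println("isBeanNameInUse(\"" + DEFAULT_NAME + "\"): " + newCheck(registry));

        // The alias is invisible to the old check, so the form-login filter was
        // never given the registry; the new check sees the alias.
        if (oldCheck(registry) || !newCheck(registry)) {
            throw new IllegalStateException("alias lookup did not behave as described in the issue");
        }
    }
}
```

On affected versions, a quick way to confirm the wiring is to verify that the filter's `sessionRegistry` is the same instance that concurrent session control uses.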


          People

          • Assignee:
            Luke Taylor
            Reporter:
            lingerer huang
          • Votes:
            0
            Watchers:
            0
