Spring Security
  1. Spring Security
  2. SEC-1227

Concurrent session management won't work with external filters

    Details

    • Type: Bug Bug
    • Status: Closed
    • Priority: Major Major
    • Resolution: Won't Fix
    • Affects Version/s: 3.0.0 M2
    • Fix Version/s: 3.0.0 RC1
    • Component/s: Namespace, Web
    • Labels:
      None

      Description

      Since the http namespace now creates an internal AuthenticationManager, an externally-defined authentication filter won't be using this authentication manager and hence won't be subjected to concurrent session controls.

      One potential fix is to expose the "web" authentication manager, but this is messy. Ideally concurrent session control support could be addressed in a different way, rather than through the AuthenticationManager, as this already causes problems since it requires that a session is eagerly created in order that a session ID is available for the ConcurrentSessionController to use. It would be better if this could be addressed through the SessionManagementFilter, for example.

        Issue Links

          Activity

          Hide
          Luke Taylor added a comment -

          Superseded.

          Show
          Luke Taylor added a comment - Superseded.

            People

            • Assignee:
              Luke Taylor
              Reporter:
              Luke Taylor
            • Votes:
              0 Vote for this issue
              Watchers:
              0 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: