Uploaded image for project: 'Spring Security'
  1. Spring Security
  2. SEC-1227

Concurrent session management won't work with external filters

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Won't Fix
    • Affects Version/s: 3.0.0 M2
    • Fix Version/s: 3.0.0 RC1
    • Component/s: Namespace, Web
    • Labels:
      None

      Description

      Since the http namespace now creates an internal AuthenticationManager, an externally-defined authentication filter won't be using this authentication manager and hence won't be subjected to concurrent session controls.

      One potential fix is to expose the "web" authentication manager, but this is messy. Ideally concurrent session control support could be addressed in a different way, rather than through the AuthenticationManager, as this already causes problems since it requires that a session is eagerly created in order that a session ID is available for the ConcurrentSessionController to use. It would be better if this could be addressed through the SessionManagementFilter, for example.

        Issue Links

          Activity

          Hide
          luke Luke Taylor added a comment -

          Superseded.

          Show
          luke Luke Taylor added a comment - Superseded.

            People

            • Assignee:
              luke Luke Taylor
              Reporter:
              luke Luke Taylor
            • Votes:
              0 Vote for this issue
              Watchers:
              0 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: