Spring Security issue SEC-1850

ConcurrentSessionFilter should be by default injected with the same logout handlers as LogoutFilter when using namespace config

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 3.0.7
    • Fix Version/s: 3.1.2
    • Component/s: Namespace
    • Labels: None

      Description

      I have an app configured to prevent concurrent sessions:
      <sec:session-management session-fixation-protection="migrateSession">
      <sec:concurrency-control max-sessions="1" expired-url="/sessionExpired.do" session-registry-ref="sessionRegistry"/>
      </sec:session-management>
      Also we are using remember me functionality:
      <sec:remember-me key="someKey" services-ref="rememberMeServices" />

      Now with this config the logout filter is injected with both SecurityContextLogoutHandler and our TokenBasedRememberMeServices bean which implements LogoutHandler. This is the expected config and it correctly executes both handlers (where in this case, the remember-me cookie will be canceled by TokenBasedRememberMeServices).

      However, if the user exceeds his max sessions and the ConcurrentSessionFilter logs the user out, it uses the default SecurityContextLogoutHandler which is declared inside:
      private LogoutHandler[] handlers = new LogoutHandler[] {new SecurityContextLogoutHandler()};

      I think ConcurrentSessionFilter should be injected with the same logout handlers as LogoutFilter so the user will be properly logged out (i.e. clearing the remember-me cookie, for example)...
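The workaround available on the affected 3.0.x releases is to stop relying on the namespace-created ConcurrentSessionFilter and declare the filter as an explicit bean, giving it the same LogoutHandler list that the LogoutFilter gets (the filter's logoutHandlers property, i.e. the setter the SEC-299 comment below refers to). The configuration that follows is an added, constructed example and is not part of this issue or of the Spring Security project; it reuses the sessionRegistry and rememberMeServices bean names and the /sessionExpired.do URL from the report, while the bean ids concurrencyFilter, sas, myAuthFilter, securityContextLogoutHandler and authenticationManager, the in-memory user, and the 3.0 schema versions are assumptions chosen for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: explicit ConcurrentSessionFilter bean wired with the same
     logout handlers as the LogoutFilter. Bean ids below are assumed names. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:sec="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
           http://www.springframework.org/schema/security
           http://www.springframework.org/schema/security/spring-security-3.0.xsd">

  <sec:http>
    <!-- Replace the namespace-created filters for concurrency control and
         form login with our own beans so the filter can be configured. -->
    <sec:custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter"/>
    <sec:custom-filter position="FORM_LOGIN_FILTER" ref="myAuthFilter"/>
    <sec:session-management session-authentication-strategy-ref="sas"/>
    <sec:logout logout-url="/logout" logout-success-url="/"/>
    <!-- Remember-me services (a LogoutHandler) exactly as in the report. -->
    <sec:remember-me key="someKey" services-ref="rememberMeServices"/>
    <sec:intercept-url pattern="/**" access="ROLE_USER"/>
  </sec:http>

  <!-- Registry shared by the filter and the authentication strategy. -->
  <bean id="sessionRegistry"
        class="org.springframework.security.core.session.SessionRegistryImpl"/>

  <!-- Enforces max-sessions="1" for the explicitly declared login filter. -->
  <bean id="sas"
        class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
    <constructor-arg ref="sessionRegistry"/>
    <property name="maximumSessions" value="1"/>
  </bean>

  <bean id="myAuthFilter"
        class="org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter">
    <property name="sessionAuthenticationStrategy" ref="sas"/>
    <property name="authenticationManager" ref="authenticationManager"/>
  </bean>

  <bean id="securityContextLogoutHandler"
        class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"/>

  <!-- The point of the example: the expired-session path now runs the same
       handlers as /logout, so the remember-me cookie is cancelled as well
       instead of only the SecurityContext being cleared. -->
  <bean id="concurrencyFilter"
        class="org.springframework.security.web.session.ConcurrentSessionFilter">
    <property name="sessionRegistry" ref="sessionRegistry"/>
    <property name="expiredUrl" value="/sessionExpired.do"/>
    <property name="logoutHandlers">
      <list>
        <ref bean="securityContextLogoutHandler"/>
        <ref bean="rememberMeServices"/>
      </list>
    </property>
  </bean>

  <!-- Constructed placeholder credentials so the context starts stand-alone. -->
  <sec:authentication-manager alias="authenticationManager">
    <sec:authentication-provider>
      <sec:user-service>
        <sec:user name="user" password="password" authorities="ROLE_USER"/>
      </sec:user-service>
    </sec:authentication-provider>
  </sec:authentication-manager>
</beans>
```

The rememberMeServices bean (the TokenBasedRememberMeServices from the report) is declared elsewhere in the application context and is listed a second time here on purpose: the namespace only adds it to the LogoutFilter, so the ConcurrentSessionFilter needs its own reference. A quick check that the wiring took effect is to log in twice from two browsers and confirm that the first session's remember-me cookie is cleared when it is expired, not just on an explicit /logout.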

        Activity

        Abdulaziz added a comment -

        Actually a similar issue (SEC-299) was fixed a long time ago, and it provided a setter to inject a list of logout handlers. However, when using namespace config, this behavior is not used and only the default SecurityContextLogoutHandler is used...

        Rob Winch added a comment -

        This is now fixed in master


          People

          • Assignee: Rob Winch
          • Reporter: Abdulaziz
          • Votes: 0
          • Watchers: 3


          Time Tracking

          • Original Estimate: 0.5d
          • Remaining Estimate: 0.5d
          • Time Spent: Not Specified