Spring Security / SEC-2011

SessionFixationProtectionStrategy Javadoc states to inject SessionRegistry but does not contain that field

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 3.1.0
    • Fix Version/s: 3.1.2
    • Component/s: Docs and Website
    • Labels:
      None

      Description

      The SessionFixationProtectionStrategy Javadoc says:

      If concurrent session control is in use, then a SessionRegistry must be injected. 
      

      However, this feature is offered by the subclass ConcurrentSessionControlStrategy. Another reference to the session registry is in the org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy.onAuthentication(Authentication, HttpServletRequest, HttpServletResponse) Javadoc:

      The sessionRegistry will be updated with the new session information.
      

      Once again, this is done by the org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy.onAuthentication(Authentication, HttpServletRequest, HttpServletResponse) instead.

        Activity

        Rob Winch added a comment -

        Thank you for submitting this issue. It has been fixed in master.

        Mauro Molinari added a comment -

        Thank you Rob, however please note that a reference to the session registry is still on the SessionFixationProtectionStrategy.onAuthentication(Authentication, HttpServletRequest, HttpServletResponse) method Javadoc.

        Rob Winch added a comment -

        I clearly missed that portion of the JIRA...thanks for keeping me honest. I have moved the SessionFixationProtectionStrategy.onAuthentication reference of SessionRegistry to ConcurrentSessionControlStrategy.onAuthentication. Thanks again.


          People

          • Assignee:
            Rob Winch
            Reporter:
            Mauro Molinari
          • Votes:
            0
            Watchers:
            2

              Time Tracking

              Estimated: 1h
              Remaining: 1h
              Logged: Not Specified