SEC-2057: ConcurrentSessionFilter is now after SecurityContextPersistenceFilter

Previously, ConcurrentSessionFilter was placed after SecurityContextPersistenceFilter which meant that the SecurityContextHolder was empty when ConcurrentSessionFilter was invoked. This caused the Authentication to be null when performing a logout. It also caused complications with LogoutHandler implementations that would be accessing the SecurityContextHolder and potentially clear it out expecting that SecurityContextPersistenceFilter would then clear the SecurityContextRepository. The ConcurrentSessionFilter is now positioned after the SecurityContextPersistenceFilter to ensure that the SecurityContextHolder is populated and cleared out appropriately.
Showing with 31 additions and 17 deletions.
- +1 −1 config/src/main/java/org/springframework/security/config/http/SecurityFilters.java
- +19 −5 config/src/test/groovy/org/springframework/security/config/http/SessionManagementConfigTests.groovy
- +5 −5 docs/manual/src/docbook/namespace-config.xml
- +6 −6 docs/manual/src/docbook/security-filter-chain.xml