Luke Taylor (Migrated from SEC-879) said:
The use of a custom controller means that all the concurrent session beans have to be externally configured, and thus the namespace-registered beans don’t know about them and have to be explicitly configured too (using traditional bean syntax). A post processor could attempt to resolve the missing references (to the session registry) and set them on the namespace beans (AuthenticationProcessingFilter, SessionFixationProtectionFilter, etc.).
Luke Taylor said:
I’ve added a SessionRegistryInjectionBeanPostProcessor class, which is registered if the concurrent-session-controller-ref attribute is used with the namespace authentication-manager element.
It checks for a SessionFixationProtectionFilter, OpenID filter or AuthenticationProcessingFilter registered by the namespace and injects the SessionRegistry into any of these. The registry bean is obtained from the controller if possible, or directly from the bean factory.