SEC-879: Add BeanPostProcessor to check that SessionRegistry is set on AbstractProcessingFilter etc when using custom ConcurrentSessionController #1134

Closed
spring-issuemaster opened this Issue Jun 9, 2008 · 1 comment

Projects

None yet

1 participant

@spring-issuemaster

Luke Taylor (Migrated from SEC-879) said:

The use of a custom controller means that all the concurrent session beans have to be externally configured and thus the namespace registered beans don’t know about them and have to be explicitly configured too (using traditional bean syntax). A post processor could attempt to resolve the missing references (to the session registry) and set them on the namespace beans (AuthenticationProcessingFilter, SessionFixationProtectionFilter etc)

@spring-issuemaster

Luke Taylor said:

I’ve added SessionRegsitryInjectionBeanPostProcessor class, which is registered if the concurrent-session-controller-ref attribute is used with the namespace authentication-manager element.

It checks for a SessionFixationProtectionFilter, OpenID filter or AuthenticationProcessingFilter registeed by the namespace and injects the SessionRegistry into any of these. The registry bean is obtained from the controller if possible, or directly from the bean factory.

@spring-issuemaster spring-issuemaster added this to the 2.0.3 milestone Feb 5, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment