Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Already on GitHub? Sign in to your account

SEC-879: Add BeanPostProcessor to check that SessionRegistry is set on AbstractProcessingFilter etc when using custom ConcurrentSessionController #1134

spring-issuemaster opened this Issue Jun 9, 2008 · 1 comment


None yet
1 participant

Luke Taylor(Migrated from SEC-879) said:

The use of a custom controller means that all the concurrent session beans have to be externally configured and thus the namespace registered beans don’t know about them and have to be explicitly configured too (using traditional bean syntax). A post processor could attempt to resolve the missing references (to the session registry) and set them on the namespace beans (AuthenticationProcessingFilter, SessionFixationProtectionFilter etc)

Luke Taylor said:

I’ve added SessionRegsitryInjectionBeanPostProcessor class, which is registered if the concurrent-session-controller-ref attribute is used with the namespace authentication-manager element.

It checks for a SessionFixationProtectionFilter, OpenID filter or AuthenticationProcessingFilter registeed by the namespace and injects the SessionRegistry into any of these. The registry bean is obtained from the controller if possible, or directly from the bean factory.

@spring-issuemaster spring-issuemaster added this to the 2.0.3 milestone Feb 5, 2016

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment