Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Already on GitHub? Sign in to your account

SEC-1143: Using Namespace won't set sessionRegistry for form-login #1391

spring-issuemaster opened this Issue Apr 27, 2009 · 2 comments


None yet
1 participant

lingerer huang (Migrated from SEC-1143) said:

When using concurrent session using namespace like :
<security:concurrent-session-control max-sessions="1" expired-url="/login-page.html" session-registry-ref="onlineManager"/>
the onlineManager is my own sessionRegistry
I found when login it always register a new session and then remove it. I dig it found it is in AbstractProcessingFilter.java line 367:
SessionUtils.startNewSessionIfRequired(request, migrateInvalidatedSessionAttributes, sessionRegistry);
And the AbstractProcessingFilter.java has
public void setSessionRegistry(SessionRegistry sessionRegistry) {
this.sessionRegistry = sessionRegistry;
But I can't find any description for form-login in spring-security-2.0.4.xsd.
I can using just bean define to solve this.But this must bei xsd problem or namespace inplement.

lingerer huang said:

I dig more and found the problem.
The namespace config code only check if there a "_sessionRegistry" bean exist. And the bean is created by namespance config code.
But if I define the concurrent-session-control using a alternate bean. this code will not work then.
I change my "onlneManager" bean's name to "_sessionRegistry" and place the define before security:http will solve the problem for now.

Luke Taylor said:

Thanks for spotting this. I've updated the FormLoginBeanDefinitionParser to use the isBeanNameInuse() method on the BeanDefinitionRegistry when checking for the availability of the session registry. When the user registers their own session registry, the default bean name is registered as an alias and the new method picks that up whereas BeanDefinitionRegistry.containsBeanDefinition() (which was in use before) does not.

@spring-issuemaster spring-issuemaster added this to the 3.0.0 M1 milestone Feb 5, 2016

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment