SEC-1143: Using Namespace won't set sessionRegistry for form-login #1391

spring-issuemaster opened this Issue Apr 27, 2009 · 2 comments




lingerer huang (Migrated from SEC-1143) said:

When using concurrent sessions via the namespace, like:
<security:concurrent-session-control max-sessions="1" expired-url="/login-page.html" session-registry-ref="onlineManager"/>
The onlineManager is my own sessionRegistry.
I found that on login it always registers a new session and then removes it. I dug into it and found it is at line 367:
SessionUtils.startNewSessionIfRequired(request, migrateInvalidatedSessionAttributes, sessionRegistry);
And the has
public void setSessionRegistry(SessionRegistry sessionRegistry) {
    this.sessionRegistry = sessionRegistry;
}
But I can't find any description for form-login in spring-security-2.0.4.xsd.
I can solve this by using plain bean definitions. But this must be an XSD problem or a namespace implementation problem.


lingerer huang said:

I dug more and found the problem.
The namespace config code only checks whether a "_sessionRegistry" bean exists, and that bean is created by the namespace config code.
But if I define the concurrent-session-control using an alternate bean, this code will not work.
Changing my "onlineManager" bean's name to "_sessionRegistry" and placing the definition before security:http solves the problem for now.


Luke Taylor said:

Thanks for spotting this. I've updated the FormLoginBeanDefinitionParser to use the isBeanNameInUse() method on the BeanDefinitionRegistry when checking for the availability of the session registry. When the user registers their own session registry, the default bean name is registered as an alias, and the new method picks that up, whereas BeanDefinitionRegistry.containsBeanDefinition() (which was in use before) does not.

@spring-issuemaster spring-issuemaster added this to the 3.0.0 M1 milestone Feb 5, 2016
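The difference between the two registry checks discussed in this thread, as an added example that is not Spring Security's own parser code. It assumes spring-beans on the classpath; the `OnlineManager` class, the `oldCheck`/`newCheck` helpers and the class name are hypothetical stand-ins, and only the bean names `onlineManager` and `_sessionRegistry` come from the thread.

```java
import org.springframework.beans.factory.support.BeanDefinitionRegistry;
import org.springframework.beans.factory.support.DefaultListableBeanFactory;
import org.springframework.beans.factory.support.RootBeanDefinition;

public class SessionRegistryAliasCheck {
    // Default bean name the namespace code looks for (from the thread).
    static final String DEFAULT_NAME = "_sessionRegistry";

    // Hypothetical stand-in for a user-supplied SessionRegistry implementation.
    public static class OnlineManager {}

    // Check described as "in use before": sees bean definitions only, not aliases.
    static boolean oldCheck(BeanDefinitionRegistry registry) {
        return registry.containsBeanDefinition(DEFAULT_NAME);
    }

    // Check described in the fix: true for a definition or an alias.
    static boolean newCheck(BeanDefinitionRegistry registry) {
        return registry.isBeanNameInUse(DEFAULT_NAME);
    }

    public static void main(String[] args) {
        // Case 1: no session registry configured at all; both checks agree.
        DefaultListableBeanFactory empty = new DefaultListableBeanFactory();
        System.out.println("no registry:    old=" + oldCheck(empty)
                + " new=" + newCheck(empty));

        // Case 2: user bean registered under its own name, with the default
        // name attached as an alias (the session-registry-ref situation).
        DefaultListableBeanFactory custom = new DefaultListableBeanFactory();
        custom.registerBeanDefinition("onlineManager",
                new RootBeanDefinition(OnlineManager.class));
        custom.registerAlias("onlineManager", DEFAULT_NAME);
        System.out.println("aliased custom: old=" + oldCheck(custom)
                + " new=" + newCheck(custom));

        // The alias resolves to the user's bean, so a filter wired through
        // the default name shares the same registry instance.
        Object viaAlias = custom.getBean(DEFAULT_NAME);
        Object viaName = custom.getBean("onlineManager");
        System.out.println("same instance:  " + (viaAlias == viaName));
    }
}
```

In the aliased case the old check returns false while the new one returns true, which is why the form-login filter was left without the user's registry and concurrent session control did not see those logins.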