SEC-1147: Remove use of SessionRegistryUtils #1395

spring-issuemaster opened this Issue Apr 30, 2009 · 1 comment

Luke Taylor (Migrated from SEC-1147) said:

The methods on this class are redundant and inflexible as they are static - the principal from the authentication should just be passed directly to the SessionRegistry, allowing the implementation to interpret it as it wishes. Likewise, the "obtainSessionId..." method should be part of ConcurrentSessionControllerImpl. The error message for a missing authentication "details" object should also be improved.

Luke Taylor said:

I've removed the class and inlined the methods. This also means that the actual principal object will be used as the key into the map (normally a UserDetails object). This could be useful when accessing the SessionRegistry for other purposes (e.g. in a UI). It also means that in cases where the username in the object is not unique (e.g. because there is an additional "company" field, for example, which differentiates between them) then there will be no danger of users overwriting each other's data (provided equals and hashcode methods are properly implemented).

@spring-issuemaster spring-issuemaster added this to the 3.0.0 M1 milestone Feb 5, 2016
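The effect of keying the registry on the principal object, and why `equals`/`hashCode` matter for concurrent-session counting, shown as an added example that is not Spring Security code. `TenantUser`, `IdentityUser` and the `HashMap`-based registry are hypothetical stand-ins.

```java
import java.util.*;

public class PrincipalKeyDemo {
    // Hypothetical principal whose identity is (username, company).
    static final class TenantUser {
        final String username, company;
        TenantUser(String username, String company) { this.username = username; this.company = company; }
        @Override public boolean equals(Object o) {
            if (!(o instanceof TenantUser)) return false;
            TenantUser u = (TenantUser) o;
            return username.equals(u.username) && company.equals(u.company);
        }
        @Override public int hashCode() { return Objects.hash(username, company); }
    }

    // Same fields, but equals/hashCode are inherited from Object (identity comparison).
    static final class IdentityUser {
        final String username, company;
        IdentityUser(String username, String company) { this.username = username; this.company = company; }
    }

    // Minimal stand-in for a session registry: key -> session ids recorded under that key.
    static final Map<Object, Set<String>> registry = new HashMap<>();

    // Records the session and returns how many sessions the registry now sees for this key.
    static int register(Object key, String sessionId) {
        Set<String> sessions = registry.computeIfAbsent(key, k -> new HashSet<>());
        sessions.add(sessionId);
        return sessions.size();
    }

    public static void main(String[] args) {
        // Case 1: keyed by username only. alice@acme and alice@globex share one entry,
        // so each counts against the other's session limit.
        register("alice", "s1");
        System.out.println("username key, second alice: " + register("alice", "s2"));

        // Case 2: keyed by a principal with value equality. Different companies stay
        // separate, while a second login by the same person is counted correctly.
        registry.clear();
        register(new TenantUser("alice", "acme"), "s1");
        System.out.println("other company: " + register(new TenantUser("alice", "globex"), "s2"));
        System.out.println("same person again: " + register(new TenantUser("alice", "acme"), "s3"));

        // Case 3: principal without equals/hashCode. Every login is a new key, so a
        // per-principal session limit is never reached.
        registry.clear();
        register(new IdentityUser("alice", "acme"), "s1");
        System.out.println("identity key, same person again: " + register(new IdentityUser("alice", "acme"), "s2"));
    }
}
```

When reviewing a custom principal class used with concurrent session control, case 3 is the one to check for: a missing `equals`/`hashCode` pair silently disables the limit rather than raising an error.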