SEC-1147: Remove use of SessionRegistryUtils #1395

Closed
spring-issuemaster opened this Issue Apr 30, 2009 · 1 comment


@spring-issuemaster

Luke Taylor (Migrated from SEC-1147) said:

The methods on this class are redundant and inflexible as they are static - the principal from the authentication should just be passed directly to the SessionRegistry, allowing the implementation to interpret it as it wishes. Likewise, the "obtainSessionId..." method should be part of ConcurrentSessionControllerImpl. The error message for a missing authentication "details" object should also be improved.

@spring-issuemaster

Luke Taylor said:

I've removed the class and inlined the methods. This also means that the actual principal object will be used as the key into the map (normally a UserDetails object). This could be useful when accessing the SessionRegistry for other purposes (e.g. in a UI). It also means that in cases where the username in the object is not unique (e.g. because there is an additional "company" field, for example, which differentiates between them) then there will be no danger of users overwriting each other's data (provided equals and hashcode methods are properly implemented).

@spring-issuemaster spring-issuemaster added this to the 3.0.0 M1 milestone Feb 5, 2016
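
The effect of keying session data on the principal object rather than on the username, as an added example that is not part of the original issue or Spring Security's own code. `TenantUser` and `Registry` are hypothetical names; `Registry` is a simplified stand-in for a principal-to-session-ids map, and the session ids are constructed.

```java
import java.util.Collections;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

public class PrincipalKeyDemo {
    // Hypothetical principal: the username is only unique within a company.
    static final class TenantUser {
        final String username, company;
        TenantUser(String username, String company) {
            this.username = username;
            this.company = company;
        }
        // Identity covers both fields, so equal logins map to the same key
        // and same-named users from different companies do not.
        @Override public boolean equals(Object o) {
            if (this == o) return true;
            if (!(o instanceof TenantUser)) return false;
            TenantUser t = (TenantUser) o;
            return username.equals(t.username) && company.equals(t.company);
        }
        @Override public int hashCode() { return Objects.hash(username, company); }
    }

    // Simplified stand-in: maps whatever key it is given to a set of session ids.
    static final class Registry {
        private final Map<Object, Set<String>> sessions = new ConcurrentHashMap<>();
        void register(Object principal, String sessionId) {
            sessions.computeIfAbsent(principal, k -> ConcurrentHashMap.newKeySet()).add(sessionId);
        }
        Set<String> sessionsFor(Object principal) {
            return sessions.getOrDefault(principal, Collections.emptySet());
        }
    }

    public static void main(String[] args) {
        TenantUser a = new TenantUser("jsmith", "acme");
        TenantUser b = new TenantUser("jsmith", "globex");

        Registry byName = new Registry();      // keyed on the username string
        byName.register(a.username, "S1");
        byName.register(b.username, "S2");     // lands in the same entry as a
        System.out.println("by username:  " + byName.sessionsFor("jsmith"));

        Registry byPrincipal = new Registry(); // keyed on the principal object
        byPrincipal.register(a, "S1");
        byPrincipal.register(b, "S2");
        System.out.println("by principal: " + byPrincipal.sessionsFor(a));
        // A new but equal instance (e.g. built at a later login) finds the same entry.
        System.out.println("equal copy:   " + byPrincipal.sessionsFor(new TenantUser("jsmith", "acme")));
    }
}
```

If `equals` and `hashCode` were left at their `Object` defaults, the last lookup would miss the entry, which is why the comment above makes correct implementations a precondition.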