Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Already on GitHub? Sign in to your account

SEC-1227: Concurrent session management won't work with external filters #1476

spring-issuemaster opened this Issue Aug 24, 2009 · 1 comment


None yet
1 participant

Luke Taylor (Migrated from SEC-1227) said:

Since the http namespace now creates an internal AuthenticationManager, an externally-defined authentication filter won't be using this authentication manager and hence won't be subjected to concurrent session controls.

One potential fix is to expose the "web" authentication manager, but this is messy. Ideally concurrent session control support could be addressed in a different way, rather than through the AuthenticationManager, as this already causes problems since it requires that a session is eagerly created in order that a session ID is available for the ConcurrentSessionController to use. It would be better if this could be addressed through the SessionManagementFilter, for example.

Luke Taylor said:


@spring-issuemaster spring-issuemaster added this to the 3.0.0 RC1 milestone Feb 5, 2016

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment