Luke Taylor (Migrated from SEC-1227) said:
Since the http namespace now creates an internal AuthenticationManager, an externally-defined authentication filter won't be using this authentication manager and hence won't be subjected to concurrent session controls.
One potential fix is to expose the "web" authentication manager, but this is messy. Ideally concurrent session control support could be addressed in a different way, rather than through the AuthenticationManager, as this already causes problems since it requires that a session is eagerly created in order that a session ID is available for the ConcurrentSessionController to use. It would be better if this could be addressed through the SessionManagementFilter, for example.
Luke Taylor said: