SEC-1227: Concurrent session management won't work with external filters #1476

Closed
spring-issuemaster opened this Issue Aug 24, 2009 · 1 comment

@spring-issuemaster

Luke Taylor (Migrated from SEC-1227) said:

Since the http namespace now creates an internal AuthenticationManager, an externally-defined authentication filter won't be using this authentication manager and hence won't be subjected to concurrent session controls.

One potential fix is to expose the "web" authentication manager, but this is messy. Ideally concurrent session control support could be addressed in a different way, rather than through the AuthenticationManager, as this already causes problems since it requires that a session is eagerly created in order that a session ID is available for the ConcurrentSessionController to use. It would be better if this could be addressed through the SessionManagementFilter, for example.

@spring-issuemaster

Luke Taylor said:

Superseded.

@spring-issuemaster spring-issuemaster added this to the 3.0.0 RC1 milestone Feb 5, 2016