Nick Williams (Migrated from SEC-1372) said:
The documentation for org.springframework.security.core.session.SessionRegistry#getAllSessions(Object, boolean) says "Returns: the matching sessions for this principal (should not return null)." However, the default implementation org.springframework.security.core.session.SessionRegistryImpl#getAllSessions(Object, boolean) returns null if "final Set sessionsUsedByPrincipal = principals.get(principal)" is null.
It should, instead, return an empty list, per the interface specification and per the good coding practice that methods returning lists should never return null, only empty lists when needed.
Luke Taylor said:
Makes sense. We should stick to our own contracts, so I've changed it to return an empty list. In practice the null was checked for in classes which consumed this method, so most users should be unaffected.