SEC-1530: Simplify access to SessionRegistry.getAllPrincipals() #1771

spring-issuemaster opened this Issue Aug 4, 2010 · 3 comments


None yet

1 participant


Mark Gorokhov (Migrated from SEC-1530) said:

Multiple steps are required to retrieve collection with all current authenticated users logged into the web application. Unfortunately these steps are not well documented. Trivial task to display all current active users cannot achieved easily.


  • make session-management / concurrency-control attribute not mandatory to collect SessionRegistryImpl.registerNewSession()
  • provide documentation with sample Java code (and required entries in web.xml & applicationContext.xml) how to retrieve collection SessionRegistry.getAllPrincipals()

Luke Taylor said:

SessionRegistry was originally written in order to implement concurrency control and is still a key part of that functionality. The ability to query it for the list of principals logged in is a useful side effect. Since it is possible to use the existing configuration, I don't want to change the namespace to support yet another syntax - all you need to do is set the maximum sessions to -1 to allow unlimited logins. I'll add some information to the docs on session management to point the user in this direction. The configuration required is already covered in documentation.


Luke Taylor said:

Docs added to session management chapter.


Mark Gorokhov said:

  1. Make sure that max-sessions="-1" does not conflict with spring-security-3.x.xsd; currently in 3.0 "-1" is not a valid value.
  2. Please provide example how to access SessionRegistry.
@spring-issuemaster spring-issuemaster added this to the 3.1.0.M1 milestone Feb 5, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment