Paul Austin (Migrated from SEC-1695) said:
The HttpSessionSecurityContextRepository class has a constant SPRING_SECURITY_CONTEXT_KEY that defines the session attribute that the security context for the current user is stored in.
If you have two different security:http configurations in the same web application they would both share the same security context, so if they logged in using one configuration then that would be shared by the other configuration.
If the constant was replaced by a springSecurityContextKey field and a setSpringSecurityContextKey then the user would be able to specify a different session attribute for each security configuration.
A further enhancement would be to add a springSecurityContextKey attribute to the security:http, that if present would create a HttpSessionSecurityContextRepository with the session key.
Luke Taylor said:
I've added a springSecurityContextKey property to HttpSessionSecurityContextRepository. I don't want to add this to the namespace since it is not a common requirement and there is already an injection point for the SecurityContextRepository instance.
This also requires a change to the API of SessionDestroyedEvent which assumed there is only a single context in the session. The getSecurityContext() method has been replaced with getSecurityContexts() which returns a List.