SEC-1850: ConcurrentSessionFilter should be by default injected with the same logout handlers as LogoutFilter when using namespace config #2087

Closed
spring-issuemaster opened this Issue Nov 1, 2011 · 2 comments

@spring-issuemaster

Abdulaziz (Migrated from SEC-1850) said:

I have an app configured to prevent concurrent sessions:


/sec:session-management
Also we are using remember me functionality:

Now, with this config, the logout filter is injected with both SecurityContextLogoutHandler and our TokenBasedRememberMeServices bean, which implements LogoutHandler. This is the expected config and it correctly executes both handlers (where, in this case, the remember-me cookie will be canceled by TokenBasedRememberMeServices).

However, if the user exceeds his max sessions and the ConcurrentSessionFilter logs out the user, it uses the default SecurityContextLogoutHandler, which is declared inside:
private LogoutHandler[] handlers = new LogoutHandler[] {new SecurityContextLogoutHandler()};

I think ConcurrentSessionFilter should be injected with the same logout handlers as LogoutFilter so the user will be properly logged out (i.e. clearing the remember-me cookie, for example).

@spring-issuemaster

Abdulaziz said:

Actually, a similar issue (SEC-299) was fixed a long time ago, and it provided a setter to inject a list of logout handlers. However, when using namespace config, this behavior is not used and only the default SecurityContextLogoutHandler is used.

@spring-issuemaster

Rob Winch said:

This is now fixed in master

@spring-issuemaster spring-issuemaster added this to the 3.1.2 milestone Feb 5, 2016
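
A regression check for the behaviour reported above, added here as an example (not code from the issue or from the Spring Security project): it drives ConcurrentSessionFilter with an expired session and inspects whether the remember-me cookie is cancelled, first with the default handlers and then with handlers injected through the setter mentioned in the second comment. It assumes the Spring Security 3.1.x API, spring-test and JUnit 4 on the classpath; the class name, the principal "alice" and the key are constructed for illustration.

```java
import static org.junit.Assert.*;

import javax.servlet.http.Cookie;
import org.junit.Test;
import org.springframework.mock.web.*;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.core.userdetails.*;
import org.springframework.security.web.authentication.logout.*;
import org.springframework.security.web.authentication.rememberme.*;
import org.springframework.security.web.session.ConcurrentSessionFilter;

// Hypothetical test class, not part of Spring Security.
public class ConcurrentLogoutCookieTest {
    private static final String COOKIE =
        AbstractRememberMeServices.SPRING_SECURITY_REMEMBER_ME_COOKIE_KEY;

    // Sends one request whose session is already marked expired in the registry
    // and returns the remember-me cookie written to the response, if any.
    private Cookie expireAndFilter(LogoutHandler... handlers) throws Exception {
        SessionRegistryImpl registry = new SessionRegistryImpl();
        MockHttpSession session = new MockHttpSession();
        registry.registerNewSession(session.getId(), "alice"); // constructed principal
        registry.getSessionInformation(session.getId()).expireNow();
        ConcurrentSessionFilter filter = new ConcurrentSessionFilter(registry);
        if (handlers.length > 0) filter.setLogoutHandlers(handlers);
        MockHttpServletRequest request = new MockHttpServletRequest();
        request.setSession(session);
        MockHttpServletResponse response = new MockHttpServletResponse();
        filter.doFilter(request, response, new MockFilterChain());
        return response.getCookie(COOKIE);
    }

    @Test // default handlers: session is dropped, cookie is left untouched
    public void defaultHandlersLeaveRememberMeCookie() throws Exception {
        assertNull(expireAndFilter());
    }

    @Test // same handlers as LogoutFilter: cookie is cancelled (Max-Age 0)
    public void injectedHandlersCancelRememberMeCookie() throws Exception {
        UserDetailsService noUsers = new UserDetailsService() {
            public UserDetails loadUserByUsername(String name) {
                throw new UsernameNotFoundException(name);
            }
        };
        Cookie c = expireAndFilter(new SecurityContextLogoutHandler(),
            new TokenBasedRememberMeServices("constructed-key", noUsers));
        assertNotNull(c);
        assertEquals(0, c.getMaxAge());
    }
}
```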