SEC-2574: Default JavaConfig SessionRegistryImpl does not receive SessionDestroyedEvents #2788

Closed
spring-issuemaster opened this issue Apr 23, 2014 · 3 comments

@spring-issuemaster spring-issuemaster commented Apr 23, 2014

John Vasileff (Migrated from SEC-2574) said:

SessionManagementConfigurer creates a default SessionRegistryImpl directly, without wiring it as a Spring bean. So, the SessionRegistryImpl does not receive SessionDestroyedEvents and does not maintain an accurate list of current sessions.

One consequence of this is that concurrency control will work off inaccurate data, and in the worst case prevents users from ever logging in a second time with maximumSessions(1) and maxSessionPreventsLogin(true).

A workaround is for an application to define its own @Bean sessionRegistry(), and use it with "ConcurrencyControlConfigurer.sessionRegistry(sessionRegistry())". But this shouldn't be necessary.
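
The workaround described in the comment above, written out as an added example (not code from the issue or from the Spring Security project), using the Spring Security 3.2-era Java configuration API, where the method is spelled `maxSessionsPreventsLogin`. The class names `SecurityConfig` and `SecurityInitializer` and the authorization rules are assumptions; enabling `HttpSessionEventPublisher` is not mentioned in the issue but is what forwards the servlet container's session-destroyed notifications into the Spring context.

```java
// ---- SecurityConfig.java (hypothetical class name) ----
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    // Declared as a bean so the application context registers it as an
    // ApplicationListener and delivers SessionDestroyedEvents to it.
    // A registry created with "new" inside the configurer never sees them.
    @Bean
    public SessionRegistry sessionRegistry() {
        return new SessionRegistryImpl();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().authenticated()   // placeholder rule (assumption)
                .and()
            .formLogin()
                .and()
            .sessionManagement()
                .maximumSessions(1)
                .maxSessionsPreventsLogin(true)
                // Hand the bean-managed registry to concurrency control.
                .sessionRegistry(sessionRegistry());
    }
}

// ---- SecurityInitializer.java (hypothetical class name) ----
import org.springframework.security.web.context.AbstractSecurityWebApplicationInitializer;

public class SecurityInitializer extends AbstractSecurityWebApplicationInitializer {
    public SecurityInitializer() { super(SecurityConfig.class); }

    // Registers HttpSessionEventPublisher so session expiry and invalidation
    // are published as Spring events that the registry bean can consume.
    @Override
    protected boolean enableHttpSessionEventPublisher() { return true; }
}
```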

@spring-issuemaster spring-issuemaster commented Apr 25, 2014

Rob Winch said:

Scheduled at 4.0.x since there is a simple workaround and because the fix is likely going to require Spring 4+.

@spring-issuemaster spring-issuemaster commented Nov 19, 2014

Rob Winch said:

Thanks for the bug report! The good news is I found a way to fix this in 3.2.x as well. The fix is pushed to master and 3.2.x now.

@spring-issuemaster spring-issuemaster commented Nov 20, 2014

John Vasileff said:

That's great, thanks!
