SEC-2574: Default JavaConfig SessionRegistryImpl does not receive SessionDestroyedEvents #2788
SessionManagementConfigurer creates a default SessionRegistryImpl directly, without wiring it as a Spring bean. So, the SessionRegistryImpl does not receive SessionDestroyedEvents and does not maintain an accurate list of current sessions.
One consequence of this is that concurrency control will work off inaccurate data, and in the worst case prevents users from ever logging in a second time with maximumSessions(1) and maxSessionPreventsLogin(true).
A workaround is for an application to define its own @Bean sessionRegistry(), and use it with "ConcurrencyControlConfigurer.sessionRegistry(sessionRegistry())". But this shouldn't be necessary.
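The workaround described in the issue, written out as an added example (it is not code from the issue or from the Spring Security project). It assumes Spring Security Java config with WebSecurityConfigurerAdapter, a form-login application, and that the HttpSessionEventPublisher bean is actually registered as a servlet listener (Spring Boot does this for ServletContextListener beans; a plain WebApplicationInitializer must add it to the ServletContext itself). The configuration class name and the request rules are illustrative choices.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.session.HttpSessionEventPublisher;

@Configuration
@EnableWebSecurity
public class ConcurrencyWorkaroundConfig extends WebSecurityConfigurerAdapter {

    // Registering SessionRegistryImpl as a bean makes it an ApplicationListener
    // that the context knows about, so it receives SessionDestroyedEvents and
    // removes expired or logged-out sessions. The registry the configurer
    // creates internally is never published as a bean and so never hears them.
    @Bean
    public SessionRegistry sessionRegistry() {
        return new SessionRegistryImpl();
    }

    // HttpSessionEventPublisher translates HttpSessionListener callbacks into
    // Spring SessionCreatedEvent / SessionDestroyedEvent. Without a publisher
    // there is nothing for the registry to listen to, bean or not.
    // (Assumption: the container registers this bean as a listener, e.g. Spring Boot.)
    @Bean
    public HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .and()
            .logout()
                .invalidateHttpSession(true)
                .and()
            .sessionManagement()
                // One concurrent session per principal; a second login is refused
                // rather than expiring the first. This is the setting that becomes
                // a permanent lockout when the registry never sees sessions end.
                .maximumSessions(1)
                .maxSessionsPreventsLogin(true)
                // Point the ConcurrencyControlConfigurer at the bean-managed
                // registry instead of letting it create its own unwired instance.
                .sessionRegistry(sessionRegistry());
    }
}
```

To confirm the wiring works, inject the SessionRegistry bean and call sessionRegistry.getAllSessions(principal, false) after a logout or after the session timeout has passed; with the registry wired as above the list is empty and the user can log in again, whereas with the configurer's internal registry the stale entry stays and the second login is rejected. Note that the real method name on ConcurrencyControlConfigurer is maxSessionsPreventsLogin(boolean), with an "s".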