Closed spring-projects-issues closed 10 years ago
Rob Winch said:
I do not agree that this is a bug. The namespace is not meant to be a one to one mapping to the implementation classes (if this were the case namespace config would not be any simpler). Out of curiosity, why do you need unlimited sessions?
Frank Scheffler said:
I need the SessionRegistryImpl to be available for expiration of user sessions, e.g. when users are disabled. However, as far as I understood the registry is registered by the concurrency-control element together with the appropriate filters to add/remove the sessions. So I need to get a hold on the sessions but do not want to limit the concurrency. I know I can solve all this with regular beans, but it is always a little cumbersome.
Rob Winch said:
The namespace is really meant to cover the more common aspects of Spring Security. It is a bit counter intuitive to allow the concurrency control element to declare an unlimited number of users (the whole point of concurrency control is to control the number of users).
This is not to say that your use case is not valid. However, this is a bit of an edge case and we tend to try not to add edge cases to the namespace as it will end up making the namespace just as difficult as the standard bean configuration. I would suggest either entering a large number that is impractical for your users to hit or using a BeanPostProcessor as mentioned on the FAQ to set maxSessions to -1.
Frank Scheffler (Migrated from SEC-1936) said:
According to the JavaDoc in ConcurrentSessionControlStrategy, maxSessions can be set to -1 to allow unlimited number of sessions, however, the Spring security XSD requires us to set a positiveInteger