Closed spring-projects-issues closed 11 years ago
Michael (Migrated from SEC-2057) said:
According to the docs here: http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#d0e3278
The location of the filter is: "2) ConcurrentSessionFilter, because it doesn't use any SecurityContextHolder functionality..."
But as you can see in this line here, it is used. https://github.com/SpringSource/spring-security/blob/master/web/src/main/java/org/springframework/security/web/session/ConcurrentSessionFilter.java#L133
It never gets populated due to the location in the filter chain and the Authentication object is always null.
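The ordering effect reported above, as an added example that is not part of the original report and not Spring Security code: a simplified filter-chain model run in both orders. The `ThreadLocal` holder, the `Request` and `Chain` types, the user name, and the assumption that the concurrent-session filter reads the holder when it handles an expired session are all constructed for illustration.

```java
import java.util.List;

// Simplified model of a servlet filter chain; none of these types are Spring Security classes.
public class FilterOrderDemo {
    // Stand-in for SecurityContextHolder: a per-thread slot for the current Authentication.
    static final ThreadLocal<String> CONTEXT = new ThreadLocal<>();

    interface Filter { void doFilter(Request req, Chain chain); }

    static final class Request {
        final String sessionUser;      // constructed sample: principal stored in the HTTP session
        final boolean sessionExpired;  // session flagged as expired by concurrency control
        String seenAtLogout = "not reached";
        Request(String user, boolean expired) { sessionUser = user; sessionExpired = expired; }
    }

    static final class Chain {
        private final List<Filter> filters;
        private int pos = 0;
        Chain(List<Filter> filters) { this.filters = filters; }
        void next(Request req) { if (pos < filters.size()) filters.get(pos++).doFilter(req, this); }
    }

    // Models SecurityContextPersistenceFilter: populates the holder, clears it after the request.
    static final Filter PERSISTENCE = (req, chain) -> {
        CONTEXT.set(req.sessionUser);
        try { chain.next(req); } finally { CONTEXT.remove(); }
    };

    // Models ConcurrentSessionFilter: on an expired session it reads the holder
    // to hand the Authentication to its logout handling (assumption, see lead-in).
    static final Filter CONCURRENT_SESSION = (req, chain) -> {
        if (req.sessionExpired) {
            req.seenAtLogout = String.valueOf(CONTEXT.get());
            return; // expired sessions do not continue down the chain
        }
        chain.next(req);
    };

    // Runs one expired-session request through the given order and reports what logout saw.
    static String run(List<Filter> order) {
        Request req = new Request("alice", true);
        new Chain(order).next(req);
        return req.seenAtLogout;
    }

    public static void main(String[] args) {
        System.out.println("concurrent-session first: " + run(List.of(CONCURRENT_SESSION, PERSISTENCE)));
        System.out.println("persistence first:        " + run(List.of(PERSISTENCE, CONCURRENT_SESSION)));
    }
}
```

Any logout-time logic that depends on the principal (audit logging, token cleanup) receives nothing when the holder is read before it has been populated.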
Rob Winch said:
Thank you for your bug report. I have pushed out the following updates to 3.1.x (master) and 3.0.x: