spring-projects / spring-security

Spring Security
http://spring.io/projects/spring-security
Apache License 2.0

SEC-2057: ConcurrentSessionFilter documentation incorrectly states it doesn't rely on SecurityContextHolder, results in null to all logout handlers Authentication object #2281

Closed spring-projects-issues closed 11 years ago

spring-projects-issues commented 11 years ago

Michael (Migrated from SEC-2057) said:

According to the docs here: http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#d0e3278

The location of the filter is: "2) ConcurrentSessionFilter, because it doesn't use any SecurityContextHolder functionality..."

But as you can see in this line here, it is used. https://github.com/SpringSource/spring-security/blob/master/web/src/main/java/org/springframework/security/web/session/ConcurrentSessionFilter.java#L133

It never gets populated due to the location in the filter chain and the Authentication object is always null.
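
Added example, not part of the original issue and not Spring Security code: a plain-Java model of the ordering the report above describes, showing what a logout handler receives when the session check runs before the security context is loaded. `FilterOrderDemo`, `CONTEXT`, `CONTEXT_PERSISTENCE` and `concurrentSession` are hypothetical stand-ins for the real classes, and the session map is constructed sample data.

```java
import java.util.*;
import java.util.function.Consumer;

// Plain-Java model of the ordering problem; no Spring classes are used.
// Every name below is a hypothetical stand-in for the real filters.
public class FilterOrderDemo {
    // Stand-in for SecurityContextHolder: the current thread's authentication.
    static final ThreadLocal<String> CONTEXT = new ThreadLocal<>();

    interface Filter { void doFilter(Map<String, Object> session, Runnable next); }

    // Stand-in for the filter that loads the security context from the session.
    static final Filter CONTEXT_PERSISTENCE = (session, next) -> {
        CONTEXT.set((String) session.get("auth"));
        try { next.run(); } finally { CONTEXT.remove(); }
    };

    // Stand-in for ConcurrentSessionFilter: on an expired session it reads the
    // authentication from the holder and hands it to every logout handler.
    static Filter concurrentSession(List<Consumer<String>> logoutHandlers) {
        return (session, next) -> {
            if (Boolean.TRUE.equals(session.get("expired"))) {
                String auth = CONTEXT.get();
                logoutHandlers.forEach(h -> h.accept(auth));
                return; // in this model the request ends here
            }
            next.run();
        };
    }

    // Runs the two filters in the chosen order; returns what the handler saw.
    static String handlerSees(boolean documentedOrder) {
        String[] seen = {"<handler not called>"};
        Consumer<String> handler = a -> seen[0] = String.valueOf(a);
        Filter concurrent = concurrentSession(List.of(handler));
        List<Filter> chain = documentedOrder
                ? List.of(concurrent, CONTEXT_PERSISTENCE)
                : List.of(CONTEXT_PERSISTENCE, concurrent);
        Map<String, Object> session = new HashMap<>(); // constructed sample session
        session.put("auth", "alice");
        session.put("expired", true);
        run(chain, 0, session);
        return seen[0];
    }

    static void run(List<Filter> chain, int i, Map<String, Object> session) {
        if (i < chain.size()) chain.get(i).doFilter(session, () -> run(chain, i + 1, session));
    }

    public static void main(String[] args) {
        System.out.println("documented order: " + handlerSees(true));  // null
        System.out.println("context first:    " + handlerSees(false)); // alice
    }
}
```

A logout handler that audits or revokes per-user state needs a null check, or another source for the principal, while the filter sits ahead of the context-loading filter.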

spring-projects-issues commented 11 years ago

Rob Winch said:

Thank you for your bug report. I have pushed out the following updates to 3.1.x (master) and 3.0.x: