Summary
It's not very clear in which order the security filter ConcurrentSessionFilter is registered.
Actual Behavior
The different security filters are registered in org.springframework.security.config.annotation.web.builders.FilterComparator, each with a different order.
But ConcurrentSessionFilter is registered 3 times. As the filters are stored in a Map, only the last one is retained however.
Also in the documentation, at Security Filters it is written twice, which is not possible.
There's also a mistake in the javadoc for org.springframework.security.config.annotation.web.HttpSecurityBuilder#addFilter
Expected Behavior
ConcurrentSessionFilter should only be registered once.
Version
All versions including 5.3
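
The behavior reported above, shown as an added example that is not part of the original issue and is not Spring Security's own code: a simplified order registry keyed by filter name, in which a repeated registration silently overwrites the earlier slot, next to a check that reports the duplicates. The class `FilterOrderDemo`, the step size and the registration sequence are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Simplified model of an order registry keyed by filter class name.
// Not Spring Security's FilterComparator; names and step size are assumptions.
public class FilterOrderDemo {
    static final int STEP = 100; // assumed gap between consecutive slots

    // Lenient registry: a repeated name silently overwrites the earlier order.
    static Map<String, Integer> registerLastWins(List<String> names) {
        Map<String, Integer> order = new LinkedHashMap<>();
        int next = STEP;
        for (String name : names) {
            order.put(name, next);
            next += STEP;
        }
        return order;
    }

    // Strict check: report every name that is registered more than once.
    static List<String> findDuplicates(List<String> names) {
        Map<String, Integer> firstSeen = new LinkedHashMap<>();
        List<String> report = new ArrayList<>();
        int next = STEP;
        for (String name : names) {
            Integer previous = firstSeen.putIfAbsent(name, next);
            if (previous != null) {
                report.add(name + ": first order " + previous + ", repeated at " + next);
            }
            next += STEP;
        }
        return report;
    }

    public static void main(String[] args) {
        // Constructed registration sequence; positions are illustrative only.
        List<String> names = List.of(
            "ChannelProcessingFilter", "ConcurrentSessionFilter",
            "SecurityContextPersistenceFilter", "ConcurrentSessionFilter",
            "UsernamePasswordAuthenticationFilter", "ConcurrentSessionFilter",
            "SessionManagementFilter");
        System.out.println("effective: " + registerLastWins(names));
        findDuplicates(names).forEach(System.out::println);
    }
}
```

A duplicate check of this kind, run as a unit test over the registration list, makes the effective position of each filter explicit instead of depending on which registration happened last.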