spring-projects / spring-security

Spring Security
http://spring.io/projects/spring-security
Apache License 2.0

Security Filter ConcurrentSessionFilter's registration is confusing #8105

Closed ghusta closed 4 years ago

ghusta commented 4 years ago

Summary

It's not very clear in which order the security filter ConcurrentSessionFilter is registered.

Actual Behavior

The different security filters are registered in org.springframework.security.config.annotation.web.builders.FilterComparator, each with a different order.

But ConcurrentSessionFilter is registered 3 times. As the filters are stored in a Map, only the last one is retained, however.

Also in the documentation, at Security Filters it is written twice, which is not possible.

There's also a mistake in the javadoc for org.springframework.security.config.annotation.web.HttpSecurityBuilder#addFilter

Expected Behavior

ConcurrentSessionFilter should only be registered once.

Version

All versions including 5.3
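
The behavior reported above, as an added example that is not part of the original issue and is not Spring Security's code: a step-ordered, Map-backed registry keeps only the last order declared for a repeated key, and a small audit makes the discarded positions visible. The class name `FilterOrderDemo`, the placeholder filters `FilterA` to `FilterD`, the registration sequence and the order constants are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class FilterOrderDemo {
    // Assumed values for illustration, not read from FilterComparator.
    static final int INITIAL_ORDER = 100;
    static final int ORDER_STEP = 100;

    public static void main(String[] args) {
        // Constructed registration sequence; only ConcurrentSessionFilter is a name from the issue.
        List<String> registrations = List.of(
                "FilterA", "ConcurrentSessionFilter", "FilterB",
                "ConcurrentSessionFilter", "FilterC", "ConcurrentSessionFilter", "FilterD");

        Map<String, Integer> effective = new LinkedHashMap<>();      // what a Map-backed registry keeps
        Map<String, List<Integer>> declared = new LinkedHashMap<>(); // every order that was declared

        int order = INITIAL_ORDER;
        for (String name : registrations) {
            effective.put(name, order); // a repeated key silently replaces the earlier order
            declared.computeIfAbsent(name, k -> new ArrayList<>()).add(order);
            order += ORDER_STEP;
        }

        // Effective chain order: sort by the value that survived in the map.
        effective.entrySet().stream()
                .sorted(Map.Entry.comparingByValue())
                .forEach(e -> System.out.println(e.getValue() + "  " + e.getKey()));

        // Audit: report any name declared more than once, with the position that was retained.
        declared.forEach((name, orders) -> {
            if (orders.size() > 1) {
                System.out.println("duplicate registration: " + name + " declared at " + orders
                        + ", retained " + effective.get(name));
            }
        });
    }
}
```

With this constructed sequence the filter ends up after `FilterC`, not after `FilterA` or `FilterB`, so anyone reading the first two declarations would assume a different position in the chain than the one actually used.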

jzheaux commented 4 years ago

Good catch, @ghusta. I've removed the ambiguity and cleaned up the documentation.

ghusta commented 4 years ago

Thanks!