SEC-2489: Document equals and hashcode should be overridden on UserDetails when using concurrent session authentication control #2709
Labels: in: docs, in: web, type: jira, type: task
Quinten Krijger (Migrated from SEC-2489) said:
The implementation of the ConcurrentSessionControlAuthenticationStrategy calls SessionRegistryImpl.getAllSessions, which uses a map from principal to sessions. Therefore, if one implements UserDetails the equals() and hashcode() should be overridden. Otherwise, the strategy will not work.
My proposal here is to document a warning at http://docs.spring.io/spring-security/site/docs/3.2.x/reference/htmlsingle/#ns-concurrent-sessions and http://docs.spring.io/spring-security/site/docs/3.2.x/reference/htmlsingle/#concurrent-sessions that the UserDetails implementation should override equals and hashcode in order for the strategy to function.
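The failure mode reported above, as an added example that is not part of the original issue and is not Spring Security's code: `Registry` is a hypothetical stand-in for a principal-to-sessions map, and `IdentityUser` and `ValueUser` are hypothetical principal classes without and with value equality.

```java
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

public class PrincipalKeyDemo {
    // Stand-in (assumption) for a registry that maps principal -> session ids.
    static final class Registry {
        private final Map<Object, Set<String>> sessions = new ConcurrentHashMap<>();

        void register(Object principal, String sessionId) {
            sessions.computeIfAbsent(principal, p -> ConcurrentHashMap.newKeySet()).add(sessionId);
        }

        int sessionCount(Object principal) {
            return sessions.getOrDefault(principal, Set.of()).size();
        }
    }

    // Hypothetical principal relying on Object identity: every login is a new map key.
    static class IdentityUser {
        final String username;
        IdentityUser(String username) { this.username = username; }
    }

    // Hypothetical principal with value equality on the username.
    static final class ValueUser extends IdentityUser {
        ValueUser(String username) { super(username); }
        @Override public boolean equals(Object o) {
            return o instanceof ValueUser && username.equals(((ValueUser) o).username);
        }
        @Override public int hashCode() { return Objects.hash(username); }
    }

    public static void main(String[] args) {
        Registry broken = new Registry();
        broken.register(new IdentityUser("alice"), "session-1"); // first login
        IdentityUser second = new IdentityUser("alice");          // second login, fresh object
        broken.register(second, "session-2");
        System.out.println("identity principal sessions: " + broken.sessionCount(second));

        Registry fixed = new Registry();
        fixed.register(new ValueUser("alice"), "session-1");
        ValueUser again = new ValueUser("alice");                 // equal to the first key
        fixed.register(again, "session-2");
        System.out.println("value principal sessions: " + fixed.sessionCount(again));
    }
}
```

With the identity-based principal each login is stored under its own key, so a lookup for the second login only sees its own session and a per-user session limit is never reached. With `equals` and `hashCode` based on the username, both sessions are counted under one key.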