Just a question about Spring Security and session invalidation.
When a session is invalidated by the ConcurrentSessionControlStrategy, the session is removed from the SessionRegistry by calling the removeSessionInformation method. However, when a session is invalidated by a manual logout, the HttpSession is invalidated but there is no call to the SessionRegistry to remove entries from there.
I have added the HttpSessionEventPublisher as a listener which is capturing the HttpSessionDestroyedEvent event but again no call to the SessionRegistry.
I have worked around this by creating my own implementation of the LogoutFilter and adding a handler to manually call removeSessionInformation, but I would prefer to be able to use the standard Spring annotations if possible. (NB: I can't use the success-handler-ref field of the standard logout tag, as the session has already been invalidated so I can't access the session ID.)
Is there something I'm missing here or is this just something that Spring have missed?
This is using Spring Security 3.1.0 by the way.
I had the same problem. In my case the solution was to create the SessionRegistry as a separate Spring bean. ConcurrentSessionControlStrategy holds a link to the registry so it can remove an invalid session from it directly. But SecurityContextLogoutHandler uses session.invalidate(), so the sessionDestroyed servlet event is provided to HttpSessionEventPublisher by the servlet container, but the HttpSessionDestroyedEvent published to the Spring context by HttpSessionEventPublisher doesn't reach the SessionRegistry when it's not a Spring bean.
This security config didn't work:
...
// Registry created inline: it is not a Spring bean, so the
// HttpSessionDestroyedEvent published on logout never reaches it.
SessionRegistry sessionRegistry = new SessionRegistryImpl();
ConcurrentSessionControlStrategy concurrentSessionControlStrategy = new ConcurrentSessionControlStrategy(sessionRegistry);
...
This one works fine:
// Registry exposed as a bean: SessionRegistryImpl is an ApplicationListener,
// so it now receives the HttpSessionDestroyedEvent and drops the logged-out session.
@Bean
public SessionRegistry sessionRegistry() {
    return new SessionRegistryImpl();
}
...
// The strategy still holds a direct reference to the same registry bean.
ConcurrentSessionControlStrategy concurrentSessionControlStrategy = new ConcurrentSessionControlStrategy(sessionRegistry());
...
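The wiring the answer describes, written out as an added example (not code from the question or answer, and not Spring's own): the registry as a bean so it receives HttpSessionDestroyedEvent, the strategy holding a direct reference to it, the ConcurrentSessionFilter, and a Servlet 3.0 initializer that registers HttpSessionEventPublisher. It assumes the Spring Security 3.1 API named on the page; the session limit and the "/session-expired" URL are hypothetical values.

```java
import javax.servlet.ServletContext;
import javax.servlet.ServletException;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy;
import org.springframework.security.web.session.ConcurrentSessionFilter;
import org.springframework.security.web.session.HttpSessionEventPublisher;
import org.springframework.web.WebApplicationInitializer;

@Configuration
public class ConcurrentSessionConfig {

    // The registry must be a Spring bean: SessionRegistryImpl implements
    // ApplicationListener<SessionDestroyedEvent>, and only beans receive the
    // HttpSessionDestroyedEvent that HttpSessionEventPublisher publishes on logout.
    @Bean
    public SessionRegistry sessionRegistry() {
        return new SessionRegistryImpl();
    }

    // The strategy keeps a direct reference to the registry, so sessions it
    // expires (over the per-user limit) are removed without any event.
    @Bean
    public ConcurrentSessionControlStrategy sessionAuthenticationStrategy() {
        ConcurrentSessionControlStrategy strategy =
                new ConcurrentSessionControlStrategy(sessionRegistry());
        strategy.setMaximumSessions(1);                 // hypothetical limit
        strategy.setExceptionIfMaximumExceeded(false);  // expire the older session rather than reject the login
        return strategy;
    }

    // Rejects requests that arrive on a session the strategy has already expired.
    @Bean
    public ConcurrentSessionFilter concurrentSessionFilter() {
        return new ConcurrentSessionFilter(sessionRegistry(), "/session-expired"); // hypothetical URL
    }
}

// Registers the servlet listener that turns the container's sessionDestroyed
// callback (including the one caused by SecurityContextLogoutHandler calling
// session.invalidate()) into an HttpSessionDestroyedEvent in the Spring context.
class SessionListenerInitializer implements WebApplicationInitializer {
    @Override
    public void onStartup(ServletContext servletContext) throws ServletException {
        servletContext.addListener(new HttpSessionEventPublisher());
    }
}
```

Attaching the strategy to the authentication filter and placing the ConcurrentSessionFilter in the filter chain is left as in the elided parts of the answer; on a Servlet 2.5 container the listener goes in web.xml instead of the initializer.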