Use SessionAuthenticationStrategy for Remember-Me authentication #15748
Conversation
Thanks for the PR, @xhaggi! Could you add a unit test that confirms the desired behavior (concurrency control) works, for example when the DSL configures a max number of sessions and the remember me filter exceeds that?
Force-pushed from 5e86336 to a9147d0
@jzheaux of course. I have added the unit test.
Force-pushed from d3861e5 to 1717d59
BTW is there any chance that this will be backported to earlier versions?
Force-pushed from 1717d59 to f48a277
Hi, @xhaggi, no, it's not likely, given that there is a behavioral change and a new public API. That said, what version were you hoping to backport it to and what is preventing you from upgrading?
I was thinking of the last stable version 6.3.x.
Nothing, but we have to wait for the next stable 😉
As described in gh-2253, the `RememberMeAuthenticationFilter` does not call the configured `SessionAuthenticationStrategy` if there is one, and therefore concurrent session control does not work properly.

This PR adapts the `RememberMeAuthenticationFilter` so that it calls the `SessionAuthenticationStrategy` on successful authentication as the `AbstractAuthenticationProcessingFilter` does. The shared `SessionAuthenticationStrategy` is then used in the `RememberMeConfigurer` to configure the filter like it is done in `FormLoginConfigurer`.

Let me know if anything is missing!
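To put the change in context, the following is an added example of a Spring Security Java configuration that enables both remember-me and concurrent session control, i.e. the combination whose behavior this PR fixes. It is not code from the PR or from the Spring Security project; the class name, the in-memory user, and the remember-me key are assumptions chosen for illustration.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.session.HttpSessionEventPublisher;

// Example configuration (assumed class name): remember-me plus a hard limit of
// one concurrent session per user.
@Configuration
@EnableWebSecurity
public class RememberMeConcurrencyConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .formLogin(form -> form.permitAll())
            .rememberMe(remember -> remember
                // Assumed key for illustration only; in production use a long,
                // randomly generated secret so remember-me tokens cannot be forged.
                .key("example-remember-me-key")
                .tokenValiditySeconds(7 * 24 * 60 * 60))
            .sessionManagement(session -> session
                // Registers the concurrency-control SessionAuthenticationStrategy
                // that the remember-me filter must consult on a successful
                // cookie-based authentication for the limit to hold.
                .maximumSessions(1)
                .maxSessionsPreventsLogin(true));
        return http.build();
    }

    // Publishes session-destroyed events so the session registry stops counting
    // sessions that have expired or been invalidated.
    @Bean
    HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }

    // Constructed demo user; withDefaultPasswordEncoder() is for samples only.
    @Bean
    UserDetailsService users() {
        return new InMemoryUserDetailsManager(
            User.withDefaultPasswordEncoder()
                .username("alice")
                .password("password")
                .roles("USER")
                .build());
    }
}
```

With this configuration, a request that is authenticated only by a remember-me cookie creates a new session for the user; without the change in this PR that path did not run the strategy registered by `maximumSessions(1)`, so the limit applied to form logins but not to remember-me logins. A practical manual check is to log in with "remember me" in one browser, present the remember-me cookie from a second client while the first session is still active, and confirm that the second authentication is now rejected (or the first session expired, if `maxSessionsPreventsLogin` is left at its default) just as it would be for a second form login.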