Advise overriding equals() and hashCode() in UserDetails implementations #17141

Merged
merged 1 commit into from
May 21, 2025

Gurunathan16
Contributor

This commit adds a documentation note explaining the importance of overriding equals() and hashCode() in custom UserDetails implementations.

The default SessionRegistryImpl in Spring Security uses an in-memory ConcurrentMap<Object, Set<String>>, Map<String,SessionInformation> to associate principals with sessions. If a custom UserDetails class does not properly override equals() and hashCode(), user sessions may not be tracked or matched correctly.

I believe this helps developers avoid subtle session management issues when implementing custom authentication logic.

Reference: org.springframework.security.core.session.SessionRegistryImpl
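
The mismatch described in this pull request, as an added example that is not part of the PR or of Spring Security's own code: a plain-JDK model of a principal-keyed session map in which a principal with inherited identity equality is never found again, while one with value equality accumulates both sessions. `Registry`, `IdentityUser` and `ValueUser` are hypothetical names, and `Registry` is a simplified stand-in, not `SessionRegistryImpl` itself.

```java
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

public class PrincipalEqualityDemo {

    // Simplified stand-in (assumption) for a principal -> session ids map.
    static final class Registry {
        private final Map<Object, Set<String>> principals = new ConcurrentHashMap<>();

        void register(String sessionId, Object principal) {
            principals.computeIfAbsent(principal, p -> ConcurrentHashMap.newKeySet())
                      .add(sessionId);
        }

        int sessionCount(Object principal) {
            return principals.getOrDefault(principal, Set.of()).size();
        }
    }

    // Hypothetical custom principal that inherits Object's identity equality.
    static class IdentityUser {
        final String username;
        IdentityUser(String username) { this.username = username; }
    }

    // The same principal with equals() and hashCode() based on the username.
    static final class ValueUser extends IdentityUser {
        ValueUser(String username) { super(username); }
        @Override public boolean equals(Object o) {
            return o instanceof ValueUser && Objects.equals(((ValueUser) o).username, username);
        }
        @Override public int hashCode() { return Objects.hash(username); }
    }

    public static void main(String[] args) {
        // Every login builds a fresh principal object (constructed sample data).
        Registry identityKeyed = new Registry();
        identityKeyed.register("session-A", new IdentityUser("alice"));
        identityKeyed.register("session-B", new IdentityUser("alice"));
        System.out.println("identity equality: "
                + identityKeyed.sessionCount(new IdentityUser("alice")) + " sessions found");

        Registry valueKeyed = new Registry();
        valueKeyed.register("session-A", new ValueUser("alice"));
        valueKeyed.register("session-B", new ValueUser("alice"));
        System.out.println("value equality:    "
                + valueKeyed.sessionCount(new ValueUser("alice")) + " sessions found");
    }
}
```

Any check that counts a user's active sessions through such a lookup sees none for the identity-keyed principal, which is why the two methods need to be overridden together.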

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label May 19, 2025
@jzheaux jzheaux added this to the 6.3.10 milestone May 21, 2025
@jzheaux jzheaux added in: docs An issue in Documentation or samples type: enhancement A general enhancement and removed status: waiting-for-triage An issue we've not yet triaged labels May 21, 2025
This commit adds a documentation note explaining the importance of
overriding equals() and hashCode() in custom UserDetails implementations.

The default SessionRegistryImpl in Spring Security uses an in-memory
ConcurrentMap<Object, Set<String>>, Map<String,SessionInformation> to
associate principals with sessions. If a custom UserDetails class does
not properly override equals() and hashCode(), user sessions may not
be tracked or matched correctly.

I believe this helps developers avoid subtle session management issues
when implementing custom authentication logic.

Signed-off-by: Gurunathan <129361658+Gurunathan16@users.noreply.github.com>
@jzheaux jzheaux force-pushed the UserDetails-patch branch from 2ddb665 to a4cd6f4 Compare May 21, 2025 18:43
@jzheaux jzheaux changed the base branch from main to 6.3.x May 21, 2025 18:44
@jzheaux jzheaux self-assigned this May 21, 2025
@jzheaux jzheaux changed the title Add note about overriding equals() and hashCode() in custom UserDetails Advise overriding equals() and hashCode() in UserDetails implementations May 21, 2025
@jzheaux jzheaux merged commit a4cd6f4 into spring-projects:6.3.x May 21, 2025
9 of 12 checks passed
@jzheaux
Contributor

jzheaux commented May 21, 2025

Thanks, @Gurunathan16! This is now merged into 6.3.x, 6.4.x, 6.5.x, and main.

@Gurunathan16
Contributor Author

Thanks a lot for reviewing and merging this, @jzheaux! 🙌
This was my first open source contribution, and I really appreciate the guidance and support from the Spring team.
Looking forward to contributing more in the future!
