This topic is closed
  • Problem using both AnonymousProcessingFilter and ConcurrentSessionFilter

    I've run into an issue that I'm hoping is simply misconfiguration. I'm using both the AnonymousProcessingFilter and the ConcurrentSessionFilter and I was surprised to see that the anonymous user is not excluded from the concurrency check. So each anonymous user's request invalidates the last anonymous user's request. Oddly, the side effect of this is that the latter user is faced with a login screen on their next request even though they are accessing a URL that has both the anonymous and user role associated with it and which they were accessing without logging in prior to their session being invalidated. I see in the ConcurrentSessionControllerImpl where I could override getMaximumSessionsForThisUser and look for an AnonymousAuthenticationToken (and return -1) but I was thinking there must be something else at issue here.

    Here's my filter order (which looks legitimate according to the docs):

    Code:
    		/**=concurrentSessionFilter,httpSessionContextIntegrationFilter,logoutFilter,authenticationProcessingFilter,populateJettyHttpRequestFilter,securityContextHolderAwareRequestFilter,anonymousProcessingFilter,exceptionTranslationFilter,filterInvocationInterceptor
    I can provide more if needed. I just thought that seemed the most likely culprit.

    Thanks,

    Rob

  • #2
    Just a note, I have alwaysReauthenticate set to true in FilterSecurityInterceptor so this may be why others have not seen this.
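
The override described in the first post, written out as an added example (not code posted in this thread or taken from the framework). The class name AnonymousExemptSessionController is hypothetical, and the org.acegisecurity package names are an assumption because the thread does not state the framework version; under Spring Security 2.x the same classes live under org.springframework.security.

```java
// Added example, not code from the thread.
// Assumption: Acegi Security 1.0.x package names (the thread does not give the version).
import org.acegisecurity.Authentication;
import org.acegisecurity.concurrent.ConcurrentSessionControllerImpl;
import org.acegisecurity.providers.anonymous.AnonymousAuthenticationToken;

/**
 * Hypothetical subclass that exempts the shared anonymous principal from the
 * concurrent-session limit while leaving the limit in place for real users.
 */
public class AnonymousExemptSessionController extends ConcurrentSessionControllerImpl {

    protected int getMaximumSessionsForThisUser(Authentication authentication) {
        // Every anonymous visitor is represented by the same principal, so the
        // default per-principal limit makes unrelated visitors expire each other.
        if (authentication instanceof AnonymousAuthenticationToken) {
            // -1 is the value the first post proposes for "no limit".
            return -1;
        }
        // Authenticated users keep the configured maximumSessions value.
        return super.getMaximumSessionsForThisUser(authentication);
    }
}
```

Declare this class in place of the existing ConcurrentSessionControllerImpl bean and keep its sessionRegistry and maximumSessions properties unchanged, so only the anonymous token is exempted.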
