Just a question about Spring Security and session invalidation.
When a session is invalidated by the ConcurrentSessionControlStrategy the session is removed from the SessionRegistry by calling the removeSessionInformation method however when a session is invalidated by a manual logout the HttpSession is invalidated but there is no call to the SessionRegistry to remove entries from there.
I have added the HttpSessionEventPublisher as a listener which is capturing the HttpSessionDestroyedEvent event but again no call to the SessionRegistry.
I have worked around this by creating my own implementation of the LogoutFilter and adding a handler to manually call removeSessionInformation but I would prefer to be able to use the standard spring annotations if possible. (NB I can’t use the success-handler-ref field of the standard logout tag as the session has already been invalidated so I can’t access the session ID)
Is there something I’m missing here or is this just something that Spring have missed?
This is using Spring Security 3.1.0 by the way.
I had the same problem. In my case solution was to create
SessionRegistryas a separate spring bean.ConcurrentSessionControlStrategyholds link to registry so it can remove invalid session from it directly. ButSecurityContextLogoutHandlerusessession.invalidate()sosessionDestroyedservlet event is provided toHttpSessionEventPublisherby servlet container, butHttpSessionDestroyedEventpublished to Spring context byHttpSessionEventPublisherdoesn’t come toSessionRegistrywhen it’s not a spring bean.This security config didn’t work:
This one works fine: