SEC-1372: Return an empty list rather than null from SessionRegistryImpl.getAllSessions()

If the principal has no sessions, null is returned which contradicts the interface contract. In practice it didn't matter as the null was checked for, but it is cleaner to disallow a null value.
2010-01-19 01:07:33 +00:00 · 2010-01-19 01:07:33 +00:00 · 1a7f71fc0f
parent 8137a8bcd0
commit 1a7f71fc0f
3 changed files with 4 additions and 4 deletions
--- a/core/src/main/java/org/springframework/security/core/session/SessionRegistryImpl.java
+++ b/core/src/main/java/org/springframework/security/core/session/SessionRegistryImpl.java
@ -62,7 +62,7 @@ public class SessionRegistryImpl implements SessionRegistry, ApplicationListener
        final Set<String> sessionsUsedByPrincipal = principals.get(principal);

        if (sessionsUsedByPrincipal == null) {
-            return null;
+            return Collections.emptyList();
        }

        List<SessionInformation> list = new ArrayList<SessionInformation>(sessionsUsedByPrincipal.size());
--- a/core/src/test/java/org/springframework/security/core/session/SessionRegistryImplTests.java
+++ b/core/src/test/java/org/springframework/security/core/session/SessionRegistryImplTests.java
@ -117,7 +117,7 @@ public class SessionRegistryImplTests {

        // Check attempts to retrieve cleared session return null
        assertNull(sessionRegistry.getSessionInformation(sessionId));
-        assertNull(sessionRegistry.getAllSessions(principal, false));
+        assertEquals(0, sessionRegistry.getAllSessions(principal, false).size());
    }

    @Test
@ -168,7 +168,7 @@ public class SessionRegistryImplTests {

        sessionRegistry.removeSessionInformation(sessionId2);
        assertNull(sessionRegistry.getSessionInformation(sessionId2));
-        assertNull(sessionRegistry.getAllSessions(principal, false));
+        assertEquals(0, sessionRegistry.getAllSessions(principal, false).size());
    }

    private boolean contains(String sessionId, Object principal) {
--- a/web/src/main/java/org/springframework/security/web/authentication/session/ConcurrentSessionControlStrategy.java
+++ b/web/src/main/java/org/springframework/security/web/authentication/session/ConcurrentSessionControlStrategy.java
@ -69,7 +69,7 @@ public class ConcurrentSessionControlStrategy extends SessionFixationProtectionS

        final List<SessionInformation> sessions = sessionRegistry.getAllSessions(authentication.getPrincipal(), false);

-        int sessionCount = sessions == null ? 0 : sessions.size();
+        int sessionCount = sessions.size();
        int allowedSessions = getMaximumSessionsForThisUser(authentication);

        if (sessionCount < allowedSessions) {