SEC-1143: Fixed by using BeanDefinitionRegistry.isBeanNameInUse() instead of containsBeanDefinition() to check for the SessionRegistry availability. The former picks up the alias registration of the standard bean Id for user's bean Id.

config/src/main/java/org/springframework/security/config/FormLoginBeanDefinitionParser.java

@@ -111,7 +111,7 @@ public class FormLoginBeanDefinitionParser implements BeanDefinitionParser {
                     new RuntimeBeanReference(BeanIds.REMEMBER_ME_SERVICES) );
         }
 
-        if (pc.getRegistry().containsBeanDefinition(BeanIds.SESSION_REGISTRY)) {
+        if (pc.getRegistry().isBeanNameInUse(BeanIds.SESSION_REGISTRY)) {
             filterBean.getPropertyValues().addPropertyValue("sessionRegistry",
                     new RuntimeBeanReference(BeanIds.SESSION_REGISTRY));
         }

config/src/test/java/org/springframework/security/config/HttpSecurityBeanDefinitionParserTests.java

@@ -511,16 +511,20 @@ public class HttpSecurityBeanDefinitionParserTests {
                 "<b:bean id='seshRegistry' class='" + SessionRegistryImpl.class.getName() + "'/>" +
                 AUTH_PROVIDER_XML);
         Object sessionRegistry = appContext.getBean("seshRegistry");
-        Object sessionRegistryFromFilter = FieldUtils.getFieldValue(
+        Object sessionRegistryFromConcurrencyFilter = FieldUtils.getFieldValue(
                 appContext.getBean(BeanIds.CONCURRENT_SESSION_FILTER),"sessionRegistry");
+        Object sessionRegistryFromFormLoginFilter = FieldUtils.getFieldValue(
+                appContext.getBean(BeanIds.FORM_LOGIN_FILTER),"sessionRegistry");
         Object sessionRegistryFromController = FieldUtils.getFieldValue(
                 appContext.getBean(BeanIds.CONCURRENT_SESSION_CONTROLLER),"sessionRegistry");
         Object sessionRegistryFromFixationFilter = FieldUtils.getFieldValue(
                 appContext.getBean(BeanIds.SESSION_FIXATION_PROTECTION_FILTER),"sessionRegistry");
 
-        assertSame(sessionRegistry, sessionRegistryFromFilter);
+        assertSame(sessionRegistry, sessionRegistryFromConcurrencyFilter);
         assertSame(sessionRegistry, sessionRegistryFromController);
         assertSame(sessionRegistry, sessionRegistryFromFixationFilter);
+        // SEC-1143
+        assertSame(sessionRegistry, sessionRegistryFromFormLoginFilter);
     }
 
     @Test(expected=BeanDefinitionParsingException.class)

core/src/main/java/org/springframework/security/util/FieldUtils.java

@@ -91,7 +91,9 @@ public final class FieldUtils {
             field = getField(componentClass, nestedFields[i]);
             field.setAccessible(true);
             value = field.get(value);
-            componentClass = value.getClass();
+            if (value != null) {
+                componentClass = value.getClass();
+            }
         }
 
         return value;