
SEC-2057: ConcurrentSessionFilter is now after SecurityContextPersistenceFilter

Previously, ConcurrentSessionFilter was placed after SecurityContextPersistenceFilter
which meant that the SecurityContextHolder was empty when ConcurrentSessionFilter was
invoked. This caused the Authentication to be null when performing a logout. It also
caused complications with LogoutHandler implementations that would be accessing the
SecurityContextHolder and potentially clear it out expecting that
SecurityContextPersistenceFilter would then clear the SecurityContextRepository.

The ConcurrentSessionFilter is now positioned after the
SecurityContextPersistenceFilter to ensure that the SecurityContextHolder is populated
and cleared out appropriately.
Rob Winch, 13 years ago
parent commit 70d5ba536e

+ 1 - 1
config/src/main/java/org/springframework/security/config/http/SecurityFilters.java

@@ -10,8 +10,8 @@ package org.springframework.security.config.http;
 enum SecurityFilters {
     FIRST (Integer.MIN_VALUE),
     CHANNEL_FILTER,
-    CONCURRENT_SESSION_FILTER,
     SECURITY_CONTEXT_FILTER,
+    CONCURRENT_SESSION_FILTER,
     LOGOUT_FILTER,
     X509_FILTER,
     PRE_AUTH_FILTER,
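Review bot: nothing in SecurityFilters records that the relative order of SECURITY_CONTEXT_FILTER and CONCURRENT_SESSION_FILTER is load-bearing; since the enum's declaration order is what positions each filter in the chain, a one-line comment beside CONCURRENT_SESSION_FILTER stating that it must follow SECURITY_CONTEXT_FILTER (so the SecurityContextHolder is populated when logout runs, as the commit message explains) would keep a future reorder from silently reintroducing the null Authentication problem.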

+ 1 - 1
config/src/test/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParserTests.java

@@ -787,7 +787,7 @@ public class HttpSecurityBeanDefinitionParserTests {
                 "</http>" + AUTH_PROVIDER_XML);
         List<Filter> filters = getFilters("/someurl");
 
-        assertTrue(filters.get(0) instanceof ConcurrentSessionFilter);
+        assertTrue(filters.get(1) instanceof ConcurrentSessionFilter);
         assertNotNull(appContext.getBean("sr"));
         SessionManagementFilter smf = getFilter(SessionManagementFilter.class);
         assertNotNull(smf);
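Review bot: the updated assertion `assertTrue(filters.get(1) instanceof ConcurrentSessionFilter);` still encodes an absolute position, so it will break on any unrelated insertion earlier in the chain and does not state the property this commit is about; asserting the relative order instead, for example that the index of the ConcurrentSessionFilter in `filters` is greater than the index of the SecurityContextPersistenceFilter, would document the intent and survive later reorders.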

+ 1 - 1
docs/manual/src/docbook/namespace-config.xml

@@ -570,9 +570,9 @@ List&lt;OpenIDAttribute> attributes = token.getAttributes();</programlisting>The
                   align="center">Namespace Element or
                   Attribute</entry></row></thead><tbody><row><entry>
                     CHANNEL_FILTER</entry><entry><literal>ChannelProcessingFilter</literal></entry><entry><literal>http/intercept-url@requires-channel</literal></entry></row><row><entry>
+                  SECURITY_CONTEXT_FILTER</entry><entry><classname>SecurityContextPersistenceFilter</classname></entry><entry><literal>http</literal></entry></row><row><entry>
                   CONCURRENT_SESSION_FILTER</entry><entry><literal>ConcurrentSessionFilter</literal>
                 </entry><entry><literal>session-management/concurrency-control</literal></entry></row><row><entry>
-                  SECURITY_CONTEXT_FILTER</entry><entry><classname>SecurityContextPersistenceFilter</classname></entry><entry><literal>http</literal></entry></row><row><entry>
                   LOGOUT_FILTER
                     </entry><entry><literal>LogoutFilter</literal></entry><entry><literal>http/logout</literal></entry></row><row><entry>
                   X509_FILTER
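Review bot: the re-added SECURITY_CONTEXT_FILTER row wraps `SecurityContextPersistenceFilter` in `<classname>` while the neighbouring CHANNEL_FILTER and CONCURRENT_SESSION_FILTER rows use `<literal>` for their filter class; since the row is being touched anyway, aligning it with the table's `<literal>` convention (or switching the other rows to `<classname>`) would make the column render consistently.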

+ 9 - 6
docs/manual/src/docbook/security-filter-chain.xml

@@ -132,16 +132,19 @@
       filters you are actually using, the order should be as follows:
               <orderedlist><listitem><para><classname>ChannelProcessingFilter</classname>, because
             it might need to redirect to a different
-              protocol</para></listitem><listitem><para><classname>ConcurrentSessionFilter</classname>,
-            because it doesn't use any <classname>SecurityContextHolder</classname> functionality
-            but needs to update the <interfacename>SessionRegistry</interfacename> to reflect
-            ongoing requests from the
-              principal</para></listitem><listitem><para><classname>SecurityContextPersistenceFilter</classname>,
+              protocol</para></listitem><listitem><para><classname>SecurityContextPersistenceFilter</classname>,
             so a <interfacename>SecurityContext</interfacename> can be set up in the
               <classname>SecurityContextHolder</classname> at the beginning of a web request, and
             any changes to the <interfacename>SecurityContext</interfacename> can be copied to the
               <literal>HttpSession</literal> when the web request ends (ready for use with the next
-            web request)</para></listitem><listitem><para>Authentication processing mechanisms -
+            web request)</para></listitem>
+            <listitem>
+                <para><classname>ConcurrentSessionFilter</classname>, because it uses the
+                    <classname>SecurityContextHolder</classname> functionality but needs to update
+                    the <interfacename>SessionRegistry</interfacename> to reflect ongoing requests
+                    from the principal</para>
+            </listitem>
+            <listitem><para>Authentication processing mechanisms -
               <classname>UsernamePasswordAuthenticationFilter</classname>,
               <classname>CasAuthenticationFilter</classname>,
               <classname>BasicAuthenticationFilter</classname> etc - so that the
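Review bot: the rewritten ConcurrentSessionFilter item keeps the old sentence's contrast, "because it uses the SecurityContextHolder functionality but needs to update the SessionRegistry", which no longer reads correctly now that the filter does rely on the holder; "because it needs the SecurityContextHolder to be populated and must update the SessionRegistry to reflect ongoing requests from the principal" states the actual reason for the new position. The new `<listitem>` block is also indented differently from the surrounding items, so matching the existing layout would keep the docbook source uniform.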