diff --git a/config/src/main/java/org/springframework/security/config/http/SecurityFilters.java b/config/src/main/java/org/springframework/security/config/http/SecurityFilters.java
index af9ea1926c..fee6f66e51 100644
--- a/config/src/main/java/org/springframework/security/config/http/SecurityFilters.java
+++ b/config/src/main/java/org/springframework/security/config/http/SecurityFilters.java
@@ -10,8 +10,8 @@ package org.springframework.security.config.http;
 enum SecurityFilters {
 FIRST (Integer.MIN_VALUE),
 CHANNEL_FILTER,
- CONCURRENT_SESSION_FILTER,
 SECURITY_CONTEXT_FILTER,
+ CONCURRENT_SESSION_FILTER,
 LOGOUT_FILTER,
 X509_FILTER,
 PRE_AUTH_FILTER,
diff --git a/config/src/test/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParserTests.java b/config/src/test/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParserTests.java
index 0a94e12d81..a66fabe2af 100644
--- a/config/src/test/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParserTests.java
+++ b/config/src/test/java/org/springframework/security/config/http/HttpSecurityBeanDefinitionParserTests.java
@@ -787,7 +787,7 @@ public class HttpSecurityBeanDefinitionParserTests {
 "" + AUTH_PROVIDER_XML);
 List filters = getFilters("/someurl");
- assertTrue(filters.get(0) instanceof ConcurrentSessionFilter);
+ assertTrue(filters.get(1) instanceof ConcurrentSessionFilter);
 assertNotNull(appContext.getBean("sr"));
 SessionManagementFilter smf = getFilter(SessionManagementFilter.class);
 assertNotNull(smf);
diff --git a/docs/manual/src/docbook/namespace-config.xml b/docs/manual/src/docbook/namespace-config.xml
index 7d950f92fc..0596a99318 100644
--- a/docs/manual/src/docbook/namespace-config.xml
+++ b/docs/manual/src/docbook/namespace-config.xml
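Review bot: The declaration order of SecurityFilters is what fixes each filter's position in the chain, yet nothing next to the moved constant records why CONCURRENT_SESSION_FILTER now follows SECURITY_CONTEXT_FILTER; the rationale lives only in the docbook hunk of this commit. A comment on the new `+ CONCURRENT_SESSION_FILTER,` line would keep code and manual in step, e.g. `// must follow SECURITY_CONTEXT_FILTER: it uses the SecurityContextHolder when updating the SessionRegistry`. Presumably any configuration that positions a custom filter relative to either of these two constants now lands at a different point in the chain, which is worth stating in the enum's class-level Javadoc or the release notes. The enum body continues beyond the hunk.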
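Review bot: The updated assertion `filters.get(1) instanceof ConcurrentSessionFilter` still pins an absolute index, so it passes for any chain in which something precedes ConcurrentSessionFilter rather than for the specific ordering this commit establishes. Asserting the neighbour as well, `assertTrue(filters.get(0) instanceof SecurityContextPersistenceFilter);`, would make the test fail if the two filters were ever swapped back. The enclosing test method starts before the hunk.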
@@ -570,9 +570,9 @@ List<OpenIDAttribute> attributes = token.getAttributes();The align="center">Namespace Element or Attribute CHANNEL_FILTERChannelProcessingFilterhttp/intercept-url@requires-channel + SECURITY_CONTEXT_FILTERSecurityContextPersistenceFilterhttp CONCURRENT_SESSION_FILTERConcurrentSessionFilter session-management/concurrency-control - SECURITY_CONTEXT_FILTERSecurityContextPersistenceFilterhttp LOGOUT_FILTER LogoutFilterhttp/logout X509_FILTER
diff --git a/docs/manual/src/docbook/security-filter-chain.xml b/docs/manual/src/docbook/security-filter-chain.xml
index 67d5e36e6b..3950c75e00 100644
--- a/docs/manual/src/docbook/security-filter-chain.xml
+++ b/docs/manual/src/docbook/security-filter-chain.xml
@@ -132,16 +132,19 @@ filters you are actually using, the order should be as follows: ChannelProcessingFilter, because it might need to redirect to a different - protocolConcurrentSessionFilter, - because it doesn't use any SecurityContextHolder functionality - but needs to update the SessionRegistry to reflect - ongoing requests from the - principalSecurityContextPersistenceFilter, + protocolSecurityContextPersistenceFilter, so a SecurityContext can be set up in the SecurityContextHolder at the beginning of a web request, and any changes to the SecurityContext can be copied to the HttpSession when the web request ends (ready for use with the next - web request)Authentication processing mechanisms - + web request) + + ConcurrentSessionFilter, because it uses the + SecurityContextHolder functionality but needs to update + the SessionRegistry to reflect ongoing requests + from the principal + + Authentication processing mechanisms - UsernamePasswordAuthenticationFilter, CasAuthenticationFilter, BasicAuthenticationFilter etc - so that the