From a4cd6f4278d04535f7029bc84ebd1a2bbff8c1f6 Mon Sep 17 00:00:00 2001
From: Gurunathan <129361658+Gurunathan16@users.noreply.github.com>
Date: Mon, 19 May 2025 19:32:12 +0530
Subject: [PATCH] Advise Overriding equals() and hashCode() in UserDetails Implementations

This commit adds a documentation note explaining the importance of overriding equals() and hashCode() in custom UserDetails implementations.

The default SessionRegistryImpl in Spring Security uses an in-memory ConcurrentMap>, Map to associate principals with sessions. If a custom UserDetails class does not properly override equals() and hashCode(), user sessions may not be tracked or matched correctly.

I believe this helps developers avoid subtle session management issues when implementing custom authentication logic.

Signed-off-by: Gurunathan <129361658+Gurunathan16@users.noreply.github.com>
---
 .../pages/servlet/authentication/session-management.adoc | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/docs/modules/ROOT/pages/servlet/authentication/session-management.adoc b/docs/modules/ROOT/pages/servlet/authentication/session-management.adoc
index f269c960bc..a0bd2dd526 100644
--- a/docs/modules/ROOT/pages/servlet/authentication/session-management.adoc
+++ b/docs/modules/ROOT/pages/servlet/authentication/session-management.adoc
@@ -534,6 +534,13 @@ public class MaximumSessionsPreventLoginTests { If you are using a customized authentication filter for form-based login, then you have to configure concurrent session control support explicitly. You can try it using the {gh-samples-url}/servlet/spring-boot/java/session-management/maximum-sessions-prevent-login[Maximum Sessions Prevent Login sample]. +[NOTE] +===== +If you are using a custom implementation of `UserDetails`, ensure you override the **equals()** and **hashCode()** methods. +The default `SessionRegistry` implementation in Spring Security relies on an in-memory Map that uses these methods to correctly identify and manage user sessions. +Failing to override them may lead to issues where session tracking and user comparison behave unexpectedly. +===== + == Detecting Timeouts Sessions expire on their own, and there is nothing that needs to be done to ensure that a security context gets removed.
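Review bot: the added NOTE is vaguer than the commit message that motivates it, and it formats method names inconsistently with the rest of this file. The surrounding text uses backticks for code identifiers (`UserDetails`, `SessionRegistry`), so the bold `**equals()**` and `**hashCode()**` should become `` `equals()` `` and `` `hashCode()` ``. On content, the commit message names the concrete mechanism (`SessionRegistryImpl` keeps an in-memory `ConcurrentMap` keyed by the principal object), while the note only says the default implementation "relies on an in-memory Map" and that things "behave unexpectedly". Since this note lands in the concurrent session control section, state what actually goes wrong: if `equals()`/`hashCode()` fall back to `Object` identity, each login of the same user is stored under a different key, the registry cannot find that user's existing sessions, and the maximum-sessions limit described just above is not enforced for that user. Suggested wording for the middle sentences: "The default `SessionRegistryImpl` keeps an in-memory map keyed by the principal object, and it uses `equals()` and `hashCode()` to find the sessions that belong to a user." followed by "If these methods are not overridden, sessions for the same user are not grouped together and concurrent session control cannot limit or expire them correctly." Also worth checking whether this file already introduces `SessionRegistry` earlier; if so, the note reads more naturally next to that introduction than after the sample link.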