From a362ab53bc2b92e8fdc1f75f77f1c46303e3d48a Mon Sep 17 00:00:00 2001
From: Alexander Polozov <polozov.dev@gmail.com>
Date: Tue, 27 Oct 2020 02:30:28 +0400
Subject: [PATCH] Change guard expressions order

Check of allowed user sessions count moved to head for avoid unnecessary fetching all user sessions.
---
 ...urrentSessionControlAuthenticationStrategy.java | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/web/src/main/java/org/springframework/security/web/authentication/session/ConcurrentSessionControlAuthenticationStrategy.java b/web/src/main/java/org/springframework/security/web/authentication/session/ConcurrentSessionControlAuthenticationStrategy.java
index 7e96cf3d75..c35a80c526 100644
--- a/web/src/main/java/org/springframework/security/web/authentication/session/ConcurrentSessionControlAuthenticationStrategy.java
+++ b/web/src/main/java/org/springframework/security/web/authentication/session/ConcurrentSessionControlAuthenticationStrategy.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2019 the original author or authors.
+ * Copyright 2002-2020 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -94,17 +94,17 @@ public class ConcurrentSessionControlAuthenticationStrategy
 	@Override
 	public void onAuthentication(Authentication authentication, HttpServletRequest request,
 			HttpServletResponse response) {
-		List<SessionInformation> sessions = this.sessionRegistry.getAllSessions(authentication.getPrincipal(), false);
-		int sessionCount = sessions.size();
 		int allowedSessions = getMaximumSessionsForThisUser(authentication);
-		if (sessionCount < allowedSessions) {
-			// They haven't got too many login sessions running at present
-			return;
-		}
 		if (allowedSessions == -1) {
 			// We permit unlimited logins
 			return;
 		}
+		List<SessionInformation> sessions = this.sessionRegistry.getAllSessions(authentication.getPrincipal(), false);
+		int sessionCount = sessions.size();
+		if (sessionCount < allowedSessions) {
+			// They haven't got too many login sessions running at present
+			return;
+		}
 		if (sessionCount == allowedSessions) {
 			HttpSession session = request.getSession(false);
 			if (session != null) {