From ad43d433b40e867de62332f1868d75e46da7c81b Mon Sep 17 00:00:00 2001
From: Luke Taylor <luke.taylor@springsource.com>
Date: Thu, 30 Aug 2007 19:04:18 +0000
Subject: [PATCH] SEC-484: Fix for NPE concurreny issue. Also reinstated
 synchronized on registerNewSession (had removed it for testing).

---
 .../acegisecurity/concurrent/SessionRegistryImpl.java  | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/core/src/main/java/org/acegisecurity/concurrent/SessionRegistryImpl.java b/core/src/main/java/org/acegisecurity/concurrent/SessionRegistryImpl.java
index 8c5c790eaf..43aa401920 100644
--- a/core/src/main/java/org/acegisecurity/concurrent/SessionRegistryImpl.java
+++ b/core/src/main/java/org/acegisecurity/concurrent/SessionRegistryImpl.java
@@ -79,6 +79,10 @@ public class SessionRegistryImpl implements SessionRegistry, ApplicationListener
 				String sessionId = (String) iter.next();
 				SessionInformation sessionInformation = getSessionInformation(sessionId);
 
+                if (sessionInformation == null) {
+                    continue;
+                }
+
                 if (includeExpiredSessions || !sessionInformation.isExpired()) {
 					list.add(sessionInformation);
 				}
@@ -111,7 +115,7 @@ public class SessionRegistryImpl implements SessionRegistry, ApplicationListener
 		}
 	}
 
-	public void registerNewSession(String sessionId, Object principal) {
+	public synchronized void registerNewSession(String sessionId, Object principal) {
 		Assert.hasText(sessionId, "SessionId required as per interface contract");
 		Assert.notNull(principal, "Principal required as per interface contract");
 
@@ -143,7 +147,7 @@ public class SessionRegistryImpl implements SessionRegistry, ApplicationListener
 
 		if (info != null) {
             if (logger.isDebugEnabled()) {
-                logger.debug("Removing " + sessionId + " from set of registered sessions");
+                logger.debug("Removing session " + sessionId + " from set of registered sessions");
             }
             sessionIds.remove(sessionId);
 
@@ -152,7 +156,7 @@ public class SessionRegistryImpl implements SessionRegistry, ApplicationListener
             if (sessionsUsedByPrincipal != null) {
 				synchronized (sessionsUsedByPrincipal) {
                     if (logger.isDebugEnabled()) {
-                        logger.debug("Removing " + sessionId + " from principal's set of registered sessions");
+                        logger.debug("Removing session " + sessionId + " from principal's set of registered sessions");
                     }
 
 					sessionsUsedByPrincipal.remove(sessionId);