Remove Redundant ConcurrentSessionFilter Refs

Fixes gh-8105
2025-03-27 10:28:33 +00:00 · 2020-03-13 16:20:59 -06:00 · 2020-03-13 16:20:59 -06:00 · bfd36d9a54
commit bfd36d9a54
parent 7411f25474
3 changed files with 5 additions and 8 deletions
--- a/config/src/main/java/org/springframework/security/config/annotation/web/HttpSecurityBuilder.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/HttpSecurityBuilder.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2013 the original author or authors.
+ * Copyright 2002-2020 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -136,14 +136,12 @@ public interface HttpSecurityBuilder<H extends HttpSecurityBuilder<H>> extends
 	 *
 	 * <ul>
 	 * <li>{@link ChannelProcessingFilter}</li>
-	 * <li>{@link ConcurrentSessionFilter}</li>
 	 * <li>{@link SecurityContextPersistenceFilter}</li>
 	 * <li>{@link LogoutFilter}</li>
 	 * <li>{@link X509AuthenticationFilter}</li>
 	 * <li>{@link AbstractPreAuthenticatedProcessingFilter}</li>
 	 * <li><a href="{@docRoot}/org/springframework/security/cas/web/CasAuthenticationFilter.html">CasAuthenticationFilter</a></li>
 	 * <li>{@link UsernamePasswordAuthenticationFilter}</li>
-	 * <li>{@link ConcurrentSessionFilter}</li>
 	 * <li>{@link OpenIDAuthenticationFilter}</li>
 	 * <li>{@link org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter}</li>
 	 * <li>{@link org.springframework.security.web.authentication.ui.DefaultLogoutPageGeneratingFilter}</li>
--- a/config/src/main/java/org/springframework/security/config/annotation/web/builders/FilterComparator.java
+++ b/config/src/main/java/org/springframework/security/config/annotation/web/builders/FilterComparator.java
@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2013 the original author or authors.
+ * Copyright 2002-2020 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@ -63,7 +63,7 @@ final class FilterComparator implements Comparator<Filter>, Serializable {
 	FilterComparator() {
 		Step order = new Step(INITIAL_ORDER, ORDER_STEP);
 		put(ChannelProcessingFilter.class, order.next());
-		put(ConcurrentSessionFilter.class, order.next());
+		order.next(); // gh-8105
 		put(WebAsyncManagerIntegrationFilter.class, order.next());
 		put(SecurityContextPersistenceFilter.class, order.next());
 		put(HeaderWriterFilter.class, order.next());
@ -87,7 +87,7 @@ final class FilterComparator implements Comparator<Filter>, Serializable {
 				"org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationFilter",
 				order.next());
 		put(UsernamePasswordAuthenticationFilter.class, order.next());
-		put(ConcurrentSessionFilter.class, order.next());
+		order.next(); // gh-8105
 		filterToOrder.put(
 				"org.springframework.security.openid.OpenIDAuthenticationFilter", order.next());
 		put(DefaultLoginPageGeneratingFilter.class, order.next());
--- a/docs/manual/src/docs/asciidoc/_includes/servlet/architecture/security-filters.adoc
+++ b/docs/manual/src/docs/asciidoc/_includes/servlet/architecture/security-filters.adoc
@ -9,7 +9,6 @@ However, there are times that it is beneficial to know the ordering
 Below is a comprehensive list of Spring Security Filter ordering:

 * ChannelProcessingFilter
-* ConcurrentSessionFilter
 * WebAsyncManagerIntegrationFilter
 * SecurityContextPersistenceFilter
 * HeaderWriterFilter
@ -24,10 +23,10 @@ Below is a comprehensive list of Spring Security Filter ordering:
 * OAuth2LoginAuthenticationFilter
 * Saml2WebSsoAuthenticationFilter
 * <<servlet-authentication-usernamepasswordauthenticationfilter,`UsernamePasswordAuthenticationFilter`>>
-* ConcurrentSessionFilter
 * OpenIDAuthenticationFilter
 * DefaultLoginPageGeneratingFilter
 * DefaultLogoutPageGeneratingFilter
+* ConcurrentSessionFilter
 * <<servlet-authentication-digest,`DigestAuthenticationFilter`>>
 * BearerTokenAuthenticationFilter
 * <<servlet-authentication-basic,`BasicAuthenticationFilter`>>