SEC-266: Handle -1 allowing unlimited logins, as per JavaDocs.

core/src/main/java/org/acegisecurity/concurrent/ConcurrentSessionControllerImpl.java

@@ -121,6 +121,10 @@ public class ConcurrentSessionControllerImpl
             "getMaximumSessionsForThisUser() must return either -1 to allow unlimited logins, or a positive integer to specify a maximum");
 
         if (sessionCount < allowableSessions) {
+        	// They haven't got too many login sessions running at present
+            return;
+        } else if (allowableSessions == -1) {
+        	// We permit unlimited logins
         	return;
         } else if (sessionCount == allowableSessions) {
             // Only permit it though if this request is associated with one of the sessions