Found this note to be quite important and relevant:
> "[21] Authentication by mechanisms which perform a redirect after
> authenticating (such as form-login) will not be detected by
> SessionManagementFilter, as the filter will not be invoked during the
> authenticating request. Session-management functionality has to be
> handled separately in these cases."
Also, apparently a lot of people have trouble getting _sessionRegistry.getAllPrincipals()_ to return something other than an empty array. In my case, I fixed it by adding the _sessionAuthenticationStrategy_ to my custom _authenticationFilter_:
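```java
import java.util.ArrayList;
import java.util.List;
import org.springframework.context.annotation.Bean;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.authentication.session.CompositeSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.RegisterSessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionAuthenticationStrategy;
import org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy;

@Bean
public CustomUsernamePasswordAuthenticationFilter authenticationFilter() throws Exception {
    ...
    // Run the session strategy from the authentication filter itself
    authenticationFilter.setSessionAuthenticationStrategy(sessionAuthenticationStrategy());
    return authenticationFilter;
}

@Bean
public SessionRegistry sessionRegistry() {
    return new SessionRegistryImpl();
}

public SessionAuthenticationStrategy sessionAuthenticationStrategy() {
    List<SessionAuthenticationStrategy> stratList = new ArrayList<>();
    // Create a fresh session on login (session fixation protection)
    SessionFixationProtectionStrategy concStrat = new SessionFixationProtectionStrategy();
    stratList.add(concStrat);
    // Record the authenticated session in the shared SessionRegistry
    RegisterSessionAuthenticationStrategy regStrat = new RegisterSessionAuthenticationStrategy(sessionRegistry());
    stratList.add(regStrat);
    CompositeSessionAuthenticationStrategy compStrat = new CompositeSessionAuthenticationStrategy(stratList);
    return compStrat;
}
```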
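
An added example, not part of the original post: what the registry holds once `RegisterSessionAuthenticationStrategy` is wired in, and how the populated registry can be used to revoke every live session of one account. The class name `SessionRegistryCheck`, the helper `expireAllSessions`, the session ids and the user names are constructed for illustration.

```java
import java.util.List;
import org.springframework.security.core.session.SessionInformation;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;

public class SessionRegistryCheck {

    /** Marks every non-expired session of the principal as expired; returns the count. */
    static int expireAllSessions(SessionRegistry registry, Object principal) {
        List<SessionInformation> live = registry.getAllSessions(principal, false);
        live.forEach(SessionInformation::expireNow);
        return live.size();
    }

    public static void main(String[] args) {
        SessionRegistry registry = new SessionRegistryImpl();

        // Without a registering strategy nothing is ever recorded:
        // this is the empty getAllPrincipals() symptom from the post.
        System.out.println("principals before login: " + registry.getAllPrincipals());

        // RegisterSessionAuthenticationStrategy makes this call after a
        // successful authentication, with the real session id and principal.
        // Constructed sample values:
        registry.registerNewSession("constructed-session-1", "alice");
        registry.registerNewSession("constructed-session-2", "alice");
        registry.registerNewSession("constructed-session-3", "bob");
        System.out.println("principals after login: " + registry.getAllPrincipals());

        // Lookups are keyed on the principal object, so a custom UserDetails
        // class needs equals() and hashCode() for getAllSessions() to match.
        int revoked = expireAllSessions(registry, "alice");
        System.out.println("sessions expired for alice: " + revoked);
        System.out.println("live sessions left for alice: "
                + registry.getAllSessions("alice", false).size());
        System.out.println("live sessions left for bob: "
                + registry.getAllSessions("bob", false).size());

        // On session destruction the registry entry is removed like this;
        // in a servlet container HttpSessionEventPublisher delivers the event.
        registry.removeSessionInformation("constructed-session-3");
        System.out.println("principals after bob's session ended: "
                + registry.getAllPrincipals());
    }
}
```

Marking a session expired only sets a flag in the registry; requests on that session are rejected only when `ConcurrentSessionFilter` is in the filter chain. Entries for destroyed sessions are cleaned up only when `HttpSessionEventPublisher` is registered as a listener.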