ACEGI @ ConcurrentSessionFilter

this filter must be first in the filter chan.it use for concurrentSessionController.in ConcurrentSessionFilter,u must remove the expired
session info,other wise the expired ie will expired for ever.
(because some times after
session.invalidate(),the HttpSession session = httpRequest.getSession(false) not null.I don't know weathe is the problem of the
servlet)

and it also set the session.invalidate(),this will clear the context in the session.

the HttpSessionContextIntegrationFilter will create a new security
context in the session or get the security context from the session
if the session is not invalidate. SecurityContextHolder.setContext
will invoked each request because it may be that in the filter chain the context in SecurityContextHolder has chaned.

I see some people invokeing sessionRegistry.removeSessionInformation(session.getId()); in the logout filter.it seems needless.


[code]getSession
public HttpSession getSession(boolean create)Returns the current HttpSession associated with this request or, if if there is no current session and create is true, returns a new session.
If create is false and the request has no valid HttpSession, this method returns null.

To make sure the session is properly maintained, you must call this method before the response is committed. If the container is using cookies to maintain session integrity and is asked to create a new session when the response is committed, an IllegalStateException is thrown.

[/code]