
SEC-1372: Return an empty list rather than null from SessionRegistryImpl.getAllSessions()

If the principal has no sessions, null is returned which contradicts the interface contract. In practice it didn't matter as the null was checked for, but it is cleaner to disallow a null value.
Luke Taylor 15 years ago
parent
commit
1a7f71fc0f

+ 1 - 1
core/src/main/java/org/springframework/security/core/session/SessionRegistryImpl.java

@@ -62,7 +62,7 @@ public class SessionRegistryImpl implements SessionRegistry, ApplicationListener
         final Set<String> sessionsUsedByPrincipal = principals.get(principal);
 
         if (sessionsUsedByPrincipal == null) {
-            return null;
+            return Collections.emptyList();
         }
 
         List<SessionInformation> list = new ArrayList<SessionInformation>(sessionsUsedByPrincipal.size());
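Review bot: `return Collections.emptyList();` hands callers an immutable list when the principal has no sessions, while the populated path just below builds a mutable `ArrayList`. A caller that modifies the result would therefore fail with UnsupportedOperationException only in the no-session case. Either return `new ArrayList<SessionInformation>(0)` here, or state the contract in the method's Javadoc, e.g. `@return the sessions for the principal, never null; callers must not modify the returned list`. The import block is not in the hunk, so confirm `java.util.Collections` is imported. The method starts and ends outside the hunk.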

+ 2 - 2
core/src/test/java/org/springframework/security/core/session/SessionRegistryImplTests.java

@@ -117,7 +117,7 @@ public class SessionRegistryImplTests {
 
         // Check attempts to retrieve cleared session return null
         assertNull(sessionRegistry.getSessionInformation(sessionId));
-        assertNull(sessionRegistry.getAllSessions(principal, false));
+        assertEquals(0, sessionRegistry.getAllSessions(principal, false).size());
     }
 
     @Test
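Review bot: The comment `// Check attempts to retrieve cleared session return null` no longer matches the assertion changed below it, because `getAllSessions` is now expected to return an empty list. Reword it along the lines of `// A cleared session yields null from getSessionInformation and an empty list from getAllSessions`. In addition, `assertEquals(0, ...size())` would report a regression to null as a NullPointerException rather than an assertion failure; an `assertNotNull` on the returned list before the size check would pin the new contract directly. The hunk at line 168 uses the same assertion form. Both test methods begin outside their hunks.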
@@ -168,7 +168,7 @@ public class SessionRegistryImplTests {
 
         sessionRegistry.removeSessionInformation(sessionId2);
         assertNull(sessionRegistry.getSessionInformation(sessionId2));
-        assertNull(sessionRegistry.getAllSessions(principal, false));
+        assertEquals(0, sessionRegistry.getAllSessions(principal, false).size());
     }
 
     private boolean contains(String sessionId, Object principal) {

+ 1 - 1
web/src/main/java/org/springframework/security/web/authentication/session/ConcurrentSessionControlStrategy.java

@@ -69,7 +69,7 @@ public class ConcurrentSessionControlStrategy extends SessionFixationProtectionS
 
         final List<SessionInformation> sessions = sessionRegistry.getAllSessions(authentication.getPrincipal(), false);
 
-        int sessionCount = sessions == null ? 0 : sessions.size();
+        int sessionCount = sessions.size();
         int allowedSessions = getMaximumSessionsForThisUser(authentication);
 
         if (sessionCount < allowedSessions) {
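Review bot: `int sessionCount = sessions.size();` now relies on every SessionRegistry implementation honouring the non-null contract, not just SessionRegistryImpl. The declared type of `sessionRegistry` is not visible here, but if it is the interface, a custom registry that still returns null would presumably turn each authentication through this strategy into a NullPointerException. That fails closed, so the session limit is not bypassed, but the cause would be hard to diagnose. Consider a comment above the call, such as `// SessionRegistry contract: getAllSessions never returns null`, or an explicit non-null check with a descriptive message. The enclosing method starts and ends outside the hunk.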