
Remove Redundant ConcurrentSessionFilter Refs

Fixes gh-8105
Josh Cummings 5 years ago
commit
bfd36d9a54

+ 1 - 3
config/src/main/java/org/springframework/security/config/annotation/web/HttpSecurityBuilder.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2013 the original author or authors.
+ * Copyright 2002-2020 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -136,14 +136,12 @@ public interface HttpSecurityBuilder<H extends HttpSecurityBuilder<H>> extends
 	 *
 	 * <ul>
 	 * <li>{@link ChannelProcessingFilter}</li>
-	 * <li>{@link ConcurrentSessionFilter}</li>
 	 * <li>{@link SecurityContextPersistenceFilter}</li>
 	 * <li>{@link LogoutFilter}</li>
 	 * <li>{@link X509AuthenticationFilter}</li>
 	 * <li>{@link AbstractPreAuthenticatedProcessingFilter}</li>
 	 * <li><a href="{@docRoot}/org/springframework/security/cas/web/CasAuthenticationFilter.html">CasAuthenticationFilter</a></li>
 	 * <li>{@link UsernamePasswordAuthenticationFilter}</li>
-	 * <li>{@link ConcurrentSessionFilter}</li>
 	 * <li>{@link OpenIDAuthenticationFilter}</li>
 	 * <li>{@link org.springframework.security.web.authentication.ui.DefaultLoginPageGeneratingFilter}</li>
 	 * <li>{@link org.springframework.security.web.authentication.ui.DefaultLogoutPageGeneratingFilter}</li>

+ 3 - 3
config/src/main/java/org/springframework/security/config/annotation/web/builders/FilterComparator.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2013 the original author or authors.
+ * Copyright 2002-2020 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -63,7 +63,7 @@ final class FilterComparator implements Comparator<Filter>, Serializable {
 	FilterComparator() {
 		Step order = new Step(INITIAL_ORDER, ORDER_STEP);
 		put(ChannelProcessingFilter.class, order.next());
-		put(ConcurrentSessionFilter.class, order.next());
+		order.next(); // gh-8105
 		put(WebAsyncManagerIntegrationFilter.class, order.next());
 		put(SecurityContextPersistenceFilter.class, order.next());
 		put(HeaderWriterFilter.class, order.next());
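Review bot: The replacement line `order.next(); // gh-8105` discards a step with only an issue number as explanation, so a later maintainer could delete it as dead code and shift the order value of every filter registered after it. If the skip is there to keep those values stable (it looks that way, but the commit does not say so), the comment should state it, for example `order.next(); // slot of a former redundant ConcurrentSessionFilter entry (gh-8105); kept so later filters keep their order values`. The same applies to the second occurrence, after `UsernamePasswordAuthenticationFilter`. The registration that now fixes ConcurrentSessionFilter's position is outside these hunks, as is the rest of the constructor body. It is worth confirming, ideally with a comparator test, that the session-concurrency check still sorts where the updated docs place it, after `DefaultLogoutPageGeneratingFilter`.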
@@ -87,7 +87,7 @@ final class FilterComparator implements Comparator<Filter>, Serializable {
 				"org.springframework.security.saml2.provider.service.servlet.filter.Saml2WebSsoAuthenticationFilter",
 				order.next());
 		put(UsernamePasswordAuthenticationFilter.class, order.next());
-		put(ConcurrentSessionFilter.class, order.next());
+		order.next(); // gh-8105
 		filterToOrder.put(
 				"org.springframework.security.openid.OpenIDAuthenticationFilter", order.next());
 		put(DefaultLoginPageGeneratingFilter.class, order.next());

+ 1 - 2
docs/manual/src/docs/asciidoc/_includes/servlet/architecture/security-filters.adoc

@@ -9,7 +9,6 @@ However, there are times that it is beneficial to know the ordering
 Below is a comprehensive list of Spring Security Filter ordering:
 
 * ChannelProcessingFilter
-* ConcurrentSessionFilter
 * WebAsyncManagerIntegrationFilter
 * SecurityContextPersistenceFilter
 * HeaderWriterFilter
@@ -24,10 +23,10 @@ Below is a comprehensive list of Spring Security Filter ordering:
 * OAuth2LoginAuthenticationFilter
 * Saml2WebSsoAuthenticationFilter
 * <<servlet-authentication-usernamepasswordauthenticationfilter,`UsernamePasswordAuthenticationFilter`>>
-* ConcurrentSessionFilter
 * OpenIDAuthenticationFilter
 * DefaultLoginPageGeneratingFilter
 * DefaultLogoutPageGeneratingFilter
+* ConcurrentSessionFilter
 * <<servlet-authentication-digest,`DigestAuthenticationFilter`>>
 * BearerTokenAuthenticationFilter
 * <<servlet-authentication-basic,`BasicAuthenticationFilter`>>