Skip to content

Commit 2ddb665

Browse files
authored
Add note about overriding equals() and hashCode() in custom UserDetails
This commit adds a documentation note explaining the importance of overriding equals() and hashCode() in custom UserDetails implementations. The default SessionRegistryImpl in Spring Security uses an in-memory ConcurrentMap<Object, Set<String>>, Map<String,SessionInformation> to associate principals with sessions. If a custom UserDetails class does not properly override equals() and hashCode(), user sessions may not be tracked or matched correctly. I believe this helps developers avoid subtle session management issues when implementing custom authentication logic. Signed-off-by: Gurunathan <[email protected]>
1 parent 665a34d commit 2ddb665

File tree

1 file changed

+7
-0
lines changed

1 file changed

+7
-0
lines changed

docs/modules/ROOT/pages/servlet/authentication/session-management.adoc

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -589,6 +589,13 @@ public class MaximumSessionsPreventLoginTests {
589589
If you are using a customized authentication filter for form-based login, then you have to configure concurrent session control support explicitly.
590590
You can try it using the {gh-samples-url}/servlet/spring-boot/java/session-management/maximum-sessions-prevent-login[Maximum Sessions Prevent Login sample].
591591

592+
[NOTE]
593+
=====
594+
If you are using a custom implementation of `UserDetails`, ensure you override the **equals()** and **hashCode()** methods.
595+
The default `SessionRegistry` implementation in Spring Security relies on an in-memory Map that uses these methods to correctly identify and manage user sessions.
596+
Failing to override them may lead to issues where session tracking and user comparison behave unexpectedly.
597+
=====
598+
592599
== Detecting Timeouts
593600

594601
Sessions expire on their own, and there is nothing that needs to be done to ensure that a security context gets removed.

0 commit comments

Comments
 (0)