我使用ConcurrentSessionControlStrategy和自己的sessionRegistry实现进行了有效的配置。我升级到Spring Security 3.2.4，不得不将ConcurrentSessionControlStrategy更改为ConcurrentSessionControlAuthenticationStrategy。现在看来sessionRegistry没有连接，这意味着ConcurrentSessionControlAuthenticationStrategy.onAuthenticaton没有输入sessionRegistry.registerNewSession。该怎么办？

我的配置xml:

    <security:http use-expressions="true" auto-config="false"
        entry-point-ref="loginUrlAuthenticationEntryPoint">


        <security:intercept-url pattern="/**"
            access="isAuthenticated()" />

        <security:custom-filter position="FORM_LOGIN_FILTER"
            ref="twoFactorAuthenticationFilter" />



        <security:logout logout-url="/player/logout"
            logout-success-url="/demo/player/logoutSuccess" />

        <security:session-management>
            <security:concurrency-control
                max-sessions="1" session-registry-ref="clusteredSessionRegistryImpl"
                error-if-maximum-exceeded="false" />
        </security:session-management>

    </security:http>



    <bean
        class="org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy">
        <constructor-arg ref="clusteredSessionRegistryImpl" />
        <property name="maximumSessions" value="1" />
    </bean>

    <bean id="loginUrlAuthenticationEntryPoint"
        class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
        <property name="loginFormUrl" value="/demo/player/login?login_error=true" />
    </bean>

    <bean id="twoFactorAuthenticationFilter" class="com.XXX.filter.TwoFactorAuthenticationFilter">
        <property name="authenticationManager" ref="authenticationManager" />
        <property name="authenticationFailureHandler" ref="failureHandler" />
        <property name="authenticationSuccessHandler" ref="playerAuthenticationSuccessHandler" />
        <property name="postOnly" value="true" />
    </bean>


    <bean id="failureHandler"
        class="org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler">
        <property name="defaultFailureUrl" value="/login?login_error=true" />

    </bean>

    <bean id="bCryptPasswordEncoder"
        class="org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder" />

    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider
            ref="authenticationProvider">
        </security:authentication-provider>
    </security:authentication-manager>

</beans>

似乎我迟到了答案，但无论如何..
ConcurrentSessionControlStrategy的功能现在完全分为三种策略-ConcurrentSessionControlAuthenticationStrategy，SessionFixationProtectionStrategy和RegisterSessionAuthenticationStrategy。

要拥有正确的替代者，您应该使用CompositeSessionAuthenticationStrategy以提及的顺序添加这三个代表。

因此，恐怕在弃用注释中错误地提到了ConcurrentSessionControlAuthenticationStrategy来替代ConcurrentSessionControlStrategy。至少需要RegisterSessionAuthenticationStrategy的可用性才能维护SessionRegistry。否则，SessionRegistry保持为空，并且“替换”始终报告“确定”。

我猜想，该方法已更改为使其更加灵活，可以使用多个处理程序作为委托(而不是一个)(使用CompositeSessionAuthenticationStrategy，您可以让任意数量的SessionAuthenticationStrategy进行独立的 :)事情)。