Hi, I working on a Wicket frontend to AppFuse and I would like to consult one Spring Security related thing. Wicket doesn't allow to use custom values in form actions and I cannot direct user's browser to /j_security_check after Login button is clicked. I mitigated it using AuthenticationManager.authenticate() directly (with username and password read from a form as described in a documentation) and it generally works fine.

Recently I wanted to use ConcurrentSessionControlStrategy, but when j_security_check (and UsernamePasswordAuthenticationFilter) is omitted ConcurrentSessionControlStrategy doesn't know about newly logged user. I can directly call onAuthentication() on it (together with HttpSessionEventPublisher to detect when a session is destroyed), but it doesn't look good and I worry I can miss something important in some other place.

Two questions:
1. Can I somehow simulate calling functions offered by SessionManagementFilter (and its friends) without direct an user to /j_security_check?
2. Is it safe to use directly ConcurrentSessionControlStrategy.onAuthentication( ) (or just SessionRegistry.registerNewSession() to get a list of active users later)?

Marcin