spring获取不到在线用户数,列表为空，getAllPrincipals()获取不到

XML是照着文档编写的，启动也没报错

<custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter" />
       <!-- 增加一个自定义的filter，放在FILTER_SECURITY_INTERCEPTOR之前，
                                  实现用户、角色、权限、资源的数据库管理。  -->
        <custom-filter ref="myFilter" before="FILTER_SECURITY_INTERCEPTOR"/> 

       <session-management invalid-session-url="/jsp/common/sessionTimeout.jsp"  session-authentication-strategy-ref="sas"/>
 <beans:bean id="concurrencyFilter" class="org.springframework.security.web.session.ConcurrentSessionFilter">
        <beans:property name="sessionRegistry" ref="sessionRegistry" />
        <beans:property name="expiredUrl" value="/jsp/common/session-expired.jsp" />
        <beans:property name="logoutHandlers">  
            <beans:list>
               <beans:ref local="logoutHandler"/>
            </beans:list> 
        </beans:property>  
    </beans:bean>

    <!-- 注销监听器  -->  
    <beans:bean id="logoutHandler"  
        class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler">  
        <beans:property name="InvalidateHttpSession" value="true" />  
    </beans:bean>

   <beans:bean id="sas"  
    class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">  
    <beans:constructor-arg name="sessionRegistry" ref="sessionRegistry" />
    <beans:property name="maximumSessions" value="1" />
   </beans:bean>

   <beans:bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl"/>

然后写了一个controller，方法如下

 @Autowired  PermissionService permissionService;

    @Autowired  
    @Qualifier("sessionRegistry")
    SessionRegistry sessionRegistry;


    //@Resource(name="sessionRegistry")
    ///private SessionRegistryImpl sessionRegistry;
    /**
     * 强制让用户下线
     * @throws Exception 
     */
    @RequestMapping("/shotOff")
    @ResponseBody
    public Map<String, Object> shotOff(String username) throws Exception{

        Map<String, Object> map = new HashMap<String, Object>();

        SysUsersCustom sysUsersCustom = new SysUsersCustom();

        sysUsersCustom.setUserAccount(username);

        SysUsersCustom users = permissionService.selectLoginerInfoByUserAccount(sysUsersCustom, username);

        //用户列表
        List<Object> userList=sessionRegistry.getAllPrincipals();  

        for(int i=0; i<userList.size(); i++){  
            User userTemp=(User) userList.get(i);
            if(userTemp.getUsername().equals(username))
            {
                List<SessionInformation> sessionInformationList = sessionRegistry.getAllSessions(userTemp, false);
                if (sessionInformationList!=null) {   
                    for (SessionInformation sis : sessionInformationList) {  
                        sis.expireNow();  
                        sessionRegistry.removeSessionInformation(sis.getSessionId());  
                        String remark=userTemp.getUsername()+"被管理员"+Common.findAuthenticatedUsername()+"踢出";  
                        //loginLogService.logoutLog(userTemp, sessionId, remark);     //记录注销日志和减少在线用户1个  
                        //logger.info(userTemp.getId()+"  "+userTemp.getName()+"用户会话销毁，" + remark);
                        System.out.print(remark);

                    }
                    map.put("status", "y");
                    map.put("info", "强制下线成功！");
                }else{
                    map.put("status", "n");
                    map.put("info", "用户会话信息不存在！");
                }
            }else{
                map.put("status", "n");
                map.put("info", "记录表中不存在当前用户！");
            }
        }

        return map;
    }

但sessionRegistry.getAllPrincipals()一直获取不到在线用户数，不知道问题出在哪里