I'm learning Spring. Doing the login/logout functionality. This is what my controller looks like:
    @RequestMapping(value="/successfulLoginAuth", method=RequestMethod.GET)
    public ModelAndView postHttpLogin(HttpSession session, Authentication authInfo)
    {
        ModelAndView mav = new ModelAndView();
        mav.setViewName("redirect:/index.html");
        session.setAttribute("authInfo", authInfo);
        return mav;
    }
The login is performed via Spring Security using a DAO service which I have implemented. That works fine.
This is the content of index.jsp:
    <%
        HttpSession session1 = request.getSession(false);
        Authentication authInfo;
        if( (session1 != null) &&
            ( (authInfo = (Authentication)session1.getAttribute("authInfo")) != null)
          )
        {
            out.print(" yo " + authInfo.getName() + " " + authInfo.getAuthorities().iterator().next().getAuthority());
        }
        else
        {
    %>
    <a href="${pageContext.request.contextPath}/registration">New? Sign Up!</a><br/>
    <a href="${pageContext.request.contextPath}/login">Existing? Sign In!</a><br/>
    <%} %>
When I log in and restart the server, I'm still logged in. Shouldn't the session information be lost after a server restart? If I restart the browser, it works as it should (i.e. the session info is lost).
This is my Spring Security configuration:
    <http auto-config="true" use-expressions="true">
        <intercept-url pattern="/" access="permitAll" />
        <intercept-url pattern="/logout" access="permitAll" />
        <intercept-url pattern="/accessdenied" access="permitAll" />
        <form-login login-page="/login" default-target-url="/successfulLoginAuth" authentication-failure-url="/accessdenied" />
        <logout logout-success-url="/logout" />
    </http>
    <authentication-manager>
        <authentication-provider user-service-ref="myUserDetailsService"></authentication-provider>
    </authentication-manager>
I'm assuming you are using Tomcat, which uses a Manager component to persist sessions between application life-cycles. You can change all those settings in the Manager component configuration.
I think it also depends on the kind of changes you make. Eclipse's plugin for Tomcat server will decide if it should flush the serialized HttpSessions or not.
I am guessing you are using Tomcat.
From the docs, on the SaveOnRestart property:
Should all sessions be persisted and reloaded when Tomcat is shut down and restarted (or when this application is reloaded)? By default, this attribute is set to true.
You can control this by changing the property to false in your context.xml:
    <Manager pathname="">
        <saveOnRestart>false</saveOnRestart>
    </Manager>
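An added example, not part of the answers above and not the project's own configuration: two alternative `META-INF/context.xml` files for the web application that stop Tomcat from carrying sessions across a restart. Tomcat reads Manager settings as XML attributes; the file location and the `sessions` store directory are assumptions for illustration.

```xml
<!-- Option A: keep Tomcat's default StandardManager, but give it an empty
     pathname. With the default pathname (SESSIONS.ser) every active session,
     including the serialized Authentication object stored under "authInfo",
     is written to the context's work directory at shutdown and read back at
     startup. An empty pathname turns that off. -->
<Context>
    <Manager pathname="" />
</Context>

<!-- Option B (a separate context.xml, not to be combined with option A):
     switch to PersistentManager, which is the manager that has the
     saveOnRestart attribute quoted from the docs above, and set it to false.
     PersistentManager needs a nested Store; FileStore is used here and its
     directory value is an assumed example. -->
<Context>
    <Manager className="org.apache.catalina.session.PersistentManager"
             saveOnRestart="false">
        <Store className="org.apache.catalina.session.FileStore"
               directory="sessions" />
    </Manager>
</Context>
```

With either file in place, the `authInfo` attribute set by the question's controller is no longer restored after a restart, so the user has to log in again.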