I'm using Spring / Spring Security 3.1 and want to take some action whenever the user logs out (or if the session times out). I managed to get the action done for logout, but for session timeout I can't get it working.
In web.xml I only have the ContextLoaderListener specified (can this be the issue?) and of course the DelegatingFilterProxy.
I use the auto config like this.
    <security:http auto-config="false" use-expressions="false">
        <security:intercept-url pattern="/dialog/*" access="ROLE_USERS" />
        <security:intercept-url pattern="/boa/*" access="ROLE-USERS" />
        <security:intercept-url pattern="/*.html" access="ROLE-USERS" />
        <security:form-login login-page="/auth/login.html" default-target-url="/index.html" />
        <security:logout logout-url="/logout" invalidate-session="true"
                         delete-cookies="JSESSIONID" success-handler-ref="logoutHandler" />
    </security:http>

    <bean id="logoutHandler" class="com.bla.bla.bla.LogoutHandler">
        <property name="logoutUrl" value="/auth/logout.html"/>
    </bean>
The logout handler is called when the user clicks logout, which will make some calls to a database.
But how do I handle the session timeout?
One way to handle it would be to inject the username into the session when the user logs in and then use an ordinary HttpSessionListener and do the same thing on session timeout.
Is there a similar way with Spring Security, so that when Spring discovers that the session is about to time out, I can hook in there, access the Authentication, get the UserDetails from there and do the cleanup?
SessionManagementFilter in Spring Security: web.session.SessionManagementFilter. In XML configuration it is represented by the <session-management /> tag.
Enum SessionCreationPolicy: specifies the various session creation policies for Spring Security.
stateless – No session will be created or used by Spring Security.
I've got a simpler solution. This works for both logout and session timeout.
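    import java.util.List;

    import org.springframework.context.ApplicationListener;
    import org.springframework.security.core.context.SecurityContext;
    import org.springframework.security.core.session.SessionDestroyedEvent;
    import org.springframework.security.core.userdetails.UserDetails;
    import org.springframework.stereotype.Component;

    @Component
    public class LogoutListener implements ApplicationListener<SessionDestroyedEvent> {

        @Override
        public void onApplicationEvent(SessionDestroyedEvent event) {
            // One destroyed session may carry more than one security context.
            List<SecurityContext> lstSecurityContext = event.getSecurityContexts();
            UserDetails ud;
            for (SecurityContext securityContext : lstSecurityContext) {
                ud = (UserDetails) securityContext.getAuthentication().getPrincipal();
                // ...
            }
        }
    }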
web.xml:
    <listener>
        <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
    </listener>
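The plain HttpSessionListener route mentioned in the question also works without injecting the username at login, because Spring Security already keeps the SecurityContext in the session. The following is an added example, not code from the question or the answer; the class name `SessionCleanupListener` and the `cleanUp` hook are hypothetical, and the listener has to be registered with its own `<listener>` element in web.xml.

```java
import java.util.logging.Logger;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;

// Hypothetical listener: runs cleanup when the container destroys a session.
public class SessionCleanupListener implements HttpSessionListener {
    private static final Logger LOG = Logger.getLogger(SessionCleanupListener.class.getName());

    @Override
    public void sessionCreated(HttpSessionEvent event) {
        // Nothing to do when a session is created.
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent event) {
        HttpSession session = event.getSession();
        // Spring Security stores the SecurityContext under this session attribute.
        Object attr = session.getAttribute(
                HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY);
        if (!(attr instanceof SecurityContext)) {
            return; // the session never held an authenticated context
        }
        Authentication auth = ((SecurityContext) attr).getAuthentication();
        if (auth == null) {
            return;
        }
        Object principal = auth.getPrincipal();
        String username = (principal instanceof UserDetails)
                ? ((UserDetails) principal).getUsername()
                : String.valueOf(principal); // e.g. a plain String principal
        cleanUp(username, session.getId());
    }

    // Hypothetical hook: replace the log call with the database cleanup.
    protected void cleanUp(String username, String sessionId) {
        // Keep this idempotent: it also runs when logout invalidates the session.
        LOG.info("Session " + sessionId + " ended for user " + username);
    }
}
```

With `invalidate-session="true"` an explicit logout destroys the session too, so this listener fires for logout as well as timeout; cleanup that also runs in the logout handler will execute twice unless one of the two is removed.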