UPDATED QUESTION:
I have a spring-boot 1.1.3.RELEASE project that is using EmbeddedTomcat and Spring-Security. I posted this a while back but that question wasn't answered. (My apologies to those who saw that post and it didn't make sense. Hopefully this one is better.)
Here is my setup:
build.gradle:
    project.ext {
        springBootVersion = '1.1.3.RELEASE'
    }
    dependencies {
        compile("org.springframework.boot:spring-boot-starter-web:$springBootVersion")
        compile("org.springframework.boot:spring-boot-starter-thymeleaf")
        compile("org.springframework.boot:spring-boot-starter-security")
        compile("org.springframework.boot:spring-boot-starter-data-jpa:$springBootVersion")
        compile("org.springframework.security:spring-security-web:4.0.0.M1")
        compile("org.springframework.security:spring-security-config:4.0.0.M1")
        compile('org.thymeleaf.extras:thymeleaf-extras-springsecurity3:2.1.1.RELEASE')
        compile("org.hibernate:hibernate-core:4.3.4.Final")
        compile("org.hibernate:hibernate-entitymanager:4.3.4.Final")
        compile("org.hibernate:hibernate-validator")
        compile("com.h2database:h2:1.3.172")
        compile("joda-time:joda-time:2.3")
        // compile("org.thymeleaf:thymeleaf-spring4")
        compile("org.codehaus.groovy.modules.http-builder:http-builder:0.7.1")
        compile('org.codehaus.groovy:groovy-all:2.2.1')
        compile('org.jadira.usertype:usertype.jodatime:2.0.1')
        compile("org.liquibase:liquibase-core")
        testCompile('org.spockframework:spock-core:1.0-groovy-2.0-SNAPSHOT') {
            exclude group: 'org.codehaus.groovy', module: 'groovy-all'
        }
        testCompile('org.spockframework:spock-spring:1.0-groovy-2.0-SNAPSHOT') {
            exclude group: 'org.spockframework', module: 'spock-core'
            exclude group: 'org.spockframework', module: 'spring-beans'
            exclude group: 'org.spockframework', module: 'spring-test'
            exclude group: 'org.codehaus.groovy', module: 'groovy-all'
        }
        testCompile("org.springframework.boot:spring-boot-starter-test:$springBootVersion")
        testCompile('org.codehaus.groovy.modules.http-builder:http-builder:0.7+')
        testCompile("junit:junit")
    }
My Main Class:
    @ComponentScan
    @EnableAutoConfiguration
    @EnableGlobalMethodSecurity(securedEnabled = true)
    public class OFAC {
        public static void main(String[] args) {
            ApplicationContext ofac = SpringApplication.run( OFAC.class, args );
        }
    }
My primary configuration:
    @Configuration
    @EnableScheduling
    public class OFAConfiguration {
        @Autowired
        private ConfigurationSettings configurationSettings;

        @Bean
        @Order(Ordered.HIGHEST_PRECEDENCE)
        public EmbeddedServletContainerCustomizer servletContainerCustomizer() {
            return new SessionTimeoutEmbeddedServletContainerCustomizer();
        }
    }
And my embeddedServletContainer recommended by Marten:
    public class SessionTimeoutEmbeddedServletContainerCustomizer implements EmbeddedServletContainerCustomizer {
        @Autowired
        private ConfigurationSettings configurationSettings;

        @Override
        public void customize(ConfigurableEmbeddedServletContainer configurableEmbeddedServletContainer) {
            int port = 9000;
            TomcatEmbeddedServletContainerFactory tomcat = (TomcatEmbeddedServletContainerFactory) configurableEmbeddedServletContainer;
            if ( configurationSettings.getServerPort() != null ) {
                port = Integer.parseInt( configurationSettings.getServerPort() );
            }
            tomcat.setPort( port );
            tomcat.addErrorPages( new ErrorPage( HttpStatus.NOT_FOUND, "/notfound.html" ) );
        }
    }
And my Security Configuration:
    @Configuration
    @EnableWebMvcSecurity
    public class ApplicationSecurity extends WebSecurityConfigurerAdapter {
        @Autowired
        private DataSource datasource;

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests()
                    .antMatchers("/").permitAll()
                    .antMatchers("/resources/**").permitAll()
                    .antMatchers("/css/**").permitAll()
                    .antMatchers("/libs/**").permitAll();
            http
                .formLogin().failureUrl("/login?error")
                    .defaultSuccessUrl("/")
                    .loginPage("/login")
                    .permitAll()
                    .and()
                .logout().logoutRequestMatcher(new AntPathRequestMatcher("/logout")).logoutSuccessUrl("/")
                    .permitAll();
            http
                .sessionManagement()
                    .maximumSessions(1)
                        .expiredUrl("/login?expired")
                        .maxSessionsPreventsLogin(true)
                        .and()
                    .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
                    .invalidSessionUrl("/");
            http
                .authorizeRequests().anyRequest().authenticated();
        }
    }
and
    @Order(Ordered.HIGHEST_PRECEDENCE)
    @Configuration
    public class AuthenticationSecurity extends GlobalAuthenticationConfigurerAdapter {
        // no code actually
    }
In my application.properties I have a five minute timeout:
server.session-timeout=300
When I start up, I see the following log messages:
2014-07-08 14:02:18.735 INFO 69422 --- [ main] ationConfigEmbeddedWebApplicationContext : Refreshing org.springframework.boot.context.embedded.AnnotationConfigEmbeddedWebApplicationContext@340b9eec: startup date [Tue Jul 08 14:02:18 MDT 2014]; root of context hierarchy
2014-07-08 14:02:20.827 INFO 69422 --- [ main] trationDelegate$BeanPostProcessorChecker : Bean 'org.springframework.scheduling.annotation.SchedulingConfiguration' of type [class org.springframework.scheduling.annotation.SchedulingConfiguration$$EnhancerBySpringCGLIB$$75b53f01] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2014-07-08 14:02:20.983 INFO 69422 --- [ main] trationDelegate$BeanPostProcessorChecker : Bean 'org.springframework.transaction.annotation.ProxyTransactionManagementConfiguration' of type [class org.springframework.transaction.annotation.ProxyTransactionManagementConfiguration$$EnhancerBySpringCGLIB$$6ac51dc6] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2014-07-08 14:02:21.016 INFO 69422 --- [ main] trationDelegate$BeanPostProcessorChecker : Bean 'transactionAttributeSource' of type [class org.springframework.transaction.annotation.AnnotationTransactionAttributeSource] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2014-07-08 14:02:21.035 INFO 69422 --- [ main] trationDelegate$BeanPostProcessorChecker : Bean 'transactionInterceptor' of type [class org.springframework.transaction.interceptor.TransactionInterceptor] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2014-07-08 14:02:21.047 INFO 69422 --- [ main] trationDelegate$BeanPostProcessorChecker : Bean 'org.springframework.transaction.config.internalTransactionAdvisor' of type [class org.springframework.transaction.interceptor.BeanFactoryTransactionAttributeSourceAdvisor] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2014-07-08 14:02:21.097 INFO 69422 --- [ main] trationDelegate$BeanPostProcessorChecker : Bean 'org.springframework.security.config.annotation.configuration.ObjectPostProcessorConfiguration' of type [class org.springframework.security.config.annotation.configuration.ObjectPostProcessorConfiguration$$EnhancerBySpringCGLIB$$38601c80] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2014-07-08 14:02:21.118 INFO 69422 --- [ main] trationDelegate$BeanPostProcessorChecker : Bean 'objectPostProcessor' of type [class org.springframework.security.config.annotation.configuration.AutowireBeanFactoryObjectPostProcessor] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2014-07-08 14:02:21.120 INFO 69422 --- [ main] trationDelegate$BeanPostProcessorChecker : Bean 'org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler@2f8ffdc4' of type [class org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2014-07-08 14:02:21.177 INFO 69422 --- [ main] trationDelegate$BeanPostProcessorChecker : Bean 'authenticationSecurity' of type [class com.edelweissco.ofac.configuration.AuthenticationSecurity$$EnhancerBySpringCGLIB$$85675816] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2014-07-08 14:02:21.199 INFO 69422 --- [ main] trationDelegate$BeanPostProcessorChecker : Bean 'enableGlobalAuthenticationAutowiredConfigurer' of type [class org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration$EnableGlobalAuthenticationAutowiredConfigurer] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2014-07-08 14:02:21.218 INFO 69422 --- [ main] trationDelegate$BeanPostProcessorChecker : Bean 'org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration' of type [class org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration$$EnhancerBySpringCGLIB$$2da1b835] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2014-07-08 14:02:21.219 INFO 69422 --- [ main] trationDelegate$BeanPostProcessorChecker : Bean 'org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration' of type [class org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration$$EnhancerBySpringCGLIB$$c09573b2] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2014-07-08 14:02:21.250 INFO 69422 --- [ main] trationDelegate$BeanPostProcessorChecker : Bean 'methodSecurityMetadataSource' of type [class org.springframework.security.access.method.DelegatingMethodSecurityMetadataSource] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2014-07-08 14:02:21.258 INFO 69422 --- [ main] trationDelegate$BeanPostProcessorChecker : Bean 'metaDataSourceAdvisor' of type [class org.springframework.security.access.intercept.aopalliance.MethodSecurityMetadataSourceAdvisor] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2014-07-08 14:02:21.934 INFO 69422 --- [ main] .t.TomcatEmbeddedServletContainerFactory : Server initialized with port: 9001
2014-07-08 14:02:22.213 INFO 69422 --- [ main] o.apache.catalina.core.StandardService : Starting service Tomcat
2014-07-08 14:02:22.213 INFO 69422 --- [ main] org.apache.catalina.core.StandardEngine : Starting Servlet Engine: Apache Tomcat/7.0.54
2014-07-08 14:02:22.363 INFO 69422 --- [ost-startStop-1] o.a.c.c.C.[Tomcat].[localhost].[/] : Initializing Spring embedded WebApplicationContext
2014-07-08 14:02:22.364 INFO 69422 --- [ost-startStop-1] o.s.web.context.ContextLoader : Root WebApplicationContext: initialization completed in 3631 ms
2014-07-08 14:02:24.157 INFO 69422 --- [ost-startStop-1] o.s.s.web.DefaultSecurityFilterChain : Creating filter chain: org.springframework.security.web.util.matcher.AnyRequestMatcher@1, [org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@6e3afd5, org.springframework.security.web.context.SecurityContextPersistenceFilter@96219e4, org.springframework.security.web.header.HeaderWriterFilter@12cad708, org.springframework.security.web.csrf.CsrfFilter@78688290, org.springframework.security.web.authentication.logout.LogoutFilter@655490cd, org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter@331b7b16, org.springframework.security.web.session.ConcurrentSessionFilter@5d42f8e3, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@750bff35, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@1dd0a8c0, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@4e2ccc7b, org.springframework.security.web.session.SessionManagementFilter@7b54be6d, org.springframework.security.web.access.ExceptionTranslationFilter@5497e581, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@16254dd7]
2014-07-08 14:02:24.242 INFO 69422 --- [ost-startStop-1] o.s.b.c.e.ServletRegistrationBean : Mapping servlet: 'dispatcherServlet' to [/]
2014-07-08 14:02:24.244 INFO 69422 --- [ost-startStop-1] o.s.b.c.embedded.FilterRegistrationBean : Mapping filter: 'springSecurityFilterChain' to: [/*]
2014-07-08 14:02:24.244 INFO 69422 --- [ost-startStop-1] o.s.b.c.embedded.FilterRegistrationBean : Mapping filter: 'hiddenHttpMethodFilter' to: [/*]
..
2014-07-08 14:02:31.240 INFO 69422 --- [ main] o.s.w.s.handler.SimpleUrlHandlerMapping : Mapped URL path [/**/favicon.ico] onto handler of type [class org.springframework.web.servlet.resource.ResourceHttpRequestHandler]
2014-07-08 14:02:31.357 INFO 69422 --- [ main] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped "{[/about],methods=[GET],params=[],headers=[],consumes=[],produces=[],custom=[]}" onto public java.lang.String com.edelweissco.ofac.controller.AboutController.get(org.springframework.ui.Model)
2014-07-08 14:02:31.357 INFO 69422 --- [ main] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped "{[/admin],methods=[GET],params=[],headers=[],consumes=[],produces=[],custom=[]}" onto public java.lang.String com.edelweissco.ofac.controller.AdminController.displayUpload(org.springframework.ui.Model)
2014-07-08 14:02:31.358 INFO 69422 --- [ main] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped "{[/upload],methods=[GET],params=[],headers=[],consumes=[],produces=[],custom=[]}" onto public java.lang.String com.edelweissco.ofac.controller.CustomerDataController.displayUpload(org.springframework.ui.Model)
2014-07-08 14:02:31.358 INFO 69422 --- [ main] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped "{[/customerFile],methods=[POST],params=[],headers=[],consumes=[],produces=[],custom=[]}" onto public java.lang.String com.edelweissco.ofac.controller.CustomerDataController.handleFileUpload(org.springframework.web.multipart.MultipartFile,org.springframework.ui.Model,org.springframework.security.core.Authentication)
2014-07-08 14:02:31.358 INFO 69422 --- [ main] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped "{[/fileDownloadService],methods=[],params=[],headers=[],consumes=[],produces=[],custom=[]}" onto public java.util.List<java.lang.String> com.edelweissco.ofac.controller.FileDownloadController.index()
2014-07-08 14:02:31.359 INFO 69422 --- [ main] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped "{[/search],methods=[GET],params=[],headers=[],consumes=[],produces=[],custom=[]}" onto public java.lang.String com.edelweissco.ofac.controller.SearchController.getSearchCustomerForm(org.springframework.ui.Model)
2014-07-08 14:02:31.359 INFO 69422 --- [ main] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped "{[/searchTreasuryData],methods=[POST],params=[],headers=[],consumes=[],produces=[],custom=[]}" onto public java.lang.String com.edelweissco.ofac.controller.SearchController.searchTreasury(com.edelweissco.ofac.model.SdnSearch,org.springframework.ui.Model)
2014-07-08 14:02:31.360 INFO 69422 --- [ main] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped "{[/status],methods=[GET],params=[],headers=[],consumes=[],produces=[],custom=[]}" onto public java.lang.String com.edelweissco.ofac.controller.StatusController.get(org.springframework.ui.Model)
2014-07-08 14:02:31.360 INFO 69422 --- [ main] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped "{[/refreshData],methods=[POST],params=[],headers=[],consumes=[],produces=[],custom=[]}" onto public java.lang.String com.edelweissco.ofac.controller.StatusController.searchCustomer(org.springframework.ui.Model)
2014-07-08 14:02:31.366 INFO 69422 --- [ main] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped "{[/error],methods=[],params=[],headers=[],consumes=[],produces=[],custom=[]}" onto public org.springframework.http.ResponseEntity<java.util.Map<java.lang.String, java.lang.Object>> org.springframework.boot.autoconfigure.web.BasicErrorController.error(javax.servlet.http.HttpServletRequest)
2014-07-08 14:02:31.366 INFO 69422 --- [ main] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped "{[/error],methods=[],params=[],headers=[],consumes=[],produces=[text/html],custom=[]}" onto public org.springframework.web.servlet.ModelAndView org.springframework.boot.autoconfigure.web.BasicErrorController.errorHtml(javax.servlet.http.HttpServletRequest)
2014-07-08 14:02:31.379 INFO 69422 --- [ main] o.s.w.s.handler.SimpleUrlHandlerMapping : Mapped URL path [/about] onto handler of type [class org.springframework.web.servlet.mvc.ParameterizableViewController]
2014-07-08 14:02:31.380 INFO 69422 --- [ main] o.s.w.s.handler.SimpleUrlHandlerMapping : Mapped URL path [/status] onto handler of type [class org.springframework.web.servlet.mvc.ParameterizableViewController]
2014-07-08 14:02:31.380 INFO 69422 --- [ main] o.s.w.s.handler.SimpleUrlHandlerMapping : Mapped URL path [/home] onto handler of type [class org.springframework.web.servlet.mvc.ParameterizableViewController]
2014-07-08 14:02:31.380 INFO 69422 --- [ main] o.s.w.s.handler.SimpleUrlHandlerMapping : Mapped URL path [/login] onto handler of type [class org.springframework.web.servlet.mvc.ParameterizableViewController]
2014-07-08 14:02:31.380 INFO 69422 --- [ main] o.s.w.s.handler.SimpleUrlHandlerMapping : Mapped URL path [/search] onto handler of type [class org.springframework.web.servlet.mvc.ParameterizableViewController]
2014-07-08 14:02:31.380 INFO 69422 --- [ main] o.s.w.s.handler.SimpleUrlHandlerMapping : Mapped URL path [/upload] onto handler of type [class org.springframework.web.servlet.mvc.ParameterizableViewController]
2014-07-08 14:02:31.380 INFO 69422 --- [ main] o.s.w.s.handler.SimpleUrlHandlerMapping : Root mapping to handler of type [class org.springframework.web.servlet.mvc.ParameterizableViewController]
2014-07-08 14:02:31.380 INFO 69422 --- [ main] o.s.w.s.handler.SimpleUrlHandlerMapping : Mapped URL path [/admin] onto handler of type [class org.springframework.web.servlet.mvc.ParameterizableViewController]
2014-07-08 14:02:31.397 INFO 69422 --- [ main] o.s.w.s.handler.SimpleUrlHandlerMapping : Mapped URL path [/**] onto handler of type [class org.springframework.web.servlet.resource.ResourceHttpRequestHandler]
2014-07-08 14:02:31.397 INFO 69422 --- [ main] o.s.w.s.handler.SimpleUrlHandlerMapping : Mapped URL path [/webjars/**] onto handler of type [class org.springframework.web.servlet.resource.ResourceHttpRequestHandler]
2014-07-08 14:02:32.907 INFO 69422 --- [ main] o.s.j.e.a.AnnotationMBeanExporter : Registering beans for JMX exposure on startup
2014-07-08 14:02:33.112 INFO 69422 --- [ main] s.b.c.e.t.TomcatEmbeddedServletContainer : Tomcat started on port(s): 9001/http
2014-07-08
So I am able to log in. But if I leave it inactive, I am still logged in and able to use full authorized functionality. I try to login with the same credentials from two different browsers and the second attempt fails with "invalid username/password" so I think the concurrent session setting is being picked up. There isn't any AJAX call being picked up by FireBug or browser dev tools.
Can anyone see what the error is?
@Transactional Timeouts
One way we can implement a request timeout on database calls is to take advantage of Spring's @Transactional annotation. It has a timeout property that we can set. The default value for this property is -1, which is equivalent to not having any timeout at all.
If you want to be notified when a session has expired or a person has logged out, you can always register a listener on SessionDestroyedEvent - documentation. It's also worth referring to the Spring docs on that subject.
Where should I instantiate this class LogoutListener?
Just add this as a component in the Spring context.
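A sketch of the listener suggested above, as an added example that is not code from the original posts. The class name LogoutListener comes from the comment; SessionEventConfig is a hypothetical name, and the example assumes SLF4J is on the classpath and that component scanning covers both classes.

```java
import java.util.List;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.ApplicationListener;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.session.SessionDestroyedEvent;
import org.springframework.security.web.session.HttpSessionEventPublisher;
import org.springframework.stereotype.Component;

/**
 * Registered as a component, so no manual instantiation is needed. It receives
 * an event when a session ends, whether by timeout or by explicit logout.
 */
@Component
public class LogoutListener implements ApplicationListener<SessionDestroyedEvent> {

    private static final Logger log = LoggerFactory.getLogger(LogoutListener.class);

    @Override
    public void onApplicationEvent(SessionDestroyedEvent event) {
        // A session may hold several SecurityContexts; an anonymous one holds none.
        List<SecurityContext> contexts = event.getSecurityContexts();
        if (contexts.isEmpty()) {
            log.debug("Unauthenticated session destroyed");
            return;
        }
        for (SecurityContext context : contexts) {
            Authentication auth = context.getAuthentication();
            if (auth != null) {
                // The session id is deliberately left out of the audit line.
                log.info("Session ended for principal '{}'", auth.getName());
            }
        }
    }
}

/** Hypothetical configuration class name; only the bean it declares matters. */
@Configuration
class SessionEventConfig {

    // Bridges the servlet container's session lifecycle callbacks to Spring
    // application events. Without it no SessionDestroyedEvent is published.
    @Bean
    public HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }
}
```

The same publisher is what tells the session registry behind maximumSessions(1) that a session has ended, so a user whose only session timed out is not kept locked out by maxSessionsPreventsLogin(true).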
Things change, but as of Spring Boot 2.1.3 (which has Spring Web 5.1.5, optionally adding Spring Session 2.1.4), the property is now
server.servlet.session.timeout=<your-value><units>
For example, the value to be set could be 1800s for 1800 seconds or 30m for 30 minutes.
The Spring Session property spring.session.timeout, if not configured, falls back to the property above.