I'm using Spring Security 4.0.1 inside a Spring Boot 1.2.3 web application (and also with spring-session 1.0.1, but this is irrelevant for the case).
I do have a private area, and an all-access area ("/about", "/", "/contact", ... more than 20 pages) which every user can access (it's like a web shop).
Whenever a logged-in user's session expires, Spring detects an invalid session and redirects the user to the '.invalidSessionUrl("/session/error/invalid")'.
However, I only want to be redirected if the target link is inside the private area, not the public one.
How can I avoid that?
Thanks.
This is my (Java) config (updated after seeing the post):
http
    .authorizeRequests()
        // specific matchers must come before anyRequest(): Spring Security rejects
        // antMatchers() registered after anyRequest() at startup
        .antMatchers("/privado/**")
            .authenticated()
        .anyRequest()
            .permitAll()
        .and()
    .formLogin()
        .loginPage("/login")
        .failureUrl("/login?error")
        .defaultSuccessUrl("/")
        .successHandler(new SessionSuccessHandler())
        .and()
    .logout()
        .logoutSuccessUrl("/")
        .deleteCookies("JSESSIONID", "SESSION")
        .and()
    .sessionManagement()
        .invalidSessionUrl("/session/error/invalid")
        .sessionFixation()
            .changeSessionId()
        .maximumSessions(1)
            .expiredUrl("/session/error/expired")
            .and()   // back to sessionManagement()
        .and()       // back to http
    .csrf()
        .ignoringAntMatchers("/jolokia/**", "/v1.0/**");
How can I achieve that?
Thanks a lot.
Spring Security Session Timeout
In the case of Tomcat we can set the session timeout by configuring the maxInactiveInterval attribute on the manager element in server.xml or using the session-timeout element in web.xml. Note that the first option will affect every app that's deployed to the Tomcat instance.
Spring Session provides integration with Spring Security to support its concurrent session control. This allows limiting the number of active sessions that a single user can have concurrently, but, unlike the default Spring Security support, this also works in a clustered environment.
Another workaround which helped me deal with this issue in a situation similar to yours is having an expired/invalid session strategy added to your configuration, like so:
http
    .sessionManagement()
        .maximumSessions(1)
            // called when concurrent-session control has expired this session
            .expiredSessionStrategy(e -> {
                handleExpiredInvalidSessions(e.getRequest(), e.getResponse());
            })
            // sessionRegistry() is a @Bean you define, e.g. returning a SessionRegistryImpl
            .sessionRegistry(sessionRegistry())
            .and()
        // called when the request carries a session id that is no longer valid (e.g. timed out)
        .invalidSessionStrategy((request, response) -> {
            handleExpiredInvalidSessions(request, response);
        });
Then you implement it to match the public URIs and simply forward the request:
import java.io.IOException;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// forward() can throw both checked exceptions; both strategy interfaces declare them
private void handleExpiredInvalidSessions(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException {
    String requestUri = request.getRequestURI();
    if (isPublicURI(requestUri)) {
        // This will remove the invalid/expired session from the request
        // and prevent the request from failing again
        request.getSession(true).invalidate();
        RequestDispatcher dispatcher = request.getRequestDispatcher(requestUri);
        // Retry the request
        dispatcher.forward(request, response);
    } else {
        // might redirect if you wish
        response.setStatus(440);
    }
}
You still need to implement isPublicURI() depending on your desired public paths; in my case it was only one path, so it was quite easy.
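A complete InvalidSessionStrategy along these lines, as an added example that is not part of the answer above: it treats everything not matched by the private patterns as public (so a new private path can never be accidentally exposed by forgetting to list it), replays public requests, and falls back to the standard redirect for private ones. The class name, the "/privado/**" pattern and the wiring comment are assumptions; the forward relies on Spring Boot not applying the security filter chain to FORWARD dispatches, which is its default registration.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.security.web.session.InvalidSessionStrategy;
import org.springframework.security.web.session.SimpleRedirectInvalidSessionStrategy;
import org.springframework.util.AntPathMatcher;

/** Redirects only for the private area; replays the request for public pages. (Hypothetical class.) */
public class PublicAwareInvalidSessionStrategy implements InvalidSessionStrategy {

    private final AntPathMatcher matcher = new AntPathMatcher();
    private final List<String> privatePatterns;          // e.g. "/privado/**" (assumed)
    private final InvalidSessionStrategy privateFallback; // Spring's own redirect strategy

    public PublicAwareInvalidSessionStrategy(List<String> privatePatterns, String invalidSessionUrl) {
        this.privatePatterns = privatePatterns;
        this.privateFallback = new SimpleRedirectInvalidSessionStrategy(invalidSessionUrl);
    }

    /** Default-deny: a URI is public only if no private pattern matches it. */
    boolean isPublicURI(String uri) {
        return privatePatterns.stream().noneMatch(p -> matcher.match(p, uri));
    }

    @Override
    public void onInvalidSessionDetected(HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {
        // match against the path inside the application, not the context path
        String uri = request.getRequestURI().substring(request.getContextPath().length());
        if (!isPublicURI(uri)) {
            privateFallback.onInvalidSessionDetected(request, response); // -> /session/error/invalid
            return;
        }
        HttpSession stale = request.getSession(false);
        if (stale != null) { stale.invalidate(); }   // drop the timed-out session
        request.getSession(true);                    // fresh session for the replayed request
        RequestDispatcher dispatcher = request.getRequestDispatcher(uri);
        dispatcher.forward(request, response);
    }

    // Wiring (replaces .invalidSessionUrl(...) in the question's config; strategy takes precedence):
    //   .sessionManagement().invalidSessionStrategy(new PublicAwareInvalidSessionStrategy(
    //        Arrays.asList("/privado/**"), "/session/error/invalid"))
}
```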