When attempting to add spring-session to an existing Spring MVC project with spring-security, I get the following behavior (EDIT: with tomcat's session-timeout set to 1 minute for testing):
Besides that, everything seems to work as expected - the session is persisted in redis & across webapp restarts, and logging out manually correctly invalidates the session.
Some snippets of my configuration - here is the invalid session handler configuration for spring-security, that will cause expired sessions to be redirected to a login page:
...
<beans:bean id="sessionManagementFilter" class="org.springframework.security.web.session.SessionManagementFilter">
<beans:constructor-arg name="securityContextRepository">
<beans:bean class="org.springframework.security.web.context.HttpSessionSecurityContextRepository"/>
</beans:constructor-arg>
<beans:property name="invalidSessionStrategy">
<beans:bean class="my.CustomInvalidSessionStrategy"/>
</beans:property>
</beans:bean>
...
<http>
...
<custom-filter position="SESSION_MANAGEMENT_FILTER" ref="sessionManagementFilter"/>
...
<logout delete-cookies="true" invalidate-session="true" logout-url="/signout.html" success-handler-ref="logoutSuccessHandler"/>
</http>
The web.xml 's filter chain looks like:
<filter>
<filter-name>springSessionRepositoryFilter</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSessionRepositoryFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter>
<filter-name>springSecurityFilterChain</filter-name>
<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
<filter-name>springSecurityFilterChain</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
And (one of) the spring context files loaded contains:
<bean class="org.springframework.session.data.redis.config.annotation.web.http.RedisHttpSessionConfiguration"/>
<bean class="org.springframework.security.web.session.HttpSessionEventPublisher"/>
<bean class="org.springframework.data.redis.connection.jedis.JedisConnectionFactory"/>
Hopefully I'm just missing something really obvious!
Edit: The versions I used for the attempt was spring-security-4.0.4.RELEASE and spring-session-1.1.1.RELEASE
Spring Session is a powerful tool for managing HTTP sessions. With our session storage simplified to a configuration class and a few Maven dependencies, we can now wire up multiple applications to the same Redis instance and share authentication information. As always all the examples are available over on Github.
In Spring Security 3, the user is first authenticated by the AuthenticationManager and once they are successfully authenticated, a session is created and the check is made whether they are allowed to have another session open.
To Create new session after logout check session. isNew() condition if session is old then call invalidate() . Redirect logout method to /login mapping. It checks session and it will creates new session when you call invalidate() method.
By default, Spring Security will create a session when it needs one — this is “ifRequired“. For a more stateless application, the “never” option will ensure that Spring Security itself won't create any session. But if the application creates one, Spring Security will make use of it.
When using Redis session timeout is configured like this:
<bean class="org.springframework.session.data.redis.config.annotation.web.http.RedisHttpSessionConfiguration">
<property name="maxInactiveIntervalInSeconds" value="10"></property>
</bean>
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With