Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Spring Session & Spring Security - session timeout handling not working

Tags:

spring-security

spring-session

When attempting to add spring-session to an existing Spring MVC project with spring-security, I get the following behavior (EDIT: with tomcat's session-timeout set to 1 minute for testing):

  • With the springSessionRepositoryFilter filter in web.xml commented-out, I am correctly booted to the login screen after a minute of inactivity
  • With the springSessionRepositoryFilter filter in web.xml active, I can continue to use the app at least 5 minutes after the last activity

Besides that, everything seems to work as expected - the session is persisted in redis & across webapp restarts, and logging out manually correctly invalidates the session.

Some snippets of my configuration - here is the invalid session handler configuration for spring-security, that will cause expired sessions to be redirected to a login page:

...
<beans:bean id="sessionManagementFilter" class="org.springframework.security.web.session.SessionManagementFilter">
    <beans:constructor-arg name="securityContextRepository">
        <beans:bean class="org.springframework.security.web.context.HttpSessionSecurityContextRepository"/>
    </beans:constructor-arg>
    <beans:property name="invalidSessionStrategy">
        <beans:bean class="my.CustomInvalidSessionStrategy"/>
    </beans:property>
</beans:bean>
...
<http>
    ...
    <custom-filter position="SESSION_MANAGEMENT_FILTER" ref="sessionManagementFilter"/>
    ...
    <logout delete-cookies="true" invalidate-session="true" logout-url="/signout.html" success-handler-ref="logoutSuccessHandler"/>
</http>

The web.xml 's filter chain looks like:

<filter>
    <filter-name>springSessionRepositoryFilter</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSessionRepositoryFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

And (one of) the spring context files loaded contains:

<bean class="org.springframework.session.data.redis.config.annotation.web.http.RedisHttpSessionConfiguration"/>

<bean class="org.springframework.security.web.session.HttpSessionEventPublisher"/>

<bean class="org.springframework.data.redis.connection.jedis.JedisConnectionFactory"/>

Hopefully I'm just missing something really obvious!

Edit: The versions I used for the attempt was spring-security-4.0.4.RELEASE and spring-session-1.1.1.RELEASE

like image 263
mrusinak Avatar asked May 04 '16 14:05

mrusinak

People also ask

What is a spring session?

Spring Session is a powerful tool for managing HTTP sessions. With our session storage simplified to a configuration class and a few Maven dependencies, we can now wire up multiple applications to the same Redis instance and share authentication information. As always all the examples are available over on Github.

When session is created in spring?

In Spring Security 3, the user is first authenticated by the AuthenticationManager and once they are successfully authenticated, a session is created and the check is made whether they are allowed to have another session open.

How do I create a new spring session?

To Create new session after logout check session. isNew() condition if session is old then call invalidate() . Redirect logout method to /login mapping. It checks session and it will creates new session when you call invalidate() method.

What is default session in spring?

By default, Spring Security will create a session when it needs one — this is “ifRequired“. For a more stateless application, the “never” option will ensure that Spring Security itself won't create any session. But if the application creates one, Spring Security will make use of it.

1 Answers

When using Redis session timeout is configured like this:

<bean class="org.springframework.session.data.redis.config.annotation.web.http.RedisHttpSessionConfiguration">
    <property name="maxInactiveIntervalInSeconds" value="10"></property>
</bean>
like image 60
damnputer Avatar answered Oct 28 '22 04:10

damnputer
Sign in to Comment

Related questions

Is there any Spring-Security-based production-ready security package for Java?
How to propagate spring security login to EJBs?
Spring 3 Security and Relative Redirect URLs
Preauthentication with LTPA token
Spring security + i18n = how to make it work together?
Spring Social - 404 error for facebook login
Spring Security 3.1 - Automatically redirect to login page when session-timeout occurs
Custom authenticationFilter Spring Security 3.2
Spring Security 3.2 Token Authentication
Spring security custom authentication filter without web.xml
how to disable tomcat 7 console debug information
Secured WebSocket upgrade over STOMP via SockJS fails with Invalid Upgrade header null
Spring OAuth2 not redirecting back to client on form login
Spring OAuth + JWT -- /oauth/token
Spring security OAuth2 authentication and form login in one app
Spring Security java.lang.IllegalArgumentException: Non-hex character in input
spring security oauth2 (2.0.8) getting Invalid access token used InMemory tokenstore
Is There an Easier Way to Load Spring OAuth Client Configuration
Why class SecurityEvaluationContextExtension can not be found in Spring Boot Project?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!