
Spring Session & Spring Security - session timeout handling not working

When attempting to add spring-session to an existing Spring MVC project with spring-security, I get the following behavior (EDIT: with tomcat's session-timeout set to 1 minute for testing):

  • With the springSessionRepositoryFilter filter in web.xml commented-out, I am correctly booted to the login screen after a minute of inactivity
  • With the springSessionRepositoryFilter filter in web.xml active, I can continue to use the app at least 5 minutes after the last activity

Besides that, everything seems to work as expected - the session is persisted in redis & across webapp restarts, and logging out manually correctly invalidates the session.

Some snippets of my configuration - here is the invalid session handler configuration for spring-security, that will cause expired sessions to be redirected to a login page:

...
<beans:bean id="sessionManagementFilter" class="org.springframework.security.web.session.SessionManagementFilter">
    <beans:constructor-arg name="securityContextRepository">
        <beans:bean class="org.springframework.security.web.context.HttpSessionSecurityContextRepository"/>
    </beans:constructor-arg>
    <beans:property name="invalidSessionStrategy">
        <beans:bean class="my.CustomInvalidSessionStrategy"/>
    </beans:property>
</beans:bean>
...
<http>
    ...
    <custom-filter position="SESSION_MANAGEMENT_FILTER" ref="sessionManagementFilter"/>
    ...
    <logout delete-cookies="true" invalidate-session="true" logout-url="/signout.html" success-handler-ref="logoutSuccessHandler"/>
</http>

The web.xml's filter chain looks like:

<filter>
    <filter-name>springSessionRepositoryFilter</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSessionRepositoryFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>

<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

And (one of) the spring context files loaded contains:

<bean class="org.springframework.session.data.redis.config.annotation.web.http.RedisHttpSessionConfiguration"/>

<bean class="org.springframework.security.web.session.HttpSessionEventPublisher"/>

<bean class="org.springframework.data.redis.connection.jedis.JedisConnectionFactory"/>

Hopefully I'm just missing something really obvious!

Edit: The versions I used for the attempt were spring-security-4.0.4.RELEASE and spring-session-1.1.1.RELEASE.

mrusinak asked May 04 '16 14:05


1 Answer

When using Redis, the session timeout is configured like this:

<bean class="org.springframework.session.data.redis.config.annotation.web.http.RedisHttpSessionConfiguration">
    <property name="maxInactiveIntervalInSeconds" value="10"></property>
</bean>
damnputer answered Oct 28 '22 04:10
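The same fix as a Java-config class, added here as an example that is not part of the question or the answer: once springSessionRepositoryFilter is in the chain, Spring Session's maxInactiveIntervalInSeconds (default 1800 seconds) governs inactivity expiry instead of the container's session-timeout in web.xml, which is why the 1-minute container value no longer applied. The package name and the listener are assumptions; the example assumes Spring Session 1.1.x, Spring Security 4.0.x and a Redis instance on localhost:6379.

```java
// Hypothetical package; rename to match the project.
package my.config;

import org.springframework.context.ApplicationListener;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.redis.connection.jedis.JedisConnectionFactory;
import org.springframework.security.web.session.HttpSessionEventPublisher;
import org.springframework.session.data.redis.config.annotation.web.http.EnableRedisHttpSession;
import org.springframework.session.events.SessionDestroyedEvent;
import org.springframework.session.events.SessionExpiredEvent;

@Configuration
// Replaces the RedisHttpSessionConfiguration bean from the question. With
// springSessionRepositoryFilter active this value, not <session-timeout> in
// web.xml, decides when an idle session expires; the default is 1800 s.
@EnableRedisHttpSession(maxInactiveIntervalInSeconds = 60)
public class SessionConfig {

    @Bean
    public JedisConnectionFactory connectionFactory() {
        // Connects to localhost:6379 unless host/port are set explicitly.
        return new JedisConnectionFactory();
    }

    // Same bean the question's context already declares; keep a single copy so
    // Spring Security is told when a session is destroyed.
    @Bean
    public HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }

    // Spring Session publishes SessionDestroyedEvent when a session is removed
    // from Redis; SessionExpiredEvent is the subtype raised when the Redis key
    // expires (enabled through keyspace notifications, which
    // RedisHttpSessionConfiguration turns on by default). Logging the two cases
    // separately makes it easy to confirm that expiry happens after the
    // configured interval rather than after the container's timeout.
    @Bean
    public ApplicationListener<SessionDestroyedEvent> sessionAuditListener() {
        return new ApplicationListener<SessionDestroyedEvent>() {
            @Override
            public void onApplicationEvent(SessionDestroyedEvent event) {
                String cause = (event instanceof SessionExpiredEvent)
                        ? "expired (inactivity)" : "deleted (logout/invalidate)";
                System.out.println("session " + event.getSessionId() + " " + cause);
            }
        };
    }
}
```

With this in place the redirect from CustomInvalidSessionStrategy fires one minute after the last request, and each expiry is visible in the log alongside manual logouts.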