3

Just a question about Spring Security and session invalidation.

When a session is invalidated by the ConcurrentSessionControlStrategy the session is removed from the SessionRegistry by calling the removeSessionInformation method however when a session is invalidated by a manual logout the HttpSession is invalidated but there is no call to the SessionRegistry to remove entries from there.

I have added the HttpSessionEventPublisher as a listener which is capturing the HttpSessionDestroyedEvent event but again no call to the SessionRegistry.

I have worked around this by creating my own implementation of the LogoutFilter and adding a handler to manually call removeSessionInformation but I would prefer to be able to use the standard spring annotations if possible. (NB I can't use the success-handler-ref field of the standard logout tag as the session has already been invalidated so I can't access the session ID)

Is there something I'm missing here or is this just something that Spring have missed?

This is using Spring Security 3.1.0 by the way.

Rene
  • 266
  • 3
  • 9
  • I have an app that only allows a single session per user. If a user already has a session the user is prompted on logon whether they want to kill the active session which triggers the concurrent strategy and removes the session from the session registry. The user can also log themselves out which will trigger the logout filter, invalidating their HTTP session but not removing the session from the repository. As I said I have a solution, just curious if there is a way to do this without customising the logoutFilter. – Rene May 02 '12 at 10:03

1 Answers1

2

I had the same problem. In my case solution was to create SessionRegistry as a separate spring bean. ConcurrentSessionControlStrategy holds link to registry so it can remove invalid session from it directly. But SecurityContextLogoutHandler uses session.invalidate() so sessionDestroyed servlet event is provided to HttpSessionEventPublisher by servlet container, but HttpSessionDestroyedEvent published to Spring context by HttpSessionEventPublisher doesn't come to SessionRegistry when it's not a spring bean.

This security config didn't work:

...
SessionRegistry sessionRegistry = new SessionRegistryImpl();
ConcurrentSessionControlStrategy concurrentSessionControlStrategy = new ConcurrentSessionControlStrategy(sessionRegistry);
...

This one works fine:

@Bean
public SessionRegistry sessionRegistry() {
    return new SessionRegistryImpl();
}
...
ConcurrentSessionControlStrategy concurrentSessionControlStrategy = new ConcurrentSessionControlStrategy(sessionRegistry())
...
alexkasko
  • 4,855
  • 1
  • 26
  • 31
  • I can't confirm this works in my case as I've moved onto another project but it's seems like a nice simple solution. – Rene May 13 '13 at 01:56