0

In spring security 4 ,concurrent session not redirecting to expired url,instead it redirects to failure authentication url. Following is the java configuration code snippet.

/*start of code*/
public class SecurityContextConfig extends WebSecurityConfigurerAdapter {

private static final Logger logger = LoggerFactory.getLogger(SecurityContextConfig.class);

/**
 * @param auth
 * @throws Exception
 */
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
    logger.debug("configureGlobal() : Start : auth={}", auth);
    auth.authenticationProvider(userDetailsAuthenticationProvider());
}

@Override
public void configure(WebSecurity web) throws Exception {
    logger.debug("configure() : Start : web={}", web);
    // This is here to ensure that the static content (JavaScript, CSS, etc)
    // is accessible from the login page without authentication
    web.ignoring().antMatchers("/resources/**");
}

@Override
protected void configure(HttpSecurity http) throws Exception {
    logger.debug("configure() : Start : http={}", http);

    http
        .authorizeRequests()
            .antMatchers("/resources/**")
                .permitAll()
            .antMatchers("/login/**")
                .permitAll()
            .antMatchers("/authenticate/**")
                .permitAll()
            .antMatchers("/ssoLogout")
                .permitAll()
            .antMatchers("/forgotpassword/json")
                .permitAll()
            .antMatchers("/favicon.ico")
                .permitAll()
            .antMatchers("/secure/**")
                .authenticated()
            .and()

            // This is where we configure our login form.
            // login-page: the page that contains the login screen
            // login-processing-url: this is the URL to which the login form
            // should be submitted
            // default-target-url: the URL to which the user will be
            // redirected if they login successfully
            // authentication-failure-url: the URL to which the user will be
            // redirected if they fail login
            // username-parameter: the name of the request parameter which
            // contains the username
            // password-parameter: the name of the request parameter which
            // contains the password
            .formLogin()
                .loginPage("/")
                .loginProcessingUrl("/authenticate")
                .failureUrl("/")
                .successHandler(loginSuccessHandler())
            .and()

            // This is where the logout page and process is configured. The
            // logout-url is the URL to send
            // the user to in order to logout, the logout-success-url is
            // where they are taken if the logout
            // is successful, and the delete-cookies and invalidate-session
            // make sure that we clean up after logout
            .logout()
                .logoutUrl("/logout")
                .logoutSuccessHandler(logoutHandler())
                .deleteCookies("JSESSIONID")
                .invalidateHttpSession(true)
            .and()

            .csrf()
            .and()

            // The session management is used to ensure the user only has
            // one session. This isn't
            // compulsory but can add some extra security to your
            // application.
            .sessionManagement()
                //.invalidSessionUrl("/login")
                .sessionFixation()
                .changeSessionId()
            .maximumSessions(1)
                .expiredUrl("/login?reason=CONCURRENT_SESSION");
            http.exceptionHandling().accessDeniedHandler(accessDeniedHandler());
    logger.debug("configure() : End : http={}", http);

}

/**
 * @return
 */
@Bean(name = "loginSuccessHandler")
public LoginSuccessHandler loginSuccessHandler() {
    logger.debug("loginSuccessHandler() : Start.");
    LoginSuccessHandler loginSuccessHandler = new LoginSuccessHandler();

    logger.debug("loginSuccessHandler() : End : loginSuccessHandler={}", loginSuccessHandler);
    return loginSuccessHandler;}

/**
 * @return
 */
@Bean(name = "logoutHandler")
public LogoutHandler logoutHandler() {
    logger.debug("logoutHandler() : Start.");

    LogoutHandler logoutHandler = new LogoutHandler();

    logger.debug("logoutHandler() : End : logoutHandler={}", logoutHandler);

    return logoutHandler;
}

/**
 * @return
 */
@Bean(name = "authenticationProvider")
public UserDetailsAuthenticationProvider userDetailsAuthenticationProvider() {
    logger.debug("userDetailsAuthenticationProvider() : Start.");

    UserDetailsAuthenticationProvider authenticationProvider = new UserDetailsAuthenticationProvider();

    logger.debug("userDetailsAuthenticationProvider() : End : authenticationProvider={}", authenticationProvider);

    return authenticationProvider;
}

@Bean(name="accessDeniedHandler")
public AccessDeniedHandlerImpl accessDeniedHandler(){

AccessDeniedHandlerImpl accessDeniedHandler=new AccessDeniedHandlerImpl();
accessDeniedHandler.setErrorPage("/login?reason=Access Denied");
    return accessDeniedHandler;

}}

The behavior of expired url is not consistent.Sometimes working but sometimes not working . What can be the issue?

Viral B
  • 3
  • 5

1 Answers1

0

The problem is that when it redirects to the expired URL, your user does not have access to the URL so it sends the user to the log in page (which is the same as the log in failure URL).

You need to ensure you grant access to every user to the expired URL. For example:

http
    .authorizeRequests()
        .antMatchers("/login")
            .permitAll()
        ...
Rob Winch
  • 21,440
  • 2
  • 59
  • 76
  • This is not in the code you provided (NOTE it is "/login" not "/login/**"). If you have this in the code you are using then please update your post. – Rob Winch Aug 11 '15 at 12:56