
I've got a Spring Boot based server-side application with a frontend built in Angular. After user login, on the frontend side I have a scheduled method which sends a request to the backend to refresh the data in a table. It's sent every 10 seconds. I do not want those requests to constantly extend the session, but I still wish to keep this request available only for authorized users. I've tried to do it this way:

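import javax.servlet.FilterChain
import javax.servlet.http.HttpServletRequest
import javax.servlet.http.HttpServletResponse
import org.springframework.core.annotation.Order
import org.springframework.stereotype.Component
import org.springframework.web.filter.OncePerRequestFilter

@Component
@Order(Integer.MIN_VALUE)
class ExcludeSessionRepositoryFilter : OncePerRequestFilter() {

    private val filteredURLs = listOf(
        "/xxx",
        "/yyy"
    )

    override fun doFilterInternal(
        request: HttpServletRequest,
        response: HttpServletResponse,
        filterChain: FilterChain
    ) {
        if (filteredURLs.contains(request.requestURI)) {
            // Attempt to make Spring Session's SessionRepositoryFilter skip this request
            request.setAttribute("org.springframework.session.web.http.SessionRepositoryFilter.FILTERED", true)
        }
        filterChain.doFilter(request, response)
    }
}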

It's coming to the if, but it didn't work at all. Next I've tried to change the Security Config based on one of the answers here like this:

 http.csrf()
            .ignoringAntMatchers("/login", "/xxx", "/yyy")

But it didn't work either. For tests, I have set the session timeout in properties like this:

server:
  servlet:
    session:
      timeout: 1m

But even after a couple of minutes I still have the session because of those requests coming in from the frontend every 10 seconds.

Versions:

 org.springframework.boot:2.4.0
 org.springframework.boot:spring-boot-starter-security:2.+
Reage
  • afaik you cannot. Also session timeout is not something that Spring Security arranges but the Servlet container does that (in this case probably tomcat). So unless you dig into tomcat and modify things there there is nothing Spring nor Spring Security can do. It might even violate the servlet spec in doing so (but I'm not sure about that). – M. Deinum Mar 24 '21 at 12:24
  • Is there any easy way to do it from tomcat session management level etc. via configuration component? – Reage Mar 24 '21 at 12:42
  • No there isn't. Simply because all http requests lead to a session time refresh. – M. Deinum Mar 24 '21 at 14:21
  • polling a backend server from a webclient for data is not something you should do. If you wish this type of functionality you should instead look into using websockets. – Toerktumlare Mar 24 '21 at 22:39
  • but this endpoint is also used in some modules triggered by user, but when the user is in other modules it's triggered automatically via scheduled method so I also need to have opportunity to get it via pure request ;/ Ok, I see that it needs to be updated in some way, thank all of you for help :) – Reage Mar 25 '21 at 08:35
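
Since the container refreshes its own idle timer on every request, one application-level alternative is to track the last real user action in the session and let the polling endpoints enforce the idle limit themselves. The filter below is an added example, not code from the question or from Spring; it assumes a plain servlet `HttpSession`, that it runs after the Spring Security filter chain (the default order for a `@Component` filter in Spring Boot), and the class name, `lastUserActivity` attribute and one-minute limit are hypothetical.

```kotlin
import java.time.Duration
import java.time.Instant
import javax.servlet.FilterChain
import javax.servlet.http.HttpServletRequest
import javax.servlet.http.HttpServletResponse
import org.springframework.stereotype.Component
import org.springframework.web.filter.OncePerRequestFilter

// Added example: idle timeout driven by user activity, not by container access time.
@Component
class UserActivityTimeoutFilter : OncePerRequestFilter() {

    // Polling endpoints that must not count as user activity (paths from the question).
    private val pollingURLs = setOf("/xxx", "/yyy")

    // Assumed idle limit. The container timeout (server.servlet.session.timeout)
    // still applies when no polling happens, so set it to the same value.
    private val idleLimit = Duration.ofMinutes(1)

    override fun doFilterInternal(
        request: HttpServletRequest,
        response: HttpServletResponse,
        filterChain: FilterChain
    ) {
        val session = request.getSession(false) // never create a session here
        if (session != null) {
            if (request.requestURI in pollingURLs) {
                // Polling request: enforce the limit, but do not record activity.
                val last = session.getAttribute(LAST_ACTIVITY) as? Instant
                    ?: Instant.ofEpochMilli(session.creationTime)
                if (Duration.between(last, Instant.now()) > idleLimit) {
                    session.invalidate() // drops the stored security context as well
                    response.status = HttpServletResponse.SC_UNAUTHORIZED
                    return
                }
            } else {
                // Any other request counts as a real user action.
                session.setAttribute(LAST_ACTIVITY, Instant.now())
            }
        }
        filterChain.doFilter(request, response)
    }

    companion object {
        const val LAST_ACTIVITY = "lastUserActivity" // hypothetical attribute name
    }
}
```

With a 10-second polling interval, an idle session is invalidated at most about 10 seconds after the limit passes, and the frontend sees a 401 on the poll that triggers it.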

0 Answers