7

I would like to configure a Spring MVC application using Spring Security in the following way.

  1. Only one concurrent login allowed.
  2. When the HTTP session expires, the user will be redirected to /security/sessionTimeout.html.
  3. When a user logs in successfully, he will be redirected to "/".
  4. When a user logs out, he will be redirected to "/" as well.

I configured it the following way:

 <security:http>
   <security:form-login login-page="/security/login.html"
                        login-processing-url="/login"
                        authentication-failure-url="/login.jsp?login_error=1"
                        default-target-url="/"/>
   <security:session-management invalid-session-url="/security/sessionTimeout.html">
     <security:concurrency-control max-sessions="1" />
   </security:session-management>
   <security:logout logout-url="/logout" logout-success-url="/"/>
 </security:http>

and I have the following issues:

  1. I'm able to log in with the same account on 2 different browsers (no concurrency control is working).
  2. When I click on log out, I get redirected to "/security/sessionTimeout.html" instead of "/".

I've followed Spring security reference guide. What am I doing wrong?

Updated: This is what my web.xml looks like.

 <filter>
   <filter-name>springSecurityFilterChain</filter-name>
   <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
 </filter>
 <filter-mapping>
   <filter-name>springSecurityFilterChain</filter-name>
   <url-pattern>/*</url-pattern>
 </filter-mapping>
 <listener>
   <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
 </listener>
 <listener>
   <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
 </listener>
 <context-param>
   <param-name>contextConfigLocation</param-name>
   <param-value>WEB-INF/springSecurity-servlet.xml</param-value>
 </context-param>
 <display-name>SpringSecurity</display-name>
 <servlet>
   <servlet-name>springSecurity</servlet-name>
   <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
   <load-on-startup>1</load-on-startup>
 </servlet>
 <servlet-mapping>
   <servlet-name>springSecurity</servlet-name>
   <url-pattern>*.html</url-pattern>
 </servlet-mapping>
 <servlet-mapping>
   <servlet-name>springSecurity</servlet-name>
   <url-pattern>*.do</url-pattern>
 </servlet-mapping>
 <servlet-mapping>
   <servlet-name>springSecurity</servlet-name>
   <url-pattern>/index.html</url-pattern>
 </servlet-mapping>
 <welcome-file-list>
   <welcome-file>index.html</welcome-file>
 </welcome-file-list>

Update 2: I just ran log4j in debug mode, and this is what I got when clicking on logout:

DEBUG [http-8080-2] (FilterChainProxy.java:375) - /index.html at position 1 of 11 in additional filter chain; firing Filter: 'ConcurrentSessionFilter'
DEBUG [http-8080-2] (FilterChainProxy.java:375) - /index.html at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
DEBUG [http-8080-2] (HttpSessionSecurityContextRepository.java:130) - No HttpSession currently exists
DEBUG [http-8080-2] (HttpSessionSecurityContextRepository.java:88) - No SecurityContext was available from the HttpSession: null. A new one will be created.
DEBUG [http-8080-2] (FilterChainProxy.java:375) - /index.html at position 3 of 11 in additional filter chain; firing Filter: 'LogoutFilter'
DEBUG [http-8080-2] (FilterChainProxy.java:375) - /index.html at position 4 of 11 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
DEBUG [http-8080-2] (FilterChainProxy.java:375) - /index.html at position 5 of 11 in additional filter chain; firing Filter: 'BasicAuthenticationFilter'
DEBUG [http-8080-2] (FilterChainProxy.java:375) - /index.html at position 6 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
DEBUG [http-8080-2] (FilterChainProxy.java:375) - /index.html at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
DEBUG [http-8080-2] (FilterChainProxy.java:375) - /index.html at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
DEBUG [http-8080-2] (AnonymousAuthenticationFilter.java:67) - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9055c2bc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
DEBUG [http-8080-2] (FilterChainProxy.java:375) - /index.html at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter'
DEBUG [http-8080-2] (SessionManagementFilter.java:87) - Requested session IDD8429BBAAA9561A97E1D2350ED63BC35 is invalid.
DEBUG [http-8080-2] (SessionManagementFilter.java:90) - Starting new session (if required) and redirecting to '/security/sessionTimeout.html'

It feels like the session management filter is applied to /index.html when no session exists. How can I solve it?

BalusC
asked Jul 18, 2011 at 20:05
  • Item b) is probably happening because you didn't allow the URL / to be accessed by any user. Commented Jul 18, 2011 at 22:46
  • which spring version are you using ? Commented Jul 19, 2011 at 15:18
  • @Simeon, 3.0.5 and Spring 3.0.4 Commented Jul 19, 2011 at 17:50
  • Bluefoot is probably right. Have you tried changing the <servlet-mapping> to just include * to see if the behavior is correct? Commented Sep 29, 2011 at 14:40
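The debug log above already shows the mechanism behind issue 2: `<logout>` invalidates the HttpSession, the browser keeps the old JSESSIONID cookie, and the very next request (the redirect to "/", served as /index.html) carries that stale id. SessionManagementFilter sees a requested session ID that is no longer valid and, because invalid-session-url is set, redirects to the timeout page instead of "/". Issue 1 is the default semantics of concurrency control rather than a failure: with max-sessions="1" the second login succeeds and the first session is expired on its next request, so both browsers appear to work until the first one sends a request. The following is an added example, not the poster's configuration or Spring's reference text. It is a corrected `<security:http>` for the four requirements using the Spring Security 3.1 namespace (the delete-cookies attribute does not exist in 3.0.x); the access rules and the assumption that "/" and /index.html are public are mine.

```xml
<!-- Added example config (not the original poster's). Uses Spring Security 3.1
     namespace attributes; the intercept-url rules and the choice to make the
     welcome page public are assumptions for illustration. -->
<security:http use-expressions="true">

  <!-- The login page and the session-timeout page must be reachable without a
       valid session, otherwise a redirect to them is itself redirected. -->
  <security:intercept-url pattern="/security/**" access="permitAll"/>
  <!-- Assumed: the page the user lands on after logout is public. -->
  <security:intercept-url pattern="/" access="permitAll"/>
  <security:intercept-url pattern="/index.html" access="permitAll"/>
  <security:intercept-url pattern="/**" access="isAuthenticated()"/>

  <security:form-login login-page="/security/login.html"
                       login-processing-url="/login"
                       authentication-failure-url="/security/login.html?login_error=1"
                       default-target-url="/"/>

  <!-- Requirement 2: a request carrying an expired/invalid session id goes here. -->
  <security:session-management invalid-session-url="/security/sessionTimeout.html">
    <!-- Requirement 1. Default behaviour with max-sessions="1" is to accept the
         new login and expire the older session; error-if-maximum-exceeded="true"
         rejects the new login while an active session exists instead.
         expired-url is where a request on an expired (kicked-out) session lands. -->
    <security:concurrency-control max-sessions="1"
                                  error-if-maximum-exceeded="true"
                                  expired-url="/security/sessionTimeout.html"/>
  </security:session-management>

  <!-- Requirement 4. invalidate-session="true" is the default; delete-cookies
       (3.1+) expires the JSESSIONID cookie in the logout response so the
       redirect to "/" does not carry a stale session id and is not bounced to
       invalid-session-url by SessionManagementFilter. -->
  <security:logout logout-url="/logout"
                   logout-success-url="/"
                   invalidate-session="true"
                   delete-cookies="JSESSIONID"/>
</security:http>
```

Two caveats. error-if-maximum-exceeded="true" means a user who closes the browser without logging out cannot log in again anywhere until the abandoned session times out; the default (expire the older session) is usually the friendlier choice and still enforces a single live session. On Spring Security 3.0.x, where delete-cookies is unavailable, the same effect needs a LogoutSuccessHandler wired through the logout element's success-handler-ref that expires the JSESSIONID cookie (or simply calls request.getSession() to issue a fresh one) before redirecting; concurrency control additionally requires the HttpSessionEventPublisher listener in web.xml, which the question's web.xml already has.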

1 Answer

2

From the Spring Security documentation:

To use concurrent session support, you'll need to add the following to web.xml:

<listener>
  <listener-class>
    org.springframework.security.web.session.HttpSessionEventPublisher
  </listener-class>
</listener>

Did you add this?

answered Jul 18, 2011 at 20:15

1 Comment

It looks like I have it, but I posted my entire web.xml configuration in the update.
