How to avoid session being invalidated when <intercept-url filters=none>?
  • How to avoid session being invalidated when <intercept-url filters=none>?

    Can someone tell me why a user's session is invalidated when they access a page in my "/**" pattern which has filters="none"?

    For example:
    1) a user will log into the site and access http:/mysite/app/Dashboard.action (secured)
    2) the same user will click a link on the Dashboard page that loads a new tab (same session) at http:/mysite/help.html (unsecured)
    3) a user will then go back to the Dashboard tab, click a "secured" link and Spring Sec asks them for their login information again.

    Why is this? And how can I avoid having the user log in again? Any help is appreciated, my http configuration is below...

    Code:
        <http use-expressions="true">

            <intercept-url pattern="/sysAdmin/**" access="hasRole('ROLE_ADMIN')"/>
            <intercept-url pattern="/app/**" access="isAuthenticated()"/>
            <!-- filters="none": requests matching this pattern bypass the security filter chain entirely -->
            <intercept-url pattern="/**" access="" filters="none"/>

            <form-login always-use-default-target="true"
                default-target-url="/app/Dashboard_show.action"
                login-page="/login.jsp"
                authentication-failure-url="/login.jsp?error=1"/>

            <logout logout-success-url="/login.jsp"/>

            <session-management invalid-session-url="/expiredSession.jsp?expiredId=2">
                <concurrency-control max-sessions="2"
                    error-if-maximum-exceeded="false"
                    expired-url="/expiredSession.jsp?expiredId=3"/>
            </session-management>

            <!-- Override existing RememberMeServices -->
            <remember-me key="123456abcde" services-ref="myTokenBasedRememberMeServices"/>

        </http>

  • #2
    After further review, it appears I was switching the user from https:// to an http:// session - which invalidated the session. I think this is actually a "feature" ??

    Comment


    • #3
      Correct, if the session was created as a secure session (i.e. session wasn't created until the user hit the SSL URL), it will be discarded (typically) when the user switches to an insecure URL on the same site. This is to prevent secure session data from leaking over to an insecure security domain. Please refer to section 2.3 of the FAQ. Hope that helps!

      Comment
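The behaviour described in #3, as an added simulation that is not part of the thread and not Spring Security or Tomcat code. It models one common concrete way a "secure session" is lost (an assumption, not something the thread states): a servlet container marks the JSESSIONID cookie Secure when the session is first created over HTTPS, the browser therefore does not send it on the plain-HTTP request to help.html, the container issues a fresh non-Secure JSESSIONID for that request, and that cookie replaces the original one in the browser. The next HTTPS request then carries the new, unauthenticated session id, so the secured URL redirects to the login page. The class and function names, the step list and the `/app/` prefix rule are all constructed for the example; `walk_through("https")` shows the mitigation of keeping the unsecured page on HTTPS as well.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool  # the Secure attribute: browsers send the cookie over HTTPS only


class BrowserCookieJar:
    """Minimal cookie jar: one cookie per name, Secure attribute honoured."""

    def __init__(self):
        self._cookies = {}

    def store(self, cookie):
        # A later Set-Cookie with the same name replaces the earlier one,
        # whether or not the earlier one was Secure (assumed browser behaviour).
        self._cookies[cookie.name] = cookie

    def header_for(self, scheme):
        # Secure cookies are only attached to HTTPS requests.
        return {c.name: c.value for c in self._cookies.values()
                if scheme == "https" or not c.secure}


class ServletContainer:
    """Model of a container that creates the session on first use and marks the
    JSESSIONID cookie Secure when that first request arrived over HTTPS (assumed)."""

    def __init__(self):
        self._sessions = {}

    def handle(self, scheme, path, request_cookies):
        sid = request_cookies.get("JSESSIONID")
        set_cookie = None
        if sid not in self._sessions:
            # No usable session cookie arrived: create a new session.
            sid = secrets.token_hex(16)
            self._sessions[sid] = {"authenticated": False}
            set_cookie = Cookie("JSESSIONID", sid, secure=(scheme == "https"))
        session = self._sessions[sid]
        if path == "/login":
            session["authenticated"] = True
        # Constructed rule mirroring the thread's config: /app/** needs authentication.
        secured = path.startswith("/app/")
        status = "ok" if (not secured or session["authenticated"]) else "redirect-to-login"
        return status, sid, set_cookie


def walk_through(help_scheme="http"):
    """Replay the three steps from the question; returns (scheme, path, status, sid) per request."""
    jar = BrowserCookieJar()
    server = ServletContainer()
    steps = [("https", "/login"),
             ("https", "/app/Dashboard.action"),
             (help_scheme, "/help.html"),
             ("https", "/app/Dashboard.action")]
    results = []
    for scheme, path in steps:
        status, sid, set_cookie = server.handle(scheme, path, jar.header_for(scheme))
        if set_cookie:
            jar.store(set_cookie)
        results.append((scheme, path, status, sid))
    return results


if __name__ == "__main__":
    for row in walk_through():
        print("mixed http/https:", row)
    for row in walk_through("https"):
        print("https only:     ", row)
```

In the mixed run the last request is served under the session id created by the HTTP request and ends in `redirect-to-login`; in the HTTPS-only run every request reuses the authenticated session. Checking which scheme each page is linked under, and whether the session cookie carries the Secure attribute, is the quickest way to confirm this is what is happening in a real deployment.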
