Announcement Announcement Module
No announcement yet.
Preauth Filter and invalid-session-url Page Title Module
Move Remove Collapse
Conversation Detail Module
  • Filter
  • Time
  • Show
Clear All
new posts

  • Preauth Filter and invalid-session-url

    We are using Spring Security 3.0.5 with a preauth filter (to integrate with our SSO product). We are trying to get 'invalid-session-url' to work in this scenario. If the Tomcat session expires before the SSO session then we want to take the user to the invalid-session-url. However the preauth filter runs before the SessionManagementFilter and creates the Authentication object in the SecurityContext. The SessionManagementFilter only checks for an invalid session if the Authentication object is null, which it isn't.

    Does anyone have suggestions on getting this setup to work?
    To me it seems that the invalid-session detection should happen prior to checking if the security context exists in SessionManagementFilter(like code below), though I could see this confusing people. Is my best option a custom SessionAuthenticationStrategy that does the detection? Or creating my own 'InvalidSessionFilter' that I stick at the front of my filter chain?

            if (!securityContextRepository.containsContext(request)) {
    		if (request.getRequestedSessionId() != null && !request.isRequestedSessionIdValid()) {
                        logger.debug("Requested session ID" + request.getRequestedSessionId() + " is invalid.");
                        if (invalidSessionUrl != null) {
                            logger.debug("Starting new session (if required) and redirecting to '" + invalidSessionUrl + "'");
                            redirectStrategy.sendRedirect(request, response, invalidSessionUrl);
                Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
                if (authentication != null && !authenticationTrustResolver.isAnonymous(authentication)) {
                 // The user has been authenticated during the current request, so call the session strategy
                    try {
                        sessionStrategy.onAuthentication(authentication, request, response);
                    } catch (SessionAuthenticationException e) {
                        // The session strategy can reject the authentication
                        logger.debug("SessionAuthenticationStrategy rejected the authentication object", e);
                        failureHandler.onAuthenticationFailure(request, response, e);
                    // Eagerly save the security context to make it available for any possible re-entrant
                    // requests which may occur before the current request completes. SEC-1396.
                    securityContextRepository.saveContext(SecurityContextHolder.getContext(), request, response);