redirect to form login when expire session Page Title Module

  • redirect to form login when expire session

    Hi,

    I have an MVC application with Spring Security and ExtJS. If the user is not logged in, Spring Security automatically redirects to the login form, but if the user accesses the application after the session has expired, the redirect does not work correctly. I can see the redirect in the log and in the browser debugger, but it does not complete.


    grateful,

    Paulo Cordeiro

    Code:
    <?xml version="1.0" encoding="UTF-8"?>
    <!-- Servlet 2.5 deployment descriptor. It loads the root Spring context,
         routes every request through the Spring Security filter chain, and
         hands application requests to a single DispatcherServlet. -->
    <web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    	xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">
    
    	<!-- Configuration files for the root Spring container shared by all
    		Servlets and Filters. The security configuration is loaded here, in
    		the root context, which is where DelegatingFilterProxy looks up the
    		filter chain bean. -->
    	<context-param>
    		<param-name>contextConfigLocation</param-name>
    		<param-value>
    	        classpath:applicationContext.xml
    	        /WEB-INF/application-security.xml
            </param-value>
    	</context-param>
    
    	<!-- DelegatingFilterProxy forwards to the Spring bean named after the
    		filter-name. "springSecurityFilterChain" is the bean the security
    		namespace registers, so this name must not be changed. -->
    	<filter>
    		<filter-name>springSecurityFilterChain</filter-name>
    		<filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    	</filter>
    
    	<!-- Every request, static resources included, passes through the
    		security filter chain. Which paths are open or protected is decided
    		by the rules in the security configuration, not here. -->
    	<filter-mapping>
    		<filter-name>springSecurityFilterChain</filter-name>
    		<url-pattern>/*</url-pattern>
    	</filter-mapping>
    	
    	<!-- Creates the Spring Container shared by all Servlets and Filters -->
    	<listener>
    		<listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    	</listener>
    
    	<!-- Publishes HTTP session create/destroy events into the Spring
    		context. The SessionRegistry used for concurrent session control
    		depends on these events to drop entries for sessions the container
    		has timed out; without this listener a user whose session expired
    		can remain counted against the session limit. -->
    	<listener>
    		<listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
    	</listener>
    
    	<!-- Processes application requests. No contextConfigLocation init-param
    		is given, so the servlet presumably loads its context from the
    		default location derived from the servlet name; confirm that file
    		exists in the deployment. -->
    	<servlet>
    		<servlet-name>appServlet</servlet-name>
    		<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
    		<load-on-startup>1</load-on-startup>
    	</servlet>
    
    	<servlet-mapping>
    		<servlet-name>appServlet</servlet-name>
    		<url-pattern>/</url-pattern>
    	</servlet-mapping>
    
    	<session-config>
            <!-- The value is in minutes. One minute is a test-only setting used
                 to reproduce session expiry quickly; replace it with the real
                 idle timeout before deployment. -->
    		<session-timeout>1</session-timeout>
    	</session-config>
    
    </web-app>

    Code:
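    <?xml version="1.0" encoding="UTF-8"?>
    <!-- Spring Security 3.1 configuration: URL access rules, a custom form
         login filter, a second URL interceptor driven by a properties file,
         concurrent session control limited to one session per user, and a
         JDBC-backed user service. -->
    <beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    	xmlns:sec="http://www.springframework.org/schema/security" xmlns:util="http://www.springframework.org/schema/util"
    	xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd
    		http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
    		http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-3.1.xsd">
    
    
    	<!-- Development aid only: the debug element logs details of each
    		request and of the filter chain applied to it, which can include
    		session identifiers. Remove it before deploying. -->
    	<sec:debug />
    
    	<!-- Enables the @PreAuthorize / @PostAuthorize family of annotations on
    		beans defined in this application context. -->
    	<sec:global-method-security pre-post-annotations="enabled" />
    
    	<!-- auto-config is off, so there is no namespace form-login element.
    		The login filter is supplied as a custom filter below and the entry
    		point is set explicitly through entry-point-ref. -->
    	<sec:http auto-config="false" use-expressions="true" entry-point-ref="authenticationEntryPoint" >
    		<!-- Rules are evaluated in declaration order and the first match
    			wins. Only the exact path "/" requires authentication here; any
    			other path is not matched by these rules and is protected only
    			by the custom filterSecurityInterceptor and its urls.properties
    			(not shown). NOTE(review): confirm that file covers every
    			server endpoint, or add a closing catch-all rule. -->
    		<sec:intercept-url pattern="/login*" access="permitAll" />
    		<sec:intercept-url pattern="/resources/**" access="permitAll" />
    		<!-- NOTE(review): presumably the static ExtJS client files. Confirm
    			that no controller or data endpoint is served under /app/. -->
    		<sec:intercept-url pattern="/app/**" access="permitAll" />
    		<sec:intercept-url pattern="/" access="isAuthenticated()" />
    		
    		<!-- The project login filter takes the slot of the standard form
    			login filter. The second interceptor is added in front of the one
    			the namespace builds from the intercept-url rules above, so both
    			run on every request. -->
    		<sec:custom-filter position="FORM_LOGIN_FILTER" ref="authenticationProcessingFilter" />
    		<sec:custom-filter before="FILTER_SECURITY_INTERCEPTOR" ref="filterSecurityInterceptor" />
    		<sec:custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter" />
    		
    		<!-- Logout invalidates the server session and also expires the
    			session cookie. /login_1 is matched by the "/login*" permitAll
    			rule, so the landing page is reachable after logout. -->
    		<sec:logout logout-url="/logout" delete-cookies="JSESSIONID" invalidate-session="true" logout-success-url="/login_1"/>
    		<sec:access-denied-handler error-page="/accessDenied"  />
    		<!-- Applies the concurrency strategy at login time. No
    			invalid-session-url is configured, so a request carrying the id
    			of a timed-out session is treated like any other unauthenticated
    			request and goes to the entry point. -->
    		<sec:session-management session-authentication-strategy-ref="sas" />
    	</sec:http>
    
    	<!-- Redirects to expiredUrl when the session of the current request has
    		been marked expired in the registry by concurrent session control
    		(a newer login by the same user). It does not react to a container
    		idle timeout. NOTE(review): /session-expired.htm is not covered by a
    		permitAll rule above; confirm it is reachable without a session. -->
    	<bean id="concurrencyFilter" class="org.springframework.security.web.session.ConcurrentSessionFilter">
    		<constructor-arg name="sessionRegistry" ref="sessionRegistry" />
    		<constructor-arg name="expiredUrl" value="/session-expired.htm" />
    	</bean>
    
    	<!-- In-memory registry of live sessions per principal. It relies on the
    		HttpSessionEventPublisher listener in web.xml to learn about
    		sessions the container destroys. -->
    	<bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" />
    
    	<!-- Allows one session per user. exceptionIfMaximumExceeded is not set,
    		so (with the framework default) a new login is expected to expire
    		the earlier session rather than be rejected. -->
    	<bean id="sas" class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
    		<constructor-arg name="sessionRegistry" ref="sessionRegistry" />
    		<property name="maximumSessions" value="1" />
    	</bean>
    
    	<!-- Answers every unauthenticated request with a redirect to /login.
    		An XMLHttpRequest follows that redirect transparently, so an AJAX
    		caller with an expired session receives the login page markup as
    		its response body instead of a status it can act on.
    		NOTE(review): consider an entry point that returns 401 for AJAX
    		requests so the client can send the user to the login page. -->
    	<bean id="authenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
    		<constructor-arg value="/login" />
    	</bean>
    
    	<!-- Project-specific login filter and success handler; their behaviour
    		is not visible in this file. After a successful login the handler is
    		configured to send the user to /home. -->
    	<bean id="authenticationProcessingFilter" class="com.mycompany.project.security.DpUsernamePasswordAuthenticationFilter">
    		<property name="authenticationManager" ref="authenticationManager" />
    		<property name="authenticationSuccessHandler">
    			<bean class="com.mycompany.project.security.DpAuthenticationSuccessHandler">
    				<property name="defaultTargetUrl" value="/home" />
    			</bean>
    		</property>
    	</bean>
    
    	<!-- Project-specific interceptor whose URL-to-authority mapping comes
    		from securityMetadataSource below. -->
    	<bean id="filterSecurityInterceptor" class="com.mycompany.project.security.FilterSecurityInterceptor">
    		<property name="authenticationManager" ref="authenticationManager" />
    		<property name="accessDecisionManager" ref="affirmativeBased" />
    		<property name="securityMetadataSource" ref="securityMetadataSource" />
    	</bean>
    
    	<!-- Access rules for the custom interceptor are read from a properties
    		file under WEB-INF, which the container does not serve directly. -->
    	<bean id="securityMetadataSource" class="com.mycompany.project.security.DpFilterInvocationSecurityMetadataSource">
    		<property name="urlProperties">
    			<util:properties location="/WEB-INF/urls.properties" />
    		</property>
    	</bean>
    
    	<!-- AffirmativeBased grants access as soon as any one voter votes to
    		grant, so a single permissive attribute on a URL is enough. -->
    	<bean id="affirmativeBased" class="org.springframework.security.access.vote.AffirmativeBased">
    		<constructor-arg>
    			<list>
    				<bean class="org.springframework.security.access.vote.RoleVoter" />
    				<bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
    			</list>
    		</constructor-arg>
    	</bean>
    
    	<sec:authentication-manager alias="authenticationManager">
    		<sec:authentication-provider user-service-ref="jdbcUserService">
    			<!-- NOTE(review): no salt-source is configured, so stored
    				passwords are a single unsalted SHA-256 digest, which is
    				fast to brute-force and lets identical passwords share a
    				hash. Prefer an adaptive, salted scheme such as bcrypt.
    				Changing the encoder requires re-hashing the stored
    				passwords, so it is left as is here. -->
    			<sec:password-encoder hash="sha-256" />
    		</sec:authentication-provider>
    	</sec:authentication-manager>
    
    	<!-- Project-specific user lookup. Authorities are taken from group
    		membership only: per-user authorities are switched off. -->
    	<bean id="jdbcUserService" class="com.mycompany.project.dao.security.DpUserDao">
    		<property name="dataSource" ref="dataSource" />
    		<property name="enableGroups" value="true" />
    		<property name="enableAuthorities" value="false" />
    	</bean>
    	
    
    </beans>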
    Last edited by pscor; Feb 3rd, 2012, 07:39 AM.

  • #2
    http://static.springsource.org/sprin...s-session-mgmt



    • #3
      thank you arthomps.

      I followed the instructions in the documentation and it worked for ordinary requests.
      The problem occurs when an AJAX request is made after the session has expired, because the login form is returned as the AJAX response.



      • #4
        Hi,

        I solved my problem by adding a check on the client that anticipates the server timeout and redirects to the login form.

