  • Redirect to invalid-session-url only when user accesses secured resource

    Hi

    This is a fragment of my configuration:

    Code:
    <http auto-config="true" entry-point-ref="authenticationEntryPoint">
           <form-login authentication-success-handler-ref="redirectingAuthenticationSuccessHandler" authentication-failure-handler-ref="defaultAuthFailureHandler" />
    	<logout logout-url="/logout" logout-success-url="/afterlogout" invalidate-session="true" />
            <intercept-url pattern="/css/**" filters="none" />
    	<intercept-url pattern="/img/**" filters="none" />
    	<intercept-url pattern="/js/**" filters="none" />
    	<intercept-url pattern="/login" requires-channel="https" />
    	<intercept-url pattern="/afterlogout" requires-channel="http" />
    	<intercept-url pattern="/admin/**" access="ROLE_OPERATOR" requires-channel="https" />
    	<intercept-url pattern="/invitation/**" requires-channel="https" />
    	<intercept-url pattern="/survey/**" access="ROLE_AUTHENTICATED" requires-channel="https" />
    	<intercept-url pattern="/changepassword" access="ROLE_AUTHENTICATED" requires-channel="https" />
    	<intercept-url pattern="/evaluate/**" access="ROLE_END_USER" />
    	<intercept-url pattern="/rfi/enduser/**" access="ROLE_END_USER" requires-channel="https" />
    	<intercept-url pattern="/rfi/vendor/**" access="ROLE_VENDOR_USER" requires-channel="https" />
    	<intercept-url pattern="/profile/**" access="ROLE_VENDOR_USER, ROLE_END_USER" requires-channel="https" />
    	<intercept-url pattern="/enduser/**" access="ROLE_AUTHENTICATED" requires-channel="https" />
    	<intercept-url pattern="/addoreditopinion/**" access="ROLE_END_USER" />
    	<intercept-url pattern="/forgottenpassword/**" access="ROLE_ANONYMOUS" />
    	<session-management invalid-session-url="/login?sessionExpired=true">
    		<concurrency-control max-sessions="1" expired-url="/login?concurrentLogin=true"/>
    	</session-management>
    </http>
    As you can see, some URLs in my app are restricted to certain roles. On the other hand, some URLs don't require any authentication at all. When a user logs in and after some time his session expires for any reason (concurrent login, timeout or anything else), he is always redirected to the invalid-session-url, and it doesn't matter whether he is accessing a secured or an unsecured resource.

    I would like to change that behaviour so that a user is redirected to the invalid-session-url if and only if he wants to access a secured resource. In other words, the application should allow him to access an unsecured resource when his session has expired, without redirecting to the invalid-session-url. Does anyone know how to implement that with Spring Security 3.0.5?

    Best regards

  • #2
    There's no built-in way of doing it (and detecting session timeouts is rather limited at the best of times, as a genuine logout can also be mistaken for a session timeout).

    If you want to do the check only when access is denied then you'd probably need to build the behaviour into a customized AuthenticationEntryPoint.

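    One way to build the check into the entry point, as reply #2 suggests. This is an added example, not code from the thread or from Spring Security itself: the class name, package and bean wiring are assumptions, and it relies on the fact that ExceptionTranslationFilter only calls the AuthenticationEntryPoint after access to a secured URL has been refused, so unsecured URLs are never touched. The invalid-session-url must be removed from <session-management> so the SessionManagementFilter stops redirecting on its own.

```java
// Added example (not from the thread): an AuthenticationEntryPoint that sends
// the user to the "session expired" page only when the container rejects the
// session id the browser presented, and otherwise behaves like the stock login
// entry point. Package, class and bean names are assumptions.
package com.example.security;

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.DefaultRedirectStrategy;
import org.springframework.security.web.RedirectStrategy;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;

/*
 * Wiring, matching the entry-point-ref="authenticationEntryPoint" already in
 * the <http> element of the question (and with invalid-session-url removed):
 *
 * <bean id="authenticationEntryPoint"
 *       class="com.example.security.SessionExpiredAwareEntryPoint">
 *   <property name="loginFormUrl" value="/login"/>
 *   <property name="expiredUrl"   value="/login?sessionExpired=true"/>
 * </bean>
 */
public class SessionExpiredAwareEntryPoint extends LoginUrlAuthenticationEntryPoint {

    private String expiredUrl = "/login?sessionExpired=true";
    private final RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();

    /** True when the client sent a session id that the container no longer knows. */
    static boolean requestedSessionExpired(HttpServletRequest request) {
        return request.getRequestedSessionId() != null
                && !request.isRequestedSessionIdValid();
    }

    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response,
            AuthenticationException authException) throws IOException, ServletException {

        // We only get here when ExceptionTranslationFilter refused access to a
        // secured URL for an unauthenticated user, so the "only on secured
        // resources" condition of the question is already satisfied.
        if (requestedSessionExpired(request)) {
            request.getSession(); // start a fresh session, as SessionManagementFilter does
            redirectStrategy.sendRedirect(request, response, expiredUrl);
            return;
        }
        // Never-authenticated user: ordinary redirect to the login form.
        super.commence(request, response, authException);
    }

    public void setExpiredUrl(String expiredUrl) {
        this.expiredUrl = expiredUrl;
    }
}
```

    Two caveats that follow from reply #2. After a logout with invalidate-session="true" the browser still sends the old JSESSIONID cookie, so a later click on a secured URL looks exactly like a timeout and also lands on the sessionExpired page. And the concurrent-login case from the question is handled by ConcurrentSessionFilter and its expired-url, which this entry point does not change.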


    • #3
      I thought of writing my own implementation of

      Code:
      org.springframework.security.web.session.SessionManagementFilter
      This is one of the Spring Security filters, which seems to be responsible for checking whether the session is invalid and redirecting to the invalid-session-url no matter what. I located the if block that is responsible for that:

      Code:
      // No security context or authentication present. Check for a session timeout
                      if (request.getRequestedSessionId() != null && !request.isRequestedSessionIdValid()) {
                          logger.debug("Requested session ID" + request.getRequestedSessionId() + " is invalid.");
      
                          if (invalidSessionUrl != null) {
                              logger.debug("Starting new session (if required) and redirecting to '" + invalidSessionUrl + "'");
                              request.getSession();
                              redirectStrategy.sendRedirect(request, response, invalidSessionUrl);
      
                              return;
                          }
                      }
      I could write an extra check on whether the request asks for a secured resource and redirect to the invalid-session-url only if it does. Unfortunately I don't know how to do that at the moment, so I've just removed invalid-session-url from my configuration.



      • #4
        Any developments about this issue? I am having the same problems. Thanks in advance.



        • #5
          I've customized the SessionManagementFilter so that the user is redirected to the invalidSessionUrl only if the requested page is secured (i.e. it is allowed only for authenticated users):

          Code:
          if (invalidSessionUrl != null) {
              String pagSolicitada = UtilSpringSecurity.extraerPagina(request);
              if (UtilSpringSecurity.paginaAutenticada(pagSolicitada)) {
                  request.getSession();
                  redirectStrategy.sendRedirect(request, response, invalidSessionUrl);
                  return;
              }
              // the requested page doesn't require the user to be authenticated,
              // so I just skip this filter and continue with the filter chain
              chain.doFilter(request, response);
              return;
          }

          The method "UtilSpringSecurity.extraerPagina(request)" returns the requested page this way:
          Code:
          public static String extraerPagina(HttpServletRequest request) {
              String uri = request.getRequestURI().toLowerCase();
              String cPath = request.getContextPath().toLowerCase();
              // uri = cPath + pagina
              int longCPath = cPath.length();
              String pagina = uri.substring(longCPath);
              return pagina;
          }

          And the method "UtilSpringSecurity.paginaAutenticada(pagSolicitada)" returns true if the parameter is a page that requires the user to be authenticated (I do the check with IFs, considering the intercept-url elements of my XML security config file which have the attribute access="isAuthenticated()", because I don't know how to check it automatically). In my case:

          Code:
          public static boolean paginaAutenticada(String pagina) {
              if (pagina.startsWith("/faces/paginas/administracion/") ||
                  pagina.startsWith("/faces/paginas/barco/")) {
                  return true;
              }
              return false;
          }

          This solution works, but it has just one problem:

          If I leave the browser idle at a page until the session timeout expires, and then I request the same page, I get a "ViewExpiredException" (I use JSF). This is because the filter worked well: it bypassed the redirection to the invalidSessionUrl, but as the session expired anyway, I get that exception when trying to re-render the same page.

          Anyone knows how to solve this?

          I hope my solution is useful to somebody.

          Thank you in advance.

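          Post #5 asks how to decide "automatically" whether a URL is secured instead of hard-coding path prefixes. Spring Security already holds that mapping: the FilterSecurityInterceptor built by the <http> namespace exposes a FilterInvocationSecurityMetadataSource that returns the ConfigAttributes of the matching intercept-url. The filter below, an added example rather than code from the thread or from Spring Security, consults that source and treats a URL as secured when it carries any attribute other than the anonymous ones. It also avoids the lowercasing and substring handling of extraerPagina, since the metadata source applies the same matching the interceptor itself uses. The package, bean name, the <custom-filter> placement before SESSION_MANAGEMENT_FILTER (with invalid-session-url removed from <session-management>) and the autowiring of the namespace-created FilterSecurityInterceptor (which needs <context:annotation-config/>) are assumptions.

```java
// Added example (not from the thread): redirect to the invalid-session URL only
// when a stale session id is used on a URL that the <http> configuration secures.
// Register with:
//   <custom-filter before="SESSION_MANAGEMENT_FILTER" ref="expiredSessionFilter"/>
//   <bean id="expiredSessionFilter"
//         class="com.example.security.ExpiredSessionOnSecuredUrlFilter">
//     <property name="invalidSessionUrl" value="/login?sessionExpired=true"/>
//   </bean>
// Package, bean name and the autowiring of the interceptor are assumptions.
package com.example.security;

import java.io.IOException;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.web.DefaultRedirectStrategy;
import org.springframework.security.web.FilterInvocation;
import org.springframework.security.web.RedirectStrategy;
import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
import org.springframework.web.filter.GenericFilterBean;

public class ExpiredSessionOnSecuredUrlFilter extends GenericFilterBean {

    /** Attributes that grant access without authentication (role form and expression form). */
    private static final Set<String> ANONYMOUS_ATTRIBUTES = new HashSet<String>(Arrays.asList(
            "ROLE_ANONYMOUS", "IS_AUTHENTICATED_ANONYMOUSLY", "permitAll"));

    private String invalidSessionUrl = "/login?sessionExpired=true";
    private final RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();
    private FilterInvocationSecurityMetadataSource metadataSource;

    /** The <http> namespace registers one FilterSecurityInterceptor; reuse its URL-to-attribute map. */
    @Autowired
    public void setFilterSecurityInterceptor(FilterSecurityInterceptor interceptor) {
        this.metadataSource = interceptor.getSecurityMetadataSource();
    }

    public void setInvalidSessionUrl(String url) {
        this.invalidSessionUrl = url;
    }

    /** True when the matching intercept-url carries an attribute that an anonymous user cannot satisfy. */
    boolean isSecured(HttpServletRequest request, HttpServletResponse response, FilterChain chain) {
        Collection<ConfigAttribute> attrs =
                metadataSource.getAttributes(new FilterInvocation(request, response, chain));
        if (attrs == null || attrs.isEmpty()) {
            return false; // no access= attribute matched: public URL
        }
        for (ConfigAttribute attr : attrs) {
            // SecurityConfig returns the role from getAttribute(); expression attributes
            // (use-expressions="true") return null there and the expression via toString().
            String value = attr.getAttribute() != null ? attr.getAttribute() : attr.toString();
            if (!ANONYMOUS_ATTRIBUTES.contains(value.trim())) {
                return true;
            }
        }
        return false; // e.g. access="ROLE_ANONYMOUS" as on /forgottenpassword/**
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Same test SessionManagementFilter uses: a session id was sent but is no longer valid.
        boolean staleSessionId = request.getRequestedSessionId() != null
                && !request.isRequestedSessionIdValid();

        if (staleSessionId && isSecured(request, response, chain)) {
            logger.debug("Expired session " + request.getRequestedSessionId()
                    + " used for secured URL " + request.getRequestURI());
            request.getSession(); // start a new session, mirroring SessionManagementFilter
            redirectStrategy.sendRedirect(request, response, invalidSessionUrl);
            return;
        }
        // Public URL, valid session, or no session at all: let the request through.
        // A stale cookie on a public page then simply behaves like an anonymous visit.
        chain.doFilter(request, response);
    }
}
```

          URLs marked filters="none" (the /css, /img and /js patterns in the question) never reach this filter, which is the intended outcome. Note that this does not address the JSF ViewExpiredException from post #5: with server-side state saving the view state lives in the session that has just been lost, so a postback to a page rendered before the timeout still cannot restore its view, whichever filter let the request through.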
