  • Spring Security Principal Incorrectly Persisted

    Hello,

    My web application is using Spring Security and everything seems fine except for one thing. Once I authenticate a user in one browser they are always authenticated. If I close all instances of a certain browser (for example Chrome) and open a new instance, I'm not prompted for authentication and proceed directly to the secured resource. If I bounce my local dev server then I'm prompted as expected. I need a sticky session but not that sticky. Any ideas why Spring doesn't prompt me again after closing all browser instances? I'm using spring-security*3.1.0.M1 and spring-core-3.0.5.RELEASE. Thanks for the assistance!

    security context file (removed the xml and schema definitions):
    Code:
    <global-method-security secured-annotations="enabled">
    </global-method-security>
    <http security="none" pattern="/services/rest-api/1.0/**" />
    <http security="none" pattern="/preregistered/**" />
    <http access-denied-page="/auth/denied.html">
        <intercept-url
            pattern="/**/*.xhtml"
            access="ROLE_NONE_GETS_ACCESS" />
        <intercept-url
            pattern="/auth/**"
            access="ROLE_ANONYMOUS,ROLE_USER" />
        <intercept-url
            pattern="/auth/*"
            access="ROLE_ANONYMOUS" />
        <intercept-url
            pattern="/**"
            access="ROLE_USER" />
        <form-login
            login-processing-url="/j_spring_security_check.html"
            login-page="/auth/login.html"
            default-target-url="/registered/home.html"
            authentication-failure-url="/auth/login.html?_dc=45" />
        <logout logout-url="/auth/logout.html"
                logout-success-url="/" />
        <anonymous username="guest" granted-authority="ROLE_ANONYMOUS"/>
        <!-- remember-me issues a persistent cookie that re-authenticates the
             user across browser restarts (default validity is two weeks) -->
        <remember-me user-service-ref="userManager" key="valid key here"/>
    </http>
    <!-- Configure the authentication provider -->
    <authentication-manager>
        <authentication-provider user-service-ref="userManager">
            <password-encoder ref="passwordEncoder" />
        </authentication-provider>
    </authentication-manager>

  • #2
    Is the user utilizing the remember me feature to log in? If so, that is exactly what the feature is supposed to do.

    If not, check the cookies set for your site when the browser opens to see if the JSESSIONID is still assigned. How the HTTP session lifetime is managed will depend mostly on your application server settings, so have a look there as well.
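As an added example (not code from the thread or from Spring itself), here is a small Python check for the advice in #2: parse the Set-Cookie headers the application returns after login and classify which cookies are session-scoped (discarded when the last browser window closes) and which are persistent (written to disk and sent again on the next start, which is what `<remember-me>` relies on). The headers are constructed samples; the cookie names are Spring Security 3.x defaults, the token value is a placeholder, and 1209600 seconds is Spring's default remember-me validity when token-validity-seconds is not set.

```python
from http.cookies import SimpleCookie

# Constructed sample of the Set-Cookie headers a Spring Security 3.x
# application sends after a successful form login with <remember-me>
# enabled. JSESSIONID carries no Expires/Max-Age (session cookie); the
# remember-me cookie does (persistent). PLACEHOLDER_TOKEN is not a real token.
SAMPLE_SET_COOKIE_HEADERS = [
    "JSESSIONID=ABC123DEF456; Path=/; HttpOnly",
    "SPRING_SECURITY_REMEMBER_ME_COOKIE=PLACEHOLDER_TOKEN; Path=/; Max-Age=1209600",
]

SECONDS_PER_DAY = 86400


def classify_cookies(set_cookie_headers):
    """Map each cookie name to 'session' or 'persistent'.

    A cookie with neither Expires nor Max-Age lives only as long as the
    browser process; one with either attribute is stored on disk and will be
    presented again after every window has been closed and reopened.
    """
    result = {}
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            persistent = bool(morsel["expires"]) or bool(morsel["max-age"])
            result[name] = "persistent" if persistent else "session"
    return result


def survives_browser_restart(set_cookie_headers):
    """Names of the cookies that will still be sent after a browser restart."""
    kinds = classify_cookies(set_cookie_headers)
    return sorted(name for name, kind in kinds.items() if kind == "persistent")


def remember_me_validity_days(set_cookie_headers):
    """How many days the remember-me cookie stays valid, or None if absent.

    Lowering token-validity-seconds (or dropping <remember-me>) is what
    shortens this window; the JSESSIONID lifetime is a container setting.
    """
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        morsel = jar.get("SPRING_SECURITY_REMEMBER_ME_COOKIE")
        if morsel is not None and morsel["max-age"]:
            return int(morsel["max-age"]) / SECONDS_PER_DAY
    return None
```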
