user1488648
Reputation: 11
Removing Session in Spring Security
I want to put security for all the URL's except the login screen URL in spring security, but I don't want to use session management.
Please help me out in this issue. my security context file is below
<security:http pattern="/" security="none" />
<security:http auto-config="false" use-expressions="true" create-session="stateless" access-denied-page="/" entry-point-ref="authenticationEntryPoint" >
<security:intercept-url pattern="/**" access="isAuthenticated()" />
<security:intercept-url pattern="/logout" access="permitAll" />
<security:intercept-url pattern="/logout.jsp" access="permitAll" />
<security:logout logout-url="/j_spring_security_logout" />
<security:custom-filter ref="authenticationFilter" position="FORM_LOGIN_FILTER"/>
</security:http>
Upvotes: 0
Views: 417
Answers (1)
zagyi
Reputation: 17518
The ordering of your intercept-url tags is wrong. Quote from the reference docs:
You can use multiple elements to define different access requirements for different sets of URLs, but they will be evaluated in the order listed and the first match will be used. So you must put the most specific matches at the top.
Move the intercept-url with the universal match pattern to the bottom of the list.
Upvotes: 2
Related Questions
- Removing user login credentials from session when user logout in spring-security
- Spring MVC: How to remove session attribute?
- Spring security delete user - session still active
- logout specific session Id in spring security
- Invalidate session spring security
- Spring Boot - How to kill current Spring Security session?
- Invalidate spring security session
- How to invalidate session on logout in Spring
- Clear Spring Session on Login?
- Is it possible to invalidate a spring security session?