JayL

Reputation: 2899

Spring Security session-management setting and IllegalStateException

I'm trying to add <session-management> in my Spring Security namespace configuration so that I can provide a different message than the login page when the session times out. As soon as I add it to my configuration it starts throwing "IllegalStateException: Cannot create a session after the response has been committed" when I access the app.

I'm using Spring Security 3 and Tomcat 6. Here's my configuration:

<http>
    <intercept-url pattern="/go.htm" access="ROLE_RESPONDENT" />
    <intercept-url pattern="/complete.htm" access="ROLE_RESPONDENT" />
    <intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <form-login login-processing-url="/j_spring_security_check"
                login-page="/login.htm"
                authentication-failure-url="/login.htm?error=true"
                default-target-url="/go.htm"
    />
    <anonymous/>
    <logout logout-success-url="/logout_message.htm"/>
    <session-management invalid-session-url="/login.htm" />
</http>

Everything works great until I add in the <session-management> line. What am I missing?

Upvotes: 2

Views: 18421

Answers (3)

Shaun the Sheep

Reputation: 22752

You are probably hitting this bug:

https://jira.springsource.org/browse/SEC-1346

Try using the up-to-date version (3.0.2.RELEASE).

Upvotes: 1

Alessandro

Reputation: 611

Maybe including the auto-config="true" attribute in the <http> tag helps; you might be missing some required filters or settings.

Upvotes: 0

wuntee

Reputation: 12480

This works for me:

<session-management invalid-session-url="/taac/login">
    <concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
</session-management>

Upvotes: 0
