Reputation: 333
Spring Boot Security Logout Does Not Invalidate Session
My enhanced Pet Clinic application requires security.
Currently the logout functionality does not seem to work. I have a GET version (simple link) and a POST version (hidden form submitted by a link).
After login, whichever method I use to log out, once I try to log in again, the new login is not allowed.
I believe this is linked to this section:
.sessionManagement()
.maximumSessions(1)
.maxSessionsPreventsLogin(true)
.expiredUrl("/login?expired")
but I thought that this section:
.logout()
.logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
.logoutSuccessUrl("/")
.permitAll()
would invalidate my HttpSession so that the next login would be allowed, but that is not happening.
When I look at the logs, these are the lines that are different when I log in the 2nd time:
s.CompositeSessionAuthenticationStrategy : Delegating to org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy@2cc9f3de
w.a.UsernamePasswordAuthenticationFilter : Authentication request failed: org.springframework.security.web.authentication.session.SessionAuthenticationException: Maximum sessions of 1 for this principal exceeded
w.a.UsernamePasswordAuthenticationFilter : Updated SecurityContextHolder to contain null Authentication
w.a.UsernamePasswordAuthenticationFilter : Delegating to authentication failure handler org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler@16c670c3
.a.SimpleUrlAuthenticationFailureHandler : Redirecting to /login?error
Any advice would be welcome.
My application can be found at https://github.com/arnaldop/enhanced-pet-clinic.
Here's code from my WebSecurityConfigurerAdapter subclass:
private static final String[] UNSECURED_RESOURCE_LIST =
new String[] {"/", "/resources/**", "/assets/**", "/css/**", "/webjars/**",
"/images/**", "/dandelion-assets/**", "/unauthorized", "/error*"};
@Override
public void configure(WebSecurity web) throws Exception {
web
.ignoring()
.antMatchers(UNSECURED_RESOURCE_LIST);
}
@Override
protected void configure(HttpSecurity http) throws Exception {
//@formatter:off
http
.authorizeRequests()
.antMatchers(UNSECURED_RESOURCE_LIST)
.permitAll()
.antMatchers("/owners/**", "/vets/**", "/vets*").hasRole("USER")
.antMatchers("/manage/**").hasRole("ADMIN")
.anyRequest()
.permitAll()
.and()
.formLogin()
.loginPage("/login")
.failureUrl("/login?error")
.permitAll()
.and()
.logout()
.logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
.logoutSuccessUrl("/")
.permitAll()
.and()
.requiresChannel()
.antMatchers("/login", "/owners/**", "/vets/**", "/vets*", "/manage/**")
.requiresSecure()
.and()
.exceptionHandling()
.accessDeniedPage("/router?q=unauthorized")
.and()
.sessionManagement()
.maximumSessions(1)
.maxSessionsPreventsLogin(true)
.expiredUrl("/login?expired")
;
//@formatter:on
}
Upvotes: 1
Views: 7677
Answers (1)
Reputation: 1012
I had also the same problem on spring boot which I fixed it by implementing HttpSessionEventPublisher
// Register HttpSessionEventPublisher
@Bean
public static ServletListenerRegistrationBean httpSessionEventPublisher() {
return new ServletListenerRegistrationBean(new HttpSessionEventPublisher());
}
Upvotes: 4
Related Questions
- Spring Security logout does not work - does not clear security context and authenticated user still exists
- Spring Security deletes session form the database when user logs out
- Spring Security Logout session is not invalidated
- Call to j_spring_security_logout not working
- Issue with Spring security's logout
- Spring Security 3 Logout not working
- setting logout invalidate-session to false
- Spring Security: Not able to logout/invalidate session
- Spring Security session invalidation via logout
- Spring-Security with /j_spring_security_logout possibly not logging out fully