Algorithm

Reputation: 149

Spring Security Redirecting to invalid-session-url on a fresh application launch

I have just configured session management in my web app, but Spring keeps redirecting to the invalid-session-url specified in the session management. This happens when the contextPath is launched in the browser, before I have attempted to log in or any session has expired.

This is my configuration below:

<beans:beans xmlns="http://www.springframework.org/schema/security"
    xmlns:beans="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.springframework.org/schema/beans
        http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
        http://www.springframework.org/schema/security
        http://www.springframework.org/schema/security/spring-security-3.2.xsd">

    <http auto-config="true" use-expressions="true">
        <intercept-url pattern="/login*" access="permitAll" />
        <intercept-url pattern="/styles/calvary.css" access="permitAll" />
        <intercept-url pattern="/styles/vendor/foundation.min.css" access="permitAll" />
        <intercept-url pattern="/styles/vendor/normalize.css" access="permitAll" />
        <intercept-url pattern="/styles/fonts/gothic.eot" access="permitAll" />
        <intercept-url pattern="/styles/fonts/gothic.woff" access="permitAll" />
        <intercept-url pattern="/styles/fonts/gothic.ttf" access="permitAll" />
        <intercept-url pattern="/scripts/vendor/vendor/modernizr.js" access="permitAll" />
        <intercept-url pattern="/scripts/vendor/vendor/jquery.js" access="permitAll" />
        <intercept-url pattern="/scripts/vendor/foundation/foundation.min.js" access="permitAll" />
        <intercept-url pattern="/scripts/vendor/foundation/foundation.abide.js" access="permitAll" />
        <intercept-url pattern="/scripts/calvary.js" access="permitAll" />
        <intercept-url pattern="/images/lg.png" access="permitAll" />
        <intercept-url pattern="/images/red_indicator.gif" access="permitAll" />
        <intercept-url pattern="/**" access="isAuthenticated()" />
        <form-login login-page="/login" default-target-url="/index" authentication-failure-url="/login?error" username-parameter="username" password-parameter="password" />
        <logout logout-success-url="/login?logout" invalidate-session="false" delete-cookies="JSESSIONID"/>
        <csrf/>
        <session-management session-authentication-error-url="/login?expire=3" invalid-session-url="/login?expire=3" session-fixation-protection="migrateSession">
            <concurrency-control error-if-maximum-exceeded="true" max-sessions="1" expired-url="/login?expire"/>
        </session-management>
    </http>

    <authentication-manager>
        <authentication-provider ref="calvaryLogger"/>
    </authentication-manager>
    <beans:bean name="calvaryLogger" class="com.apr.authenticator.CalvaryLogger" />
</beans:beans>

I will really appreciate any assistance. Thanks

EDIT

Below is my web.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.1" xmlns="http://xmlns.jcp.org/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd">

    <servlet>
        <servlet-name>dispatcher</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <load-on-startup>2</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>dispatcher</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>
    <session-config>
        <session-timeout>1</session-timeout>
        <tracking-mode>COOKIE</tracking-mode>
    </session-config>
    <welcome-file-list>
        <welcome-file>redirect.jsp</welcome-file>
    </welcome-file-list>
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>/WEB-INF/applicationContext.xml
            /WEB-INF/spring-security.xml
        </param-value>
    </context-param>
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>
    <listener>
        <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
    </listener>
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    <error-page>
        <error-code>404</error-code>
        <location>/WEB-INF/viewList/404.html</location>
    </error-page>
</web-app>

Upvotes: 5

Views: 6681

Answers (2)

jmcg

Reputation: 1567

I know this was asked quite some time ago, but this happened to me recently.

Once the user logs out and logs back in, Spring Security seems to see my session as invalid and always directs me to whatever invalid-session-url is set to.

What I just did was remove this setting from my xml and the issue went away.

So instead of:

<session-management session-authentication-error-url="/login?expire=3" invalid-session-url="/login?expire=3" session-fixation-protection="migrateSession">
    <concurrency-control error-if-maximum-exceeded="true" max-sessions="1" expired-url="/login?expire"/>
</session-management>

Try:

<session-management session-authentication-error-url="/login?expire=3" session-fixation-protection="migrateSession">
    <concurrency-control error-if-maximum-exceeded="true" max-sessions="1" expired-url="/login?expire"/>
</session-management>

Upvotes: 2
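Added example (not part of the answer above and not Spring Security's own code): a simplified Java model of the check that invalid-session-url enables, assuming the filter redirects whenever an unauthenticated request presents a session id the container no longer holds. The `decide` helper, the class name and the session ids are constructed for illustration; the URL is the one from the question.

```java
import java.util.HashSet;
import java.util.Set;

/** Simplified model of the invalid-session check; not Spring Security's code. */
public class InvalidSessionCheckDemo {

    // Session ids the servlet container currently holds (constructed sample state).
    static final Set<String> liveSessions = new HashSet<>();

    /**
     * @param requestedSessionId JSESSIONID value sent by the browser, or null if none was sent
     * @param authenticated      whether the request already belongs to a logged-in user
     * @param invalidSessionUrl  value of invalid-session-url, or null when the attribute is absent
     * @return the redirect target, or null when the request continues down the filter chain
     */
    static String decide(String requestedSessionId, boolean authenticated, String invalidSessionUrl) {
        if (authenticated) {
            return null; // the check only concerns requests without a logged-in user
        }
        // A cookie was sent, but the container has no session under that id:
        // it timed out, was invalidated, or predates a server restart.
        boolean staleId = requestedSessionId != null && !liveSessions.contains(requestedSessionId);
        if (staleId && invalidSessionUrl != null) {
            return invalidSessionUrl;
        }
        return null;
    }

    public static void main(String[] args) {
        String url = "/login?expire=3";   // invalid-session-url from the question
        liveSessions.add("LIVE-0001");    // constructed id of a session that still exists

        // Browser with no cookie: nothing to judge, so no redirect.
        System.out.println("no cookie          -> " + decide(null, false, url));
        // Browser still holding a cookie from a session the container dropped:
        // redirected even though the user has not tried to log in yet.
        System.out.println("stale cookie       -> " + decide("OLD-9999", false, url));
        // Anonymous request that carries a live session id passes through.
        System.out.println("live cookie        -> " + decide("LIVE-0001", false, url));
        // Same stale cookie with the attribute removed, as the answer suggests.
        System.out.println("stale, attr absent -> " + decide("OLD-9999", false, null));
    }
}
```

Removing the attribute stops the redirect but also stops reporting real timeouts this way, so the stale-cookie case is the one to check in the browser before deciding which behaviour is wanted.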

sitakant

Reputation: 1878

It seems there is an error while creating the session. Please map your configuration with the Spring-Security App.

Upvotes: 0
