Prasanna Kumar H A

Reputation: 3431

How to get session time out message using Spring security

I want to get the session time out message when the session expires. Below is my spring-security.xml

<http auto-config="true" use-expressions="true">
    <logout logout-success-url="/" invalidate-session="true" logout-url="/LogOut"/>
    <form-login login-page="/Login" username-parameter="Name" password-parameter="Pwd"/>
    <session-management invalid-session-url="/?timeout=true">
        <concurrency-control max-sessions="1" expired-url="/Timeout?timeout=true" />
    </session-management>
</http>

According to my knowledge, using the above code, when the session expires it should redirect to /?timeout=true OR /Timeout?timeout=true. And on logout it should go to /. But in my case, on logout also it's redirecting to invalid-session-url, so I am always getting timeout=true for both normal logout and session timeout.

Please help me to differentiate this.

UPDATE

/logout request contains

HttpSession session = request.getSession();
session.invalidate();   // drop the server-side session; the browser still holds the old JSESSIONID cookie
session = null;

Upvotes: 7

Views: 21462

Answers (5)

Atul

Reputation: 3377

I had a similar issue, like

  1. If you logged in with some user say zzzz
  2. You closed the browser
  3. Again you are trying to login with same user zzzz
  4. It failed to login with message for maximum session exceeded

The code I have on my spring security file is:

<session-management invalid-session-url="/?timeout=true">
    <concurrency-control max-sessions="1" expired-url="/logout?timeout" />
</session-management>

I solved this issue by adding the session timeout entry in the web.xml file. I put the session timeout value as 5 min, built the application and deployed. It's working fine.

Might be this will help someone.

Thanks, Atul

Upvotes: 0

Kunwar Babu

Reputation: 43

Please define a request mapping for the logout-success url in your controller and from there redirect to the home page. For example, replace your mapping as below:

<http auto-config="true" use-expressions="true">
    <logout logout-success-url="/logoutSucess" invalidate-session="true" logout-url="/LogOut"/>
    <form-login login-page="/Login" username-parameter="Name" password-parameter="Pwd"/>
    <session-management invalid-session-url="/?timeout=true">
        <concurrency-control max-sessions="1" expired-url="/Timeout?timeout=true" />
    </session-management>
</http>

Define this /logoutSucess in the controller with @RequestMapping(value="/logoutSucess", method=RequestMethod.GET)

Upvotes: 0

Prasanna Kumar H A

Reputation: 3431

I solved it by writing a filter instead of depending on Spring Security.

If anyone is interested, they can use the code below:

import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.log4j.Logger;
import org.springframework.web.filter.OncePerRequestFilter;

public class FilterToGetTimeOut extends OncePerRequestFilter {

    private static final Logger LOG = Logger.getLogger(FilterToGetTimeOut.class);

    // Placeholder: the after-login page; the original post uses URL without defining it
    private static final String URL = "/Home";

    @Override
    public void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
            throws ServletException, IOException {
        try {
            String uri = request.getRequestURI();
            // "login" is a session attribute set by the application's own login handling
            Boolean loggedIn = (Boolean) request.getSession().getAttribute("login");
            if (uri.equals("/") || uri.equals("/Login/")) {
                if (Boolean.TRUE.equals(loggedIn)) {
                    response.sendRedirect(URL);     // already logged in: go to the after-login page
                    return;                         // do not continue the chain after a redirect
                }
            } else if (loggedIn == null && !uri.equals("/LogOut")) {
                // No "login" flag in the session and not the logout request itself:
                // treat it as a timed-out session and send the timeout flag to the JSP
                response.sendRedirect(request.getContextPath() + "/?timeout=true");
                return;
            }
            filterChain.doFilter(request, response);
        } catch (Exception e) {
            LOG.error("FilterToGetTimeOut failed", e);
        }
    }
}

Add this filter in web.xml.

    <filter>
        <filter-name>FilterToGetTimeOut</filter-name>
        <filter-class>package.FilterToGetTimeOut</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>FilterToGetTimeOut</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

So now the session is also invalidated and I can handle the session timeout too.

Upvotes: 6
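An added example, not the poster's filter and not Spring Security's own SessionManagementFilter: it makes the same logout-versus-timeout distinction, but with the Servlet API's stale-session check (the client presented a session id the container no longer knows) instead of a custom "login" attribute. The /LogOut and /?timeout=true paths come from the question; the logout query marker, the class name and the "/Home" landing page are assumptions. It also handles the edge case that caused the question: after a redirect the browser still sends the old JSESSIONID, so the filter creates a fresh session before redirecting (as Spring does) and the landing page is never re-classified as a timeout, which would otherwise loop.

```java
// Added example (assumptions: the "logout" query marker, the class name, "/Home").
// Maps in web.xml with <url-pattern>/*</url-pattern> like the poster's filter.
import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.web.filter.OncePerRequestFilter;

public class SessionTimeoutFilter extends OncePerRequestFilter {

    private static final String LOGOUT_PATH = "/LogOut";             // logout-url from the question
    private static final String TIMEOUT_REDIRECT = "/?timeout=true";  // invalid-session-url from the question
    private static final String LOGOUT_MARKER = "logout";             // assumed: logout-success-url="/?logout=true"
    private static final String HOME = "/Home";                       // assumed after-login page

    /** How a request relates to the session lifecycle. */
    enum RequestKind { FIRST_VISIT, ACTIVE_SESSION, EXPIRED_SESSION, LOGOUT }

    /**
     * Classify a request from what the client presented. A first-time visitor sends no
     * session id at all; a timed-out user sends an id the container has already discarded.
     * The logout request and the post-logout landing page are recognised first, because
     * the browser still carries the old id there and would otherwise look timed out.
     */
    static RequestKind classify(HttpServletRequest request, String path) {
        if (LOGOUT_PATH.equals(path) || request.getParameter(LOGOUT_MARKER) != null) {
            return RequestKind.LOGOUT;
        }
        if (request.getRequestedSessionId() == null) {
            return RequestKind.FIRST_VISIT;
        }
        return request.isRequestedSessionIdValid()
                ? RequestKind.ACTIVE_SESSION
                : RequestKind.EXPIRED_SESSION;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request,
                                    HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        // Path relative to the web application, so the filter also works when deployed under a context root
        String path = request.getRequestURI().substring(request.getContextPath().length());

        switch (classify(request, path)) {
            case EXPIRED_SESSION:
                // Issue a fresh session (and therefore a fresh JSESSIONID cookie) before redirecting;
                // otherwise the redirected request presents the stale id again and loops back here.
                request.getSession(true);
                response.sendRedirect(request.getContextPath() + TIMEOUT_REDIRECT);
                return;   // never continue the chain after committing a redirect

            case LOGOUT:
                // Replace the invalidated id so later requests are not mistaken for a timeout,
                // then let the logout handler (or the landing page) run normally.
                request.getSession(true);
                chain.doFilter(request, response);
                return;

            case ACTIVE_SESSION:
                // A logged-in user asking for the login page is sent on to the application
                if ("/".equals(path) || "/Login".equals(path)) {
                    response.sendRedirect(request.getContextPath() + HOME);
                    return;
                }
                chain.doFilter(request, response);
                return;

            case FIRST_VISIT:
            default:
                chain.doFilter(request, response);
        }
    }
}
```

Because the classification is a static method on the request alone, it can be unit-tested with a mock HttpServletRequest by setting getRequestedSessionId and isRequestedSessionIdValid; the JSP then only needs to check the timeout query parameter, exactly as in the poster's configuration.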

mehere

Reputation: 1556

In your case what happens is when a user logs out, the session is first invalidated, then session management gets triggered. When session management comes in and finds out the session has already gone, the sessionTimeout page will be redirected to. So it will be better to set invalidate-session of the logout tag to false.

<logout logout-success-url="/" invalidate-session="false" logout-url="/LogOut"/>

Upvotes: 0

FreezY

Reputation: 1671

I suggest you log out using this:

HttpSession session = request.getSession(false);
SecurityContextHolder.clearContext();
if (session != null) {
    session.invalidate();
}
Cookie[] cookies = request.getCookies();   // null when the request carried no cookies
if (cookies != null) {
    for (Cookie cookie : cookies) {
        cookie.setMaxAge(0);               // expire the cookie on the client ...
        cookie.setPath(request.getContextPath().isEmpty() ? "/" : request.getContextPath());
        response.addCookie(cookie);        // ... by sending the expiry back in the response
    }
}

Upvotes: 5
