
How to auto-logout when the session expires in Java Spring Boot / Spring Security (HttpSecurity)

By auto-logout I mean that the browser will be redirected to the logout URL by itself when the session expires, without the user having to click any link that would redirect him to the logout URL anyway.

This is my SecurityConfig:

import org.springframework.beans.factory.annotation.Autowired; import org.springframework.boot.autoconfigure.security.SecurityProperties; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.core.annotation.Order; import org.springframework.security.access.vote.RoleVoter; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.builders.WebSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.http.SessionCreationPolicy;

/**  * Created by plato on 5/5/2016.  */ 

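/**
 * Spring Security configuration: form login authenticated by
 * {@link DatabaseAuthenticationProvider}, a single concurrent session per user,
 * and redirect targets for expired and invalid sessions.
 *
 * <p>Note that neither {@code expiredUrl} nor {@code invalidSessionUrl} can log a
 * browser out on its own: both act only when the browser sends a request after the
 * session has gone, so an idle page is not redirected by the server.
 */
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    /** Authenticates form-login credentials against the database; injected by Spring. */
    @Autowired
    DatabaseAuthenticationProvider authenticationProvider;

    /**
     * Excludes static assets from the security filter chain entirely, so they are
     * served without any authentication or authorization check.
     *
     * @param web the builder supplied by Spring Security
     * @throws Exception propagated from the builder API
     */
    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/js/**", "/css/**", "/img/**", "/templates/**", "/thymeleaf/**");
    }

    /**
     * Builds the HTTP security rules: form login, logout, URL authorization, CSRF and
     * session management. Each concern is set up by its own helper; repeated calls to
     * {@code http.formLogin()}, {@code http.logout()} etc. return the same configurer,
     * so this is equivalent to one long fluent chain.
     *
     * @param http the builder supplied by Spring Security
     * @throws Exception propagated from the builder API
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        configureLogin(http);
        configureLogout(http);
        configureAuthorization(http);
        configureCsrf(http);
        configureSessions(http);
    }

    /** Custom login page; a failed attempt returns to it with a flag, success lands on a fixed page. */
    private static void configureLogin(HttpSecurity http) throws Exception {
        http.formLogin()
                .loginPage("/login")
                .failureUrl("/login?failed=true")
                .defaultSuccessUrl("/login-success");
    }

    /** Logout returns to the site root. */
    private static void configureLogout(HttpSecurity http) throws Exception {
        // With CSRF disabled (see configureCsrf) Spring Security accepts the default
        // /logout endpoint over any HTTP method, not only POST.
        http.logout()
                .logoutSuccessUrl("/");
    }

    /** URL authorization rules, evaluated in declaration order; the first match wins. */
    private static void configureAuthorization(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // "/admin**" only matches a single path segment that starts with "admin"
                // (e.g. /admin, /adminPanel); a nested path such as /admin/users is not
                // covered by it — confirm where the admin pages live, and use "/admin/**"
                // if they are nested.
                .antMatchers("/admin**", "/api/admin/**").hasAuthority("ADMIN")
                .antMatchers("/**")
                .permitAll()
                // Unreachable: "/**" above already matches every request, so this rule
                // never requires authentication for anything.
                .anyRequest().authenticated();
    }

    /** CSRF protection is switched off for the whole application. */
    private static void configureCsrf(HttpSecurity http) throws Exception {
        // NOTE(review): disabling CSRF leaves the login/logout forms and every
        // state-changing endpoint open to cross-site request forgery. If the forms are
        // rendered with Thymeleaf's th:action the token is added automatically, so
        // re-enabling it is usually cheap.
        http.csrf().disable();
    }

    /** Session concurrency limit and the redirect targets for expired and invalid sessions. */
    private static void configureSessions(HttpSecurity http) throws Exception {
        http.sessionManagement()
                // At most one concurrent session per user; the older session is expired
                // and its next request is redirected to expiredUrl.
                .maximumSessions(1)
                .expiredUrl("/login?expired-session")
                .and()
                // A request carrying a session id that is no longer valid (e.g. after the
                // container timed the session out) is redirected here.
                .invalidSessionUrl("/?invalid-session");
    }

    /**
     * Registers the database-backed provider as the authentication source and clears
     * credentials from the Authentication object after a successful login.
     *
     * @param auth the shared authentication manager builder
     * @throws Exception propagated from the builder API
     */
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(authenticationProvider).eraseCredentials(true);
    }
}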


Answers (1)


The client would have to poll. The server cannot "push" the redirect.

The client can poll every X units of time, where X is just a bit longer than the session timeout. If the poll were more frequent than that, it would refresh the session and so it would never time out. The client can reset the timer with every user interaction.

