Nikita Vakhutin

Reputation: 53

Spring security re-authentication on some pages

Are there any ways to force re-authentication with Spring Security when a user performs some very sensitive operations on particular pages?

Upvotes: 3

Views: 919

Answers (2)

Ihor Rybak

Reputation: 3279

If you are using session-based authentication, you may use something like this for this purpose:

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
            .rememberMe()
            .and()
            .authorizeRequests()
                .anyRequest().permitAll()
            .and()
            .formLogin()
                .loginPage("/logout")
                .loginProcessingUrl("/j_spring_security_check")
                .defaultSuccessUrl("/my-profile")
                .usernameParameter("username")
                .passwordParameter("password")
                .failureUrl("/login?error")
            .and()
            .logout()
                .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
                .logoutSuccessUrl("/login?logout").deleteCookies("JSESSIONID")
                .invalidateHttpSession(true);

}

Spring Security automatically redirects to the login page if the user performs a request that is not permitted. That's why .loginPage("/logout") redirects to logout, and then .logoutSuccessUrl("/login?logout") redirects to the login page after logout.

Upvotes: 0

Slava Vedenin

Reputation: 60114

Use

SecurityContextHolder.clearContext();

Or

SecurityContextHolder.getContext().setAuthentication(null);

and

HttpSession session = request.getSession(false);
if (session != null) {
  session.invalidate();
}

Upvotes: 2
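
Added example, not part of either answer: a filter that applies the context-clearing and session-invalidation calls shown above only on sensitive pages, and only when the current login is not a recent password login, so the user is not sent back to the login form in a loop. The `/account/sensitive/**` pattern, the 5-minute window, the `/login` redirect target and the use of session age as a proxy for login age are assumptions of this example; it targets the same `javax.servlet` generation of Spring Security as the configuration above.

```java
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.authentication.RememberMeAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.web.filter.OncePerRequestFilter;

public class ReauthenticationFilter extends OncePerRequestFilter {
    // Hypothetical values chosen for this example, not taken from the question.
    private static final AntPathRequestMatcher SENSITIVE = new AntPathRequestMatcher("/account/sensitive/**");
    private static final long MAX_LOGIN_AGE_MS = 5 * 60 * 1000L;

    @Override
    protected boolean shouldNotFilter(HttpServletRequest request) {
        return !SENSITIVE.matches(request);
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
                                    FilterChain chain) throws ServletException, IOException {
        if (isRecentPasswordLogin(request.getSession(false))) {
            chain.doFilter(request, response);
            return;
        }
        // Stale, remember-me or missing login: drop it and ask for credentials again.
        SecurityContextHolder.clearContext();
        HttpSession session = request.getSession(false);
        if (session != null) {
            session.invalidate();
        }
        response.sendRedirect(request.getContextPath() + "/login");
    }

    private boolean isRecentPasswordLogin(HttpSession session) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (session == null || auth == null || !auth.isAuthenticated()
                || auth instanceof AnonymousAuthenticationToken
                || auth instanceof RememberMeAuthenticationToken) {
            return false;
        }
        // A session is never newer than the login stored in it, so session age bounds login age.
        return System.currentTimeMillis() - session.getCreationTime() < MAX_LOGIN_AGE_MS;
    }
}
```

Register it inside the Spring Security chain, for example with `http.addFilterAfter(new ReauthenticationFilter(), AnonymousAuthenticationFilter.class)`, so the security context is already populated when it runs. Rejecting `RememberMeAuthenticationToken` matters when `rememberMe()` is enabled, because the remember-me cookie would otherwise log the user back in without a password.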
