user9658240
Reputation:
Spring Security Session Timeout - Java
My Spring security works well but after some afk time I start getting tons of exceptions when the user goes to the pages.
I noticed that session and principal is null that's why I get error 500.
How do I redirect the user that to the login again?
Or I can simply remove the session timeout (i dont really need it)
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(securedEnabled=true)
@ComponentScan("pt.impactzero.atp")
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
@Autowired
private MyUserDetailsService myUserDetailsService;
@Autowired
private AuthenticationSuccessHandler authenticationSuccessHandler;
@Autowired
private LogoutSuccessHandler logoutSuccessHandler;
@Override
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().antMatchers("/").hasAnyRole("Administrator" , "Member")
.and()
.formLogin()
.loginPage("/login").permitAll()
.defaultSuccessUrl("/dashboard",true)
.failureUrl("/login?error")
.successHandler(authenticationSuccessHandler)
.and()
.logout()
.logoutUrl("/logout").permitAll()
.logoutSuccessUrl("/login")
.logoutSuccessHandler(logoutSuccessHandler)
.and()
.csrf().disable();
}
@Override
public void configure(WebSecurity web) {
web.httpFirewall(allowUrlEncodedSlashHttpFirewall());
}
@Autowired
public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
auth.userDetailsService(myUserDetailsService).passwordEncoder(passwordEncoder());
}
@Bean
public PasswordEncoder passwordEncoder() {
BCryptPasswordEncoder passwordEncoder = new BCryptPasswordEncoder();
return passwordEncoder;
}
@Bean
public HttpFirewall allowUrlEncodedSlashHttpFirewall() {
DefaultHttpFirewall firewall = new DefaultHttpFirewall();
firewall.setAllowUrlEncodedSlash(true);
return firewall;
}
@Bean
public CommonsMultipartResolver filterMultipartResolver(){
return new CommonsMultipartResolver();
}
//Online users
@Bean
public ActiveUsers activeUsers(){
return new ActiveUsers();
}
}
Upvotes: 0
Views: 876
Answers (1)
William_Zheng
Reputation: 34
If you want disable session, you can:
@Override
protected void configure(HttpSecurity http) throws Exception {
// disable session
http.sessionManagement().disable()
.authorizeRequests().antMatchers("/").hasAnyRole("Administrator" , "Member")
.and()
.formLogin()
.loginPage("/login").permitAll()
.defaultSuccessUrl("/dashboard",true)
.failureUrl("/login?error")
.successHandler(authenticationSuccessHandler)
.and()
.logout()
.logoutUrl("/logout").permitAll()
.logoutSuccessUrl("/login")
.logoutSuccessHandler(logoutSuccessHandler)
.and()
.csrf().disable();
}
if you want redirect user to login page, you can try this:
@Override
protected void configure(HttpSecurity http) throws Exception {
// redirect user to login page
http.sessionManagement().invalidSessionUrl("http://your.login.page").and()
.authorizeRequests().antMatchers("/").hasAnyRole("Administrator" , "Member")
.and()
.formLogin()
.loginPage("/login").permitAll()
.defaultSuccessUrl("/dashboard",true)
.failureUrl("/login?error")
.successHandler(authenticationSuccessHandler)
.and()
.logout()
.logoutUrl("/logout").permitAll()
.logoutSuccessUrl("/login")
.logoutSuccessHandler(logoutSuccessHandler)
.and()
.csrf().disable();
}
Upvotes: 1
Related Questions
- Spring Session & Spring Security - session timeout handling not working
- Login session timeout
- Spring security session time out
- Spring Security session timeout is too short
- How to turn off HTTP session timeout in Spring Security?
- Spring: Session timeout with java based configurations
- Spring Security Requirements and questions
- Spring 3.1: Handling session timeout
- Spring security session expiration
- spring security session timeout