When I try to add spring-session to an existing Spring MVC project with spring-security, I get the following behavior (EDIT: with tomcat timeout set to 1 minute for testing):
- With the springSessionRepositoryFilter filter in the documented web.xml, I correctly land on the login screen after a minute of inactivity
- With the springSessionRepositoryFilter filter in the active web.xml, I can continue to use the application at least 5 minutes after the last action.
In addition, it seems that everything works as expected - the session is saved in Redis and through restarting the webapp, and manually displays the manual cancellation of the session.
Some fragments of my configuration: the invalid-session handler configuration for spring-security, which will force expired sessions to be redirected to the login page:
...
<beans:bean id="sessionManagementFilter" class="org.springframework.security.web.session.SessionManagementFilter">
    <beans:constructor-arg name="securityContextRepository">
        <beans:bean class="org.springframework.security.web.context.HttpSessionSecurityContextRepository"/>
    </beans:constructor-arg>
    <beans:property name="invalidSessionStrategy">
        <beans:bean class="my.CustomInvalidSessionStrategy"/>
    </beans:property>
</beans:bean>
...
<http>
    ...
    <custom-filter position="SESSION_MANAGEMENT_FILTER" ref="sessionManagementFilter"/>
    ...
    <logout delete-cookies="true" invalidate-session="true" logout-url="/signout.html" success-handler-ref="logoutSuccessHandler"/>
</http>
The web.xml filter chain looks like this:
<filter>
    <filter-name>springSessionRepositoryFilter</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSessionRepositoryFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<filter>
    <filter-name>springSecurityFilterChain</filter-name>
    <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
</filter>
<filter-mapping>
    <filter-name>springSecurityFilterChain</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
And (one of) the downloaded Spring context files contains:
<bean class="org.springframework.session.data.redis.config.annotation.web.http.RedisHttpSessionConfiguration"/>
<bean class="org.springframework.security.web.session.HttpSessionEventPublisher"/>
<bean class="org.springframework.data.redis.connection.jedis.JedisConnectionFactory"/>
Hope I just missed something really obvious!
Edit: The versions I used for this attempt were spring-security-4.0.4.RELEASE and spring-session-1.1.1.RELEASE
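An added example, not part of the original post: when springSessionRepositoryFilter wraps the request, the HttpSession is backed by the Spring Session repository, which applies its own inactivity timeout rather than the container's. RedisHttpSessionConfiguration exposes that timeout as maxInactiveIntervalInSeconds (default 1800). The value 60 below is chosen to match the 1-minute test timeout from the question, and the fragment assumes the same context file as the bean definitions shown above.

```xml
<!-- Default behaviour: no timeout set here, so sessions stored in Redis
     stay valid for 1800 seconds of inactivity -->
<!--
<bean class="org.springframework.session.data.redis.config.annotation.web.http.RedisHttpSessionConfiguration"/>
-->

<!-- Explicit timeout: sessions expire after 60 seconds of inactivity,
     so the next request reaches spring-security with an invalid session id
     and the configured invalidSessionStrategy can redirect to the login page -->
<bean class="org.springframework.session.data.redis.config.annotation.web.http.RedisHttpSessionConfiguration">
    <property name="maxInactiveIntervalInSeconds" value="60"/>
</bean>

<bean class="org.springframework.security.web.session.HttpSessionEventPublisher"/>
<bean class="org.springframework.data.redis.connection.jedis.JedisConnectionFactory"/>
```

The TTL on the `spring:session:sessions:*` keys in Redis shows the effective value; Spring Session keeps each key a few minutes past the inactivity interval so that expiration events can still read the session.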