Spring Basic Security Configuration

Question

Spring Basic Security Configuration

I would like to configure spring MVC application using spring security as follows.

Only one simultaneous entry is allowed.
After an HTTP session, the user will be redirected to /security/sessionTimeout.html
When the user logs in, he will be redirected to the "/" folder.
When users log out, it will also be redirected to "/".

I configured it as follows:

<security:http> <security:form-login login-page="/security/login.html" login-processing-url="/login" authentication-failure-url="/login.jsp?login_error=1" default-target-url="/"/> <security:session-management invalid-session-url="/security/sessionTimeout.html"> <security:concurrency-control max-sessions="1" /> </security:session-management> <security:logout logout-url="/logout" logout-success-url="/"/> </security:http>

and I have the following problems:

I can log in to the same account on two different browsers (concurrency does not work)
When I am logged out, I am redirected to "/security/sessionTimeout.html" instead of "/".

I followed the spring security reference. What am I doing wrong?

Updated: This is what my web.xml looks like.

  <filter> <filter-name>springSecurityFilterChain</filter-name> <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class> </filter> <filter-mapping> <filter-name>springSecurityFilterChain</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> <listener> <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class> </listener> <listener> <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class> </listener> <context-param> <param-name>contextConfigLocation</param-name> <param-value>WEB-INF/springSecurity-servlet.xml</param-value> </context-param> <display-name>SpringSecurity</display-name> <servlet> <servlet-name>springSecurity</servlet-name> <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class> <load-on-startup>1</load-on-startup> </servlet> <servlet-mapping> <servlet-name>springSecurity</servlet-name> <url-pattern>*.html</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>springSecurity</servlet-name> <url-pattern>*.do</url-pattern> </servlet-mapping> <servlet-mapping> <servlet-name>springSecurity</servlet-name> <url-pattern>/index.html</url-pattern> </servlet-mapping> <welcome-file-list> <welcome-file>index.html</welcome-file> </welcome-file-list>

Update 2 : just run log4j in debug mode, and this is what I got when I clicked on exit:

 DEBUG [http-8080-2] (FilterChainProxy.java:375) - /index.html at position 1 of 11 in additional filter chain; firing Filter: 'ConcurrentSessionFilter' DEBUG [http-8080-2] (FilterChainProxy.java:375) - /index.html at position 2 of 11 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter' DEBUG [http-8080-2] (HttpSessionSecurityContextRepository.java:130) - No HttpSession currently exists DEBUG [http-8080-2] (HttpSessionSecurityContextRepository.java:88) - No SecurityContext was available from the HttpSession: null. A new one will be created. DEBUG [http-8080-2] (FilterChainProxy.java:375) - /index.html at position 3 of 11 in additional filter chain; firing Filter: 'LogoutFilter' DEBUG [http-8080-2] (FilterChainProxy.java:375) - /index.html at position 4 of 11 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter' DEBUG [http-8080-2] (FilterChainProxy.java:375) - /index.html at position 5 of 11 in additional filter chain; firing Filter: 'BasicAuthenticationFilter' DEBUG [http-8080-2] (FilterChainProxy.java:375) - /index.html at position 6 of 11 in additional filter chain; firing Filter: 'RequestCacheAwareFilter' DEBUG [http-8080-2] (FilterChainProxy.java:375) - /index.html at position 7 of 11 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter' DEBUG [http-8080-2] (FilterChainProxy.java:375) - /index.html at position 8 of 11 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter' DEBUG [http-8080-2] (AnonymousAuthenticationFilter.java:67) - Populated SecurityContextHolder with anonymous token: 'org.sprin gframework.security.authentication.AnonymousAuthenticationToken@ 9055c2bc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.sprin gframework.security.web.authentication.WebAuthenticationDetails@ b364: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS' DEBUG [http-8080-2] (FilterChainProxy.java:375) - /index.html at position 9 of 11 in additional filter chain; firing Filter: 'SessionManagementFilter' DEBUG [http-8080-2] (SessionManagementFilter.java:87) - Requested session IDD8429BBAAA9561A97E1D2350ED63BC35 is invalid. DEBUG [http-8080-2] (SessionManagementFilter.java:90) - Starting new session (if required) and redirecting to '/security/sessionTimeout.html'

it looks like I have a session control filter applied on /index.html and then the session does not exist. how can i solve it?

+7

spring spring-mvc spring-security configuration

danny.lesnik Jul 18 '11 at 20:05

source share

1 answer

matt b · Accepted Answer · 2011-07-18T20:15:59+0000

From Spring Security Documentation :

To use concurrent session support, you need to add the following to web.xml:

 <listener> <listener-class> org.springframework.security.web.session.HttpSessionEventPublisher </listener-class> </listener>

Have you added this?

Spring Basic Security Configuration

More articles: