Mar 8th, 2011, 09:56 AM
execute additional code on session timeout
is there a way of executing additional code when a page has been requested, but the session has timed out?
I have configured my application to redirect the user to the login page using the invalid-session-url attribute of the session-management tag. But i need to delete user specific pictures in this case, so it would be nice if there exists a way similar to this one (which does not work, because it seems that the user is logged out already when session expired):
Mapping the invalid-session-url to a controller, there I could handle this case and add some necessary code. I would logout the user and invalidate the session manually.
Mar 8th, 2011, 11:41 AM
Session-timeout is controlled by the servlet container. Use an HttpSessionListener if you want to do something when the session is destroyed.
Mar 8th, 2011, 12:00 PM
OK this works, but I need the Authentication object of the current SecurityContext, which seems to be null already, when the sessionDestroyed method is called. I hope there is a way for this?
Mar 8th, 2011, 12:05 PM
The sessionDestroyed method is not called in response to a user request, so there won't be any thread-local security context available. You will need to read the information directly from the session attribute.
Either that or cache whatever information your application needs separately in the session under your own attribute name.
Mar 8th, 2011, 01:05 PM
thank you, I can get the SecurityContext out of the session via calling getAttribute("SPRING_SECURITY_CONTEXT"). Then I can access my custom userdetails object, too.
Thank you for your help