Hello,
My web application is using Spring Security and everything seems fine except for one thing. Once I authenticate a user in one browser they are always authenticated. If I close all instances of a certain browser (for example Chrome) and open a new instance, I'm not prompted for authentication and proceed directly to the secured resource. If I bounce my local dev server then I'm prompted as expected. I need a sticky session but not that sticky. Any ideas why Spring doesn't prompt me again after closing all browser instances? I'm using spring-security*3.1.0.M1 and spring-core-3.0.5.RELEASE. Thanks for the assistance!
Security context file (removed the XML and schema definitions):
Code:
<global-method-security secured-annotations="enabled">
</global-method-security>

<http security="none" pattern="/services/rest-api/1.0/**" />
<http security="none" pattern="/preregistered/**" />

<http access-denied-page="/auth/denied.html">
    <intercept-url pattern="/**/*.xhtml" access="ROLE_NONE_GETS_ACCESS" />
    <intercept-url pattern="/auth/**" access="ROLE_ANONYMOUS,ROLE_USER" />
    <intercept-url pattern="/auth/*" access="ROLE_ANONYMOUS" />
    <intercept-url pattern="/**" access="ROLE_USER" />
    <form-login login-processing-url="/j_spring_security_check.html"
                login-page="/auth/login.html"
                default-target-url="/registered/home.html"
                authentication-failure-url="/auth/login.html?_dc=45" />
    <logout logout-url="/auth/logout.html" logout-success-url="/" />
    <anonymous username="guest" granted-authority="ROLE_ANONYMOUS"/>
    <remember-me user-service-ref="userManager" key="valid key here"/>
</http>

<!-- Configure the authentication provider -->
<authentication-manager>
    <authentication-provider user-service-ref="userManager">
        <password-encoder ref="passwordEncoder" />
    </authentication-provider>
</authentication-manager>


