Thread: Why ROLE_ANONYMOUS' session is getting invalid even when visiting an unprotected page

  1. #1
    Join Date
    Dec 2011
    Posts
    2

    Why ROLE_ANONYMOUS' session is getting invalid even when visiting an unprotected page

    Hi,

    I am learning Spring (3.1 specifically). I am writing a sample web project where I don't password protect any internal page just yet; I allow users to connect as ANONYMOUS to anywhere. Eventually I will protect the pages with my custom login mechanism. I attach an excerpt from my security file below:

    Code:
    <http use-expressions="true" disable-url-rewriting="true">
      <intercept-url pattern="/**" access="hasRole('ROLE_ANONYMOUS')"/>
      <form-login login-page="/signin" authentication-failure-handler-ref="customAuthenticationFailureHandler" authentication-success-handler-ref="customAuthenticationSuccessHandler" />
      <logout invalidate-session="true" success-handler-ref="customLogoutHandler" delete-cookies="JSESSIONID" />
      <remember-me data-source-ref="dataSource"/>
      <session-management invalid-session-url="/sessiontimeout.jsp">
        <concurrency-control max-sessions="1"/>
      </session-management>
      <anonymous/>
      <port-mappings>
        <port-mapping http="80" https="8443"/>
      </port-mappings>
    </http>
    I set a very short session timeout period for testing purposes. What troubles me is that even when the user is ANONYMOUS and tries to access an unprotected page, once his session has timed out, Spring redirects his request to invalid-session-url.

    Is there a way to change this behaviour? What is the best practice to let Spring redirect invalid sessions to the specified URL only when the user has actually logged in and tries to access a protected page?

    Thanks in advance.

  2. #2
    Join Date
    Jan 2012
    Posts
    3


    hi... any developments on this behavior?

  3. #3
    Join Date
    Dec 2011
    Posts
    2


    No. Since I didn't find any solution, I've just removed the "invalid-session-url".

  4. #4
    Join Date
    Jan 2012
    Posts
    3


    thanks..

  5. #5
    Join Date
    Jan 2008
    Posts
    1,834


    If the session times out then Spring Security will not know if the user was anonymous or if they were authenticated. This is because authentication was stored in the now expired session. This means any information related to a login is gone. The only thing Spring Security will be able to see is that the user's session is no longer valid.

    If you wanted, you could probably on authentication success set a cookie to indicate the user was authenticated. When the user logs out that cookie would get removed. Then, if the session expired, you could create a custom implementation of InvalidSessionStrategy that plugs into SessionManagementFilter that would check to see if the user is logged in or not before sending them to the session expiration url.
    Rob Winch
    Twitter @rob_winch
    Spring Security Lead
    Spring by Pivotal
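An added sketch of the approach described in the answer above (my own illustration, not Spring Security's code and not the original poster's). The cookie name LOGGED_IN, the class names and the path "/" are assumptions; it targets the Spring Security 3.1 InvalidSessionStrategy interface, where the filter does not continue the chain after the strategy runs, so the anonymous case opens a new session and replays the request instead.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.security.web.session.InvalidSessionStrategy;

/** Marker cookie that exists only while a real (non-anonymous) login exists. Name is an assumption. */
class LoggedInMarker {
    static final String COOKIE = "LOGGED_IN";
    static boolean isPresent(HttpServletRequest request) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) return false;
        for (Cookie c : cookies) if (COOKIE.equals(c.getName())) return true;
        return false;
    }
    static Cookie build(String value, int maxAge) {
        Cookie marker = new Cookie(COOKIE, value);
        marker.setPath("/");       // same path on set and on delete, or the delete misses
        marker.setMaxAge(maxAge);  // -1: browser-session cookie, 0: delete it
        marker.setHttpOnly(true);  // Servlet 3.0+; no script ever needs the marker
        return marker;
    }
}

/** Sets the marker after a successful form login; wire it as authentication-success-handler-ref. */
class MarkerSettingSuccessHandler extends SavedRequestAwareAuthenticationSuccessHandler {
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
            Authentication authentication) throws IOException, ServletException {
        response.addCookie(LoggedInMarker.build("1", -1));
        super.onAuthenticationSuccess(request, response, authentication);
    }
}

/** Sends a timed-out logged-in user to the timeout page; an anonymous visitor gets a fresh session and a replay. */
class LoginAwareInvalidSessionStrategy implements InvalidSessionStrategy {
    private final String timeoutUrl;
    LoginAwareInvalidSessionStrategy(String timeoutUrl) { this.timeoutUrl = timeoutUrl; }
    public void onInvalidSessionDetected(HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException {
        request.getSession(); // SessionManagementFilter stops the chain after us, so open the new session here
        if (LoggedInMarker.isPresent(request)) {
            response.addCookie(LoggedInMarker.build("", 0)); // clear it, so the next timeout is not reported again
            response.sendRedirect(request.getContextPath() + timeoutUrl);
        } else {
            String target = request.getRequestURI();
            if (request.getQueryString() != null) target += "?" + request.getQueryString();
            response.sendRedirect(target);
        }
    }
}
```

For logout, extend the existing element to delete-cookies="JSESSIONID,LOGGED_IN"; the strategy itself goes into SessionManagementFilter via setInvalidSessionStrategy, which with the 3.1 namespace means declaring that filter as a bean and registering it with a custom-filter element at the SESSION_MANAGEMENT_FILTER position in place of invalid-session-url.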
