Hi,
I have an MVC application with Spring Security and ExtJS. If the user is not logged in, Spring Security automatically redirects to the login form, but if the user accesses the application after the session expires, the redirect is not correct. I see the redirect in the log and the browser debugger, but it is not complete.
Grateful,
Paulo Cordeiro
Code:
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.5" xmlns="http://java.sun.com/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd">

    <!-- The definition of the Root Spring Container shared by all Servlets and Filters -->
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
            classpath:applicationContext.xml
            /WEB-INF/application-security.xml
        </param-value>
    </context-param>

    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <!-- Creates the Spring Container shared by all Servlets and Filters -->
    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>
    <listener>
        <listener-class>org.springframework.security.web.session.HttpSessionEventPublisher</listener-class>
    </listener>

    <!-- Processes application requests -->
    <servlet>
        <servlet-name>appServlet</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>appServlet</servlet-name>
        <url-pattern>/</url-pattern>
    </servlet-mapping>

    <session-config>
        <!-- Default to 1 minute session timeouts for testings -->
        <session-timeout>1</session-timeout>
    </session-config>
</web-app>
Code:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:sec="http://www.springframework.org/schema/security"
    xmlns:util="http://www.springframework.org/schema/util"
    xsi:schemaLocation="http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd
        http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
        http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util-3.1.xsd">

    <sec:debug />

    <sec:global-method-security pre-post-annotations="enabled" />

    <sec:http auto-config="false" use-expressions="true" entry-point-ref="authenticationEntryPoint" >
        <sec:intercept-url pattern="/login*" access="permitAll" />
        <sec:intercept-url pattern="/login*" access="permitAll" />
        <sec:intercept-url pattern="/resources/**" access="permitAll" />
        <sec:intercept-url pattern="/app/**" access="permitAll" />
        <sec:intercept-url pattern="/" access="isAuthenticated()" />

        <sec:custom-filter position="FORM_LOGIN_FILTER" ref="authenticationProcessingFilter" />
        <sec:custom-filter before="FILTER_SECURITY_INTERCEPTOR" ref="filterSecurityInterceptor" />
        <sec:custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter" />

        <sec:logout logout-url="/logout" delete-cookies="JSESSIONID" invalidate-session="true" logout-success-url="/login_1"/>
        <sec:access-denied-handler error-page="/accessDenied" />
        <sec:session-management session-authentication-strategy-ref="sas" />
    </sec:http>

    <bean id="concurrencyFilter" class="org.springframework.security.web.session.ConcurrentSessionFilter">
        <constructor-arg name="sessionRegistry" ref="sessionRegistry" />
        <constructor-arg name="expiredUrl" value="/session-expired.htm" />
    </bean>

    <bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" />

    <bean id="sas" class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
        <constructor-arg name="sessionRegistry" ref="sessionRegistry" />
        <property name="maximumSessions" value="1" />
    </bean>

    <bean id="authenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
        <constructor-arg value="/login" />
    </bean>

    <bean id="authenticationProcessingFilter" class="com.mycompany.project.security.DpUsernamePasswordAuthenticationFilter">
        <property name="authenticationManager" ref="authenticationManager" />
        <property name="authenticationSuccessHandler">
            <bean class="com.mycompany.project.security.DpAuthenticationSuccessHandler">
                <property name="defaultTargetUrl" value="/home" />
            </bean>
        </property>
    </bean>

    <bean id="filterSecurityInterceptor" class="com.mycompany.project.security.FilterSecurityInterceptor">
        <property name="authenticationManager" ref="authenticationManager" />
        <property name="accessDecisionManager" ref="affirmativeBased" />
        <property name="securityMetadataSource" ref="securityMetadataSource" />
    </bean>

    <bean id="securityMetadataSource" class="com.mycompany.project.security.DpFilterInvocationSecurityMetadataSource">
        <property name="urlProperties">
            <util:properties location="/WEB-INF/urls.properties" />
        </property>
    </bean>

    <bean id="affirmativeBased" class="org.springframework.security.access.vote.AffirmativeBased">
        <constructor-arg>
            <list>
                <bean class="org.springframework.security.access.vote.RoleVoter" />
                <bean class="org.springframework.security.access.vote.AuthenticatedVoter" />
            </list>
        </constructor-arg>
    </bean>

    <sec:authentication-manager alias="authenticationManager">
        <sec:authentication-provider user-service-ref="jdbcUserService">
            <sec:password-encoder hash="sha-256" />
        </sec:authentication-provider>
    </sec:authentication-manager>

    <bean id="jdbcUserService" class="com.mycompany.project.dao.security.DpUserDao">
        <property name="dataSource" ref="dataSource" />
        <property name="enableGroups" value="true" />
        <property name="enableAuthorities" value="false" />
    </bean>
</beans>


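Assuming the request made after the session expires is an ExtJS Ajax call (the post does not say), the XMLHttpRequest follows the 302 to `/login` itself and the page never navigates, which matches a redirect that is visible in the debugger but never completes. The entry point below is an added example, not code from the original post: it answers such requests with 401 and keeps the normal redirect for full-page requests. The class name, the package and the reliance on the `X-Requested-With` header are assumptions.

```java
package com.example.security; // hypothetical package, not from the post

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;

/**
 * Added example (hypothetical class name): replies 401 to Ajax requests and
 * keeps the redirect to the login form for ordinary page requests.
 */
public class AjaxAwareAuthenticationEntryPoint extends LoginUrlAuthenticationEntryPoint {

    public AjaxAwareAuthenticationEntryPoint(String loginFormUrl) {
        super(loginFormUrl);
    }

    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response,
            AuthenticationException authException) throws IOException, ServletException {
        if (isAjax(request)) {
            // An XMLHttpRequest follows a 302 on its own and hands the login page
            // HTML to the Ajax callback; a 401 lets the client code navigate to
            // the login form explicitly.
            response.setHeader("Cache-Control", "no-store");
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Session expired");
            return;
        }
        // Full-page request: unchanged behaviour, redirect to the login form.
        super.commence(request, response, authException);
    }

    // Assumption: the client marks Ajax calls with X-Requested-With: XMLHttpRequest.
    private static boolean isAjax(HttpServletRequest request) {
        return "XMLHttpRequest".equalsIgnoreCase(request.getHeader("X-Requested-With"));
    }
}
```

To try it, point the `class` attribute of the existing `authenticationEntryPoint` bean at this class; the `/login` constructor argument stays the same. The client then needs a global Ajax failure handler that sends the browser to the login page when it sees a 401.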
