I'm writing a web application with Spring boot, Spring web flow and thymeleaf. When the user session expires the csrf token in the registration form expires.
How can I handle the session expiration showing a template file in Spring web flow?
Session should be handled by Spring Security. You can redirect the current user to another page by adding configuration like this:
http.sessionManagement()
.expiredUrl("/sessionExpired.html")
.invalidSessionUrl("/invalidSession.html");
In Thymeleaf, you can use session variable and add th:if attribute to check if session exist or something similar:
${session.isEmpty()}
Check this answer https://stackoverflow.com/a/22120387/2230060
Related
In my app I'm using Spring Session (with redis). Now I need to add CSRF prevention.
I have to handle the frontend app + clients over REST.
If my understanding is correct, without the use of spring security etc. on login I need to create a token, store it in redis with session id association and return it to the client (as header for example).
And then on every request I need to check the token passed as the header if it's correct to prevent CSRF?
I am very new to Spring boot security JWT tokens please give me suggestions on my requirement.
I want to use JWT tokens for Spring boot web application. Means I have rest controllers to supply data to frontend the frontend will request data from Rest Controller. Here the token exchange comes my requirement is User login once in the application and he got token no problem, here the token expiry time is 30 minutes. Here is the problem the user contentiously working on the application after 30 minutes the page expired and asking for new token but in normal web applications if user continuously working the session time automatically refreshed. I know token based authentication is stateless but please help me how to achieve this with auto refresh token like session.
I developed a web application using spring and hibernate. By using Spring Security , i am restricting one session per user. When user try to attempt multiple login then old session will be invalidated and new one will be active.I have registered HttpSessionListener in my web.xml file.In sessionDistroyed method i am writing some functionality that will be executed when Http Session getting invalidating.
Now problem is when a single user try to do multiple login ,spring security expiring the old session but not invalidating the old session.So in that case sessionDistroyed method not being executed.But i want sessionDistroyed method to be called when spring security expiring the old session.
Can anyone please help to resolve this problem.
I am using Spring Boot with Spring Session for storing session data. Users log in to the application with Spring Social. As a result, the saved security context has a SocialAuthenticationToken. This means that other web apps sharing the session data need to use Spring Social and also have access to the social tokens.
What I'd like to do is save the sessionAttr:SPRING_SECURITY_CONTEXT with a token that is available through Spring Security only. Furthermore, I'd like to add a second Redis key for the social information.
Where are the extension points for adding this kind of customization to Spring Session? I would like it to be as unobtrusive as possible.
I want to integrate spring security in REST web services but when the url is hit default login page displayed by the Spring Security. How I can authenticate REST web service without any displaying any login page or any JSP page.
You can configure Spring security in your application, using preAuthorization in #EnableGlobalSecurityMEthod ~, I think is this annotation. In your restservice, using #PreAuthorization("<role>"), I think is this annotation. This works very good.
If you have basic authentication, then you can simply post username/password encoded in Authorization http header from client.
Or you can have PreAuthenticatedAuthenticationProvider configured with a pre-authentication RequestHeaderAuthenticationFilter