Spring Security: Session handling on application start-up - spring

I'm using the following for handling sessions in my web application:
<security:session-management invalid-session-url="/session-expired" session-authentication-strategy-ref="sas"/>
<bean id="sas"
class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
<constructor-arg name="sessionRegistry"
ref="sessionRegistry" />
<property name="maximumSessions" value="1" />
</bean>
Whenever I start my application (usually on Tomcat 7) and I try accessing my log-in page, it goes to the /session-expired url. Why is this happening? Shouldn't all the sessions be invalidated once the application has stopped? Or is this more of a browser session issue?

You could still have a JSESSIONID cookie in your browser from a previous session which is no longer valid once you shut down Tomcat, hence you get redirected to the invalid-session page. Try deleting your cookies before accessing the app for the first time after a server start, and check whether the behaviour is as you intended.
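The check behind that redirect is the one SessionManagementFilter makes: the browser presented a session id, but the container has no session for it. The filter below is an added, hypothetical example (not Spring's own code and not from the question) that reproduces the same check as a plain servlet filter; it also expires the stale JSESSIONID and leaves the login page alone, so a restart no longer bounces a user with an old cookie to the expired URL. The URLs, the filter name and the cookie path handling are assumptions; Cookie.setHttpOnly needs Servlet 3.0 (Tomcat 7).

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (not Spring Security's SessionManagementFilter) that detects a
 * requested session id the container no longer knows, e.g. a JSESSIONID left over
 * from before a Tomcat restart, discards the stale cookie and redirects.
 */
public class StaleSessionCookieFilter implements Filter {

    // Assumed URLs; adjust to the application's own paths.
    private static final String INVALID_SESSION_URL = "/session-expired";
    private static final String LOGIN_URL = "/login";

    @Override
    public void init(FilterConfig filterConfig) {
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // The login page must stay reachable even with a stale cookie, otherwise
        // every visit after a restart ends on the expired page.
        if (isStaleSessionRequest(request) && !isLoginPage(request)) {
            expireSessionCookie(request, response);
            response.sendRedirect(request.getContextPath() + INVALID_SESSION_URL);
            return;
        }
        chain.doFilter(request, response);
    }

    /** True when the client sent a session id that the container does not recognise. */
    static boolean isStaleSessionRequest(HttpServletRequest request) {
        return request.getRequestedSessionId() != null
                && !request.isRequestedSessionIdValid();
    }

    private static boolean isLoginPage(HttpServletRequest request) {
        String path = request.getRequestURI().substring(request.getContextPath().length());
        return path.equals(LOGIN_URL);
    }

    /** Overwrite JSESSIONID with max-age 0 so the browser drops the dead id. */
    private static void expireSessionCookie(HttpServletRequest request,
                                            HttpServletResponse response) {
        Cookie cookie = new Cookie("JSESSIONID", "");
        cookie.setMaxAge(0);
        cookie.setHttpOnly(true);
        cookie.setSecure(request.isSecure());
        // Tomcat scopes JSESSIONID to the context path ("/" for the root context);
        // the expiring cookie must use the same path or the browser keeps the old one.
        String contextPath = request.getContextPath();
        cookie.setPath(contextPath.isEmpty() ? "/" : contextPath);
        response.addCookie(cookie);
    }

    @Override
    public void destroy() {
    }
}
```

Register it in web.xml ahead of springSecurityFilterChain. A session id the server does not recognise should only ever be discarded, never re-created under the same value, which is why the cookie is cleared rather than reused.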

Related

Spring Security - Is SavedRequestAwareAuthenticationSuccessHandler broken?

TLDR: Spring is destroying the current HTTP session when redirecting to the login page; this destroys the ability to navigate to the DefaultSavedRequest after login. Why is this happening?
Details -
I am maintaining a legacy Spring application:
Spring Core version 3.1.0
Spring Security version 3.1.0
When trying to utilize SavedRequestAwareAuthenticationSuccessHandler in my login configuration, it is not working. Here is what seems to be happening:
HTTP GET to secured resource: http://localhost:8080/myapp/viewWorkOrder?workOrderNumber=315261
Spring correctly determines that I am not logged in and saves my request:
DEBUG o.s.s.w.s.HttpSessionRequestCache - DefaultSavedRequest added to Session: DefaultSavedRequest[http://localhost:8080/myapp/viewWorkOrder?workOrderNumber=315261]
Spring correctly redirects to my login page:
DEBUG o.s.security.web.FilterChainProxy - /login.jsp at position 1 of 9 in additional filter chain; firing Filter: 'ChannelProcessingFilter'
Spring destroys the current session which effectively destroys the ability to later use the DefaultSavedRequest:
DEBUG o.s.s.w.s.HttpSessionEventPublisher - Publishing event: org.springframework.security.web.session.HttpSessionDestroyedEvent[source=org.apache.catalina.session.StandardSessionFacade#b25f027]
Why or what is causing the current session to be destroyed?
Here are the pertinent configuration details:
<bean id="savedRequestAwareAuthenticationSuccessHandler"
class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
<property name="defaultTargetUrl" value="/postLogin" />
<property name="targetUrlParameter" value="targetUrl" />
<property name="alwaysUseDefaultTargetUrl" value="false" />
</bean>
<security:http auto-config="false">
    <!-- Override default login and logout pages -->
    <security:form-login login-page="/login.jsp"
        login-processing-url="/j_spring_security_check"
        authentication-failure-url="/login.jsp?login_error=1"
        authentication-success-handler-ref="savedRequestAwareAuthenticationSuccessHandler"
    />
    <security:session-management session-fixation-protection="none"/>
</security:http>
Note that the inclusion of session-management does not seem to affect the feature either way.
Well, this is embarrassing, but in the interest of being a good citizen on Stack Overflow I thought I would share what I found.
After setting a breakpoint in the Spring HttpSessionEventPublisher to see if the stack might give me a clue, it certainly did. Here is a screenshot:
You'll notice that login.jsp is on the stack. Being new to this particular application, I hadn't really even suspected the JSP but here is what I found:
Obviously, removing this scriptlet solved my issue. Now I just wonder why someone did it and what I broke in the process :)

How can I prevent a user from accessing the page using the link after logging out?

After logging out I want the user to never access the page, even if they know the correct URL and type it in. If they type in the URL of a page which they see when they log in, it should be redirected to the home page.
I used this code in the header.jsp file:
<core:if test="${userName == null}">
<script>
parent.location.href='logout.html'
</script>
</core:if>
But since the header is included in both the about-us page and the registration page, I had to create a different header for those two files without the above code.
Is there a better solution?
Explanation:
1. Log in and navigate to a page; copy the URL of the page.
2. Log out.
3. In the same browser window, paste the URL.
4. The site runs fine without asking for any login details.
I'm not very sure what you are asking, but here we go:
I assume you are protecting some private URLs by means of Spring Security, for example:
<security:http use-expressions="true">
<!-- ...more configuration stuff -->
<security:intercept-url pattern="/private/*" access="isFullyAuthenticated()" />
<!-- ...more configuration stuff -->
<security:logout invalidate-session="true" logout-url="/logout" logout-success-url="/yourUrlAfterLogout.html"/>
</security:http>
Then, when the user logs out, he can't access private URLs anymore.
(UPDATE: End of Spring Security part)
If you want to prevent the user from accessing these protected pages when he presses the back button in the browser or copies the private URL, you can configure WebContentInterceptor as follows:
<mvc:interceptors>
<bean id="webContentInterceptor"
class="org.springframework.web.servlet.mvc.WebContentInterceptor">
<property name="cacheSeconds" value="-1" />
<property name="useExpiresHeader" value="true" />
<property name="useCacheControlHeader" value="true" />
<property name="useCacheControlNoStore" value="true" />
</bean>
</mvc:interceptors>
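The interceptor above works by adding response headers; the filter below is an added, hypothetical example (not Spring's WebContentInterceptor and not from the answer) that sets the same kind of headers by hand for the protected prefix only, so that Back or a pasted URL after logout cannot be answered from the browser cache and has to reach the server, where the intercept-url rule now rejects it. The prefix, the filter name and the header combination are assumptions.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter that marks responses for protected pages as non-cacheable.
 * Static assets outside the prefix keep their normal caching.
 */
public class NoStoreFilter implements Filter {

    // Assumed: the same prefix that the security config protects.
    static final String PROTECTED_PREFIX = "/private/";

    @Override
    public void init(FilterConfig filterConfig) {
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        if (isProtected(pathWithinApplication(request))) {
            // Headers must be set before the body is written: once the response
            // is committed they are silently ignored.
            applyNoStoreHeaders(response);
        }
        chain.doFilter(request, response);
    }

    /** Request path with the context path stripped, e.g. "/private/orders". */
    static String pathWithinApplication(HttpServletRequest request) {
        return request.getRequestURI().substring(request.getContextPath().length());
    }

    static boolean isProtected(String path) {
        return path.startsWith(PROTECTED_PREFIX);
    }

    /** Together these cover HTTP/1.1 caches, HTTP/1.0 caches and intermediate proxies. */
    static void applyNoStoreHeaders(HttpServletResponse response) {
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0L);
    }

    @Override
    public void destroy() {
    }
}
```

Map it in web.xml with a url-pattern of /private/* in front of the DispatcherServlet. The headers only stop the browser from showing a cached copy; the server-side intercept-url rule remains the control that actually denies the request.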

CAS Authentication failing when user navigating from one web app to another web app

We have two web applications, both enabled with CAS authentication. We can navigate from one web application (Application A) to the other (Application B). Sometimes sessionManagementFilter redirects to the session-expired page when the user navigates from Application A to B: we get the session-invalid page for Application B. Here are our Spring configuration settings in the applicationContext-security.xml file.
Any idea what is causing the issue? A prompt response is appreciated.
<http entry-point-ref="casProcessingFilterEntryPoint" >
<custom-filter position="CAS_FILTER" ref="casProcessingFilter" />
<custom-filter ref="sessionManagementFilter" before="SESSION_MANAGEMENT_FILTER" />
<logout logout-url="/j_spring_security_logout.xhtml" logout-success-url="calltoolSecurity{CAS_URL}/logout" invalidate-session="true" />
</http>
<beans:bean id="sessionManagementFilter" class="org.springframework.security.web.session.SessionManagementFilter">
<beans:constructor-arg name="securityContextRepository" ref="httpSessionSecurityContextRepository" />
<!-- this permits redirection to session timeout page from javascript/ajax or http -->
<beans:property name="invalidSessionStrategy" ref="actInvalidSessionStrategy" />
</beans:bean>
<beans:bean id="actInvalidSessionStrategy" class="com.avivausa.api.web.JsfRedirectStrategy">
<beans:constructor-arg name="invalidSessionUrl" value="/pages/system/errorSessionExpired.xhtml" />
</beans:bean>
Please make sure that both applications use the same CAS server to log in.

How to invalidate users' sessions when they log out?

I spent a lot of time trying to solve this problem, yet still couldn't get it to work.
I am using Spring Security. The application will run on multiple servers. I use the option "remember me" on login to save persistent logins in my database.
If a user is connected to server 1, he has a session ID in his browser cookies. I turn on another server and this user authenticates, and the browser cookies now hold this session ID and the session ID of the server 1 connection.
When this user logs out on one server or the other, he should be redirected to the login page on all servers.
I tried to remove the cookies from the browser without success. How can I make this work? Any help?
Example scenario: in Gmail, if you have 2 tabs open in your account and you log out from one of them, the other tab automatically logs out too. Server 1 doesn't know the information of server 2. I think my problem is here, but I don't know how to solve it.
This is my security config:
<http auto-config="false" use-expressions="true" disable-url-rewriting="true">
<intercept-url pattern="/login.do" access="permitAll" />
<intercept-url pattern="/**" access="hasRole('ROLE_USER')" />
<remember-me data-source-ref="dataSource" />
<form-login login-page="/login.do" />
<custom-filter position="CONCURRENT_SESSION_FILTER" ref="concurrencyFilter" />
<custom-filter position="LOGOUT_FILTER" ref="logoutFilter" />
<session-management session-authentication-strategy-ref="sas" />
</http>
<!-- <logout logout-url="/j_spring_security_logout" logout-success-url="/" invalidate-session="true" /> -->
<beans:bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
<beans:constructor-arg value="/login.do" />
<beans:constructor-arg>
<beans:list>
<beans:ref bean="rememberMeServices"/>
<beans:ref bean="logoutHandler"/>
</beans:list>
</beans:constructor-arg>
<!-- <beans:property name="filterProcessesUrl" value="/login.do" /> -->
</beans:bean>
<beans:bean id="sessionRegistry" class="org.springframework.security.core.session.SessionRegistryImpl" />
<beans:bean id="concurrencyFilter" class="org.springframework.security.web.session.ConcurrentSessionFilter">
<beans:property name="sessionRegistry" ref="sessionRegistry" />
<beans:property name="expiredUrl" value="/login.do" />
</beans:bean>
<beans:bean id="sas" class="org.springframework.security.web.authentication.session.ConcurrentSessionControlStrategy">
<beans:constructor-arg name="sessionRegistry" ref="sessionRegistry" />
<beans:property name="maximumSessions" value="1" />
</beans:bean>
<authentication-manager alias="authenticationManager">
<authentication-provider user-service-ref="jdbcUserService" />
</authentication-manager>
Here are 3 solutions for your multiple-server scenario:
Use sticky sessions on your load balancer so the user keeps going back to the same server. Then you just invalidate the session when they log out. This is usually coupled with a session failover solution (Tomcat example) so if a server goes down a user can get redirected to a new server that picks up their old session.
Use a distributed cache for sessions (for example Terracotta Web Sessions). Then when they logout invalidate the session and it will be invalidated everywhere.
Another solution is to use a customized Spring Security TokenBasedRememberMeServices as your "login" cookie. If the user does not select remember me, go ahead and set the cookie, but make it a browser session cookie instead of a persistent cookie. All servers will recognize the user and create a session for it. When the user logs out, drop the cookie. You'll also need a custom RememberMeAuthenticationFilter that looks for an authentication token in the session and a missing RememberMe cookie, invalidating the session and clearing the security context if that is the case.
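The logout half of that third option, as an added, hypothetical example that is not the answerer's code and not a Spring Security class: a filter that treats "this server's session is still authenticated but the shared login cookie is gone" as proof that the user logged out on another server, and invalidates the local session. The cookie name, login URL and filter name are assumptions; SPRING_SECURITY_CONTEXT is the session attribute under which HttpSessionSecurityContextRepository stores the SecurityContext.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical filter: every server sets the same browser-session "login" cookie on
 * login and deletes it on logout. A server that still holds an authenticated
 * HttpSession for a request without that cookie has been logged out elsewhere.
 */
public class CrossServerLogoutFilter implements Filter {

    // Assumed names; the cookie name must be identical on every server.
    static final String LOGIN_COOKIE = "APP_LOGIN";
    static final String LOGIN_URL = "/login.do";
    // Session attribute Spring Security uses for the stored SecurityContext.
    static final String SECURITY_CONTEXT_KEY = "SPRING_SECURITY_CONTEXT";

    @Override
    public void init(FilterConfig filterConfig) {
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        HttpSession session = request.getSession(false);
        if (loggedOutElsewhere(session, request.getCookies())) {
            // Dropping the session also drops the stored SecurityContext, so the
            // next filters see an anonymous request.
            session.invalidate();
            response.sendRedirect(request.getContextPath() + LOGIN_URL);
            return;
        }
        chain.doFilter(request, response);
    }

    /** Authenticated local session, but no shared login cookie: treat as logged out. */
    static boolean loggedOutElsewhere(HttpSession session, Cookie[] cookies) {
        if (session == null || session.getAttribute(SECURITY_CONTEXT_KEY) == null) {
            return false; // nothing authenticated here, nothing to revoke
        }
        return !hasCookie(cookies, LOGIN_COOKIE);
    }

    static boolean hasCookie(Cookie[] cookies, String name) {
        if (cookies == null) {
            return false;
        }
        for (Cookie cookie : cookies) {
            if (name.equals(cookie.getName()) && !cookie.getValue().isEmpty()) {
                return true;
            }
        }
        return false;
    }

    @Override
    public void destroy() {
    }
}
```

Place it before the REMEMBER_ME_FILTER position, and clear the cookie on logout with Spring's CookieClearingLogoutHandler using the same name and path. The cookie's absence is only ever used to revoke access; granting access still goes through the remember-me services, which verify the token's signature and expiry.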
I would recommend you to have a look at SessionRegistry. You can check this here. There has been a discussion on this at "Is it possible to invalidate a spring security session?". Check this out too.
Spring sessions are stored as JSESSIONID cookies. Check here for a discussion on cookie removal.
The same query has been discussed at Invalid a session when user makes logout (Spring).

How to configure session timeout in the Spring Acegi framework?

We are using Acegi Security for my Spring application.
Can you please help with how to make a user's session time out after 5 minutes and go back to the login screen?
I tried to configure session-timeout in web.xml, but it is not working.
Thank you for your help and time.
I realized that I need to keep 5 min = 300000 milliseconds on expiring tickets in the Acegi security configuration XML.
Now I have another question: how to redirect to the application home page on login. Currently it is trying to go to the page from which it previously logged out, but I want to make it the home page under whatever condition.
Your help is greatly appreciated. Thank you.
To get forwarded to a specific URL after a timeout (defined in web.xml), you may use:
<http>
...
<session-management invalid-session-url="/sessionTimeout.htm" />
</http>
Session Management documentation
Changing the following expiration policy, we can make the session log out within the given time:
<bean
id="serviceTicketExpirationPolicy"
class="org.jasig.cas.ticket.support.MultiTimeUseOrTimeoutExpirationPolicy">
<constructor-arg
index="0"
value="1" />
<constructor-arg
index="1"
value="600000" />
</bean>
The CAS expiration policies page gives more information.
To redirect to the login page, use the following:
<property name="alwaysUseDefaultTargetUrl" value="true"/>
in the casProcessingFilter bean configuration.
