What is the maximum time of user inactivity (session expiration time) when using spring security?
When is session expiration date updated? Does it update when we call SecurityContextHolder.getContext().getAuthentication() ? I.e. what is "user activity" for spring security?
Thanks!
Spring Security relies on session management support provided by servlet containers.
Session timeout can be configured in web.xml:
<session-config>
<session-timeout>30</session-timeout> <!-- in minutes -->
</session-config>
otherwise the container's default value is used. You can override the timeout for a particular session using Session.setMaxInactiveInterval() (in seconds).
Session expiration date is updated when any request associated with that session comes in.
You can either set the session timeout (say 60 minutes) for all sessions in web.xml:
<session-config>
<session-timeout>60</session-timeout>
</session-config>
or on a per-session basis using
session.setMaxInactiveInterval(60*60);
the latter you might want to do in an authorizationSuccessHandler.
<form-login authentication-success-handler-ref="authenticationSuccessHandler"/>
My questions:
Are the two approaches mentioned above the same?
If not, how to set the inactive timeout as described in the second approach via Spring Configuration XML?
What is the ideal approach to set the session timeout in the Spring framework?
Are the two approaches mentioned above the same?
Yes, the only difference is that in the former case the session timeout is set by the servlet container (e.g. Tomcat) and in the latter case it's done by Spring.
If not, how to set the inactive timeout as described in the second approach via Spring Configuration XML?
You have to write a custom filter to set the session timeout; as far as my knowledge goes, there is nothing where you can set the session timeout in Spring XML.
What is the ideal approach to set the session timeout in the Spring framework?
Let the session timeout be handled by the container, like the one you define in web.xml; if you are changing the session time a lot in a running app, then you can consider a Spring-managed session timeout by using an interceptor.
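An added example, not code from any of the posts above, of the per-session approach the question describes (calling setMaxInactiveInterval from an authentication success handler wired in via authentication-success-handler-ref); the class name, package and the 1800-second value are assumptions:

```java
// Added example (not from the original posts): an AuthenticationSuccessHandler
// that applies a per-session inactivity timeout after a successful login.
// Class name, package and timeout value are hypothetical.
package com.example.security;

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;

public class SessionTimeoutSuccessHandler extends SavedRequestAwareAuthenticationSuccessHandler {

    // Inactivity limit in seconds (web.xml <session-timeout> is in minutes).
    private final int maxInactiveSeconds;

    public SessionTimeoutSuccessHandler(int maxInactiveSeconds) {
        this.maxInactiveSeconds = maxInactiveSeconds;
    }

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request,
                                        HttpServletResponse response,
                                        Authentication authentication)
            throws IOException, ServletException {
        // getSession(false) does not create a session; after form login
        // Spring Security has normally created one already.
        HttpSession session = request.getSession(false);
        if (session != null) {
            // Overrides the web.xml value for this session only; the container
            // still expires the session when no request arrives within the interval.
            session.setMaxInactiveInterval(maxInactiveSeconds);
        }
        // Keep the default behaviour: redirect to the saved request or default target.
        super.onAuthenticationSuccess(request, response, authentication);
    }
}

/* Wiring in the Spring Security XML namespace (assumed bean id, matching the
   authentication-success-handler-ref attribute from the question):

   <beans:bean id="authenticationSuccessHandler"
               class="com.example.security.SessionTimeoutSuccessHandler">
       <beans:constructor-arg value="1800"/>   <!-- 30 minutes, in seconds -->
   </beans:bean>
   <form-login authentication-success-handler-ref="authenticationSuccessHandler"/>
*/
```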
I've been working on a web-based application on the Spring MVC architecture. From Java EE applications, I'm very familiar with the fact that an HttpSession can be timed out in any of these three ways:
Invoking the invalidate method (generally while logging out).
Setting the session timeout in web.xml.
The web server itself destroys session objects when heap memory is exceeded.
But in my Spring application, the HttpSession gets timed out after I leave my application idle for several hours, even though none of the above reasons were the cause. I really have no idea what is causing this.
The default session timeout in tomcat is defined in
<TOMCAT_HOME>/conf/web.xml
All configuration parameters of this file can be overridden in web.xml of the webapp.
If you need an infinite session timeout, use -1:
<session-config>
<session-timeout>-1</session-timeout>
</session-config>
I have added an entry in web.xml as below,
<session-config>
<session-timeout>10</session-timeout>
</session-config>
and added the below code in my servlet,
HttpSession session = request.getSession();
session.setMaxInactiveInterval(5*60);
Can I override the session timeout value in web.xml by using the method setMaxInactiveInterval?
The code will overwrite it for that specific session, any number of times you reuse it (like the above comment says).
If you want to make sure of the reuse you can also say
request.getSession(false);
after the first invocation.
I am using Spring MVC 3.1 and developing a web application.
I am storing the logged-in user name and password in the session. Since the session is stored in a cookie, once cookies are disabled I am not able to log in.
Is there any solution in Spring MVC to store the session other than in a cookie?
Thanks
You want to use URL rewriting to persist the JSESSIONID in the URLs across requests. You can configure the ServletContext to use the URL tracking mode (instead of COOKIE) as described here.
With Servlet 3.0 you do this (tracking-mode is a direct child of session-config, not of cookie-config):
<session-config>
<tracking-mode>URL</tracking-mode>
</session-config>
I noticed that in my application (Java EE 6, Spring MVC 3.2.4, Spring Security 3.1.4) JSTL's <c:url> tags start adding the sessionid value to each URL when cookies get disabled. Spring Security works normally. I did not have to do any configuration to achieve this.
Good day. I'm developing a Java web app with Servlets\JSP using Tomcat 7.0. During a request from the client I put an object into the session and use forward. After the forward, processing the same request, the object can be retrieved if the secure parameter is false; otherwise it is not stored in the session.
<session-config>
<session-timeout>15</session-timeout>
<cookie-config>
<http-only>true</http-only>
<secure>true</secure>
</cookie-config>
<tracking-mode>COOKIE</tracking-mode>
</session-config>
I've figured out that "...cookies can be created with the 'secure' flag, which ensures that the browser will never transmit the specified cookie over non-SSL...". I've configured Tomcat to use SSL, but that hasn't helped. Changing the tracking mode to SSL hasn't helped either. How do session-config and the HttpSession object correlate in this case? What could be the problem?