Why is an anonymous user redirected to the expired-session URL in Spring Security?

I'm really trying to understand how Spring Security works, but I'm a little lost at the moment. Here is a simple scenario:

  • User visits the website home page but is not logged in
  • SecurityContextPersistenceFilter logs that no SecurityContext was available and that a new one will be created.
  • AnonymousAuthenticationFilter populates SecurityContextHolder with an anonymous token
  • A session is created with ID = C2A35ED5A41E29865FF53162B0024D52
  • The user leaves the page idle until the session expires
  • The user then clicks the About page (or the home page) again
  • SecurityContextPersistenceFilter again logs that there is no SecurityContext and that a new one will be created.
  • AnonymousAuthenticationFilter again fills SecurityContextHolder with an anonymous token
  • SessionManagementFilter logs that requested session ID C2A35ED5A41E29865FF53162B0024D52 is not valid
  • SessionManagementFilter logs that it is starting a new session and redirects to /invalidSession.

The pages are configured with .authorizeRequests().antMatchers("/","/home","/about").permitAll(). I included the invalid-session option .sessionManagement().invalidSessionUrl("/errors/invalidSession") to handle authenticated users. If I comment out this option, everything described above is exactly the same EXCEPT for step #10: SessionManagementFilter still sees that the requested session ID is invalid (#9), but DOES NOT start a new session and perform a redirect (#10).


[First answer. Its opening paragraphs are not recoverable from the page; they discuss .sessionManagement().invalidSessionUrl("/errors/invalidSession"), RememberMe and the anonymous (anon) user.]

In SessionManagementFilter:

if (invalidSessionStrategy != null) {
    invalidSessionStrategy
        .onInvalidSessionDetected(request, response);
    return;
}

.sessionManagement().invalidSessionUrl configures a SimpleRedirectInvalidSessionStrategy, whose onInvalidSessionDetected does:

if (createNewSession) {
    request.getSession();
}
redirectStrategy.sendRedirect(request, response, destinationUrl);

createNewSession is set through setCreateNewSession(boolean createNewSession). [The rest of this paragraph, about the redirect URL and SessionManagementFilter, is not recoverable from the page.]

[Not recoverable from the page: the closing paragraph raises questions about keeping .sessionManagement().invalidSessionUrl while changing the "createNewSession" behaviour of SessionManagementFilter, and about whether the JSP directive <%@ page session="false" %> mentioned in another SO answer would help.]

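An added example, not code from the question or from any of the answers: one way to get the behaviour the question is after, a custom InvalidSessionStrategy registered through sessionManagement().invalidSessionStrategy(...). It assumes Spring Security 5.x Java config with javax.servlet and WebSecurityConfigurerAdapter (where the configurer exposes invalidSessionStrategy; with a Java config that lacks it, the BeanPostProcessor route in the last answer on this page is the alternative). The class name, the path list and /errors/invalidSession as the error page are this example's own choices. The point it demonstrates: when SessionManagementFilter runs, a request carrying a stale JSESSIONID always has an anonymous SecurityContext (the old context died with the session), so the strategy cannot tell an expired login from a visitor who never logged in and has to decide by request path instead.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.List;
import java.util.stream.Collectors;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.DefaultRedirectStrategy;
import org.springframework.security.web.RedirectStrategy;
import org.springframework.security.web.session.InvalidSessionStrategy;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.OrRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

/** Hypothetical strategy: stale session cookie on a public page -> back to that page; elsewhere -> error page. */
public class PublicPathAwareInvalidSessionStrategy implements InvalidSessionStrategy {

    private final RequestMatcher publicPaths;
    private final String invalidSessionUrl;
    // contextRelative stays false: URLs handed to it are context-relative and get the context path prepended
    private final RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();

    public PublicPathAwareInvalidSessionStrategy(List<String> publicPatterns, String invalidSessionUrl) {
        this.publicPaths = new OrRequestMatcher(publicPatterns.stream()
                .<RequestMatcher>map(AntPathRequestMatcher::new)
                .collect(Collectors.toList()));
        this.invalidSessionUrl = invalidSessionUrl;
    }

    @Override
    public void onInvalidSessionDetected(HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {
        // Start a fresh session now so the redirect response carries a new JSESSIONID;
        // otherwise the browser keeps replaying the dead one and every request lands here again.
        request.getSession();

        if (publicPaths.matches(request) && "GET".equals(request.getMethod())) {
            // Anonymous visitor on a permitAll page: send them back to the page they asked for.
            // getRequestURI() includes the context path; strip it because the redirect strategy adds it back.
            String path = request.getRequestURI().substring(request.getContextPath().length());
            if (request.getQueryString() != null) {
                path += "?" + request.getQueryString();
            }
            redirectStrategy.sendRedirect(request, response, path);
            return;
        }
        // Anything else (protected page, or a POST whose body is lost anyway): the invalid-session page.
        redirectStrategy.sendRedirect(request, response, invalidSessionUrl);
    }
}

@Configuration
@EnableWebSecurity
class SecurityConfig extends WebSecurityConfigurerAdapter {

    private static final List<String> PUBLIC = Arrays.asList("/", "/home", "/about");

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers(PUBLIC.toArray(new String[0])).permitAll()
                // the error page itself must be reachable anonymously, or the redirect ends on the login page
                .antMatchers("/errors/invalidSession").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .and()
            .sessionManagement()
                // replaces invalidSessionUrl("/errors/invalidSession"), which would install
                // SimpleRedirectInvalidSessionStrategy and redirect every stale cookie, anonymous or not
                .invalidSessionStrategy(new PublicPathAwareInvalidSessionStrategy(PUBLIC, "/errors/invalidSession"));
    }
}
```

Paths removed from the chain with web.ignoring() never reach SessionManagementFilter at all, so neither this redirect nor the rest of the filter chain (CSRF protection, security headers, the anonymous principal) applies to them; permitAll keeps the chain and only relaxes authorization.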

[Second answer. Its introductory paragraph about Spring Security is not recoverable from the page.]

Configuration:

@Override
public void configure(WebSecurity web) throws Exception
{
    web
    .ignoring()
        .antMatchers("/", "/home", "/about", "/login**", "/thankyou", "/user/signup**", "/resources/**")
    ;
}


[Third answer. The opening sentence (the poster describes themselves as a Java Spring noob) and the two linked SO questions that followed are not recoverable from the page.]

SimpleRedirectInvalidSessionStrategy is final [the rest of this paragraph is not recoverable from the page; it describes the cookie, authCookie, that records the current user (authUser or anonymousUser)]. The cookie is written by LoginSuccessHandler and RememberMeSuccessHandler:

authCookie.setCookie(request, response, "anonymousUser");
or
authCookie.setCookie(request, response, authentication.getName());

CustomLogoutSuccessHandler sets it back to anonymousUser on logout.

The strategy:

public class RedirectInvalidSession implements InvalidSessionStrategy {

    // Class header, fields and constructor are not shown on the page; their types are
    // inferred from how the method uses them. AuthCookie is the poster's own helper (not shown).
    private final Log logger = LogFactory.getLog(getClass());
    private final String destinationUrl;
    private final DefaultRedirectStrategy redirectStrategy = new DefaultRedirectStrategy();
    private boolean createNewSession = true;
    private AuthCookie authCookie;

    public RedirectInvalidSession(String destinationUrl) {
        this.destinationUrl = destinationUrl;
    }

    @Override
    public void onInvalidSessionDetected(HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {

        String url = destinationUrl;

        if (authCookie.isCurrentCookieAnonymous()) {
            // pass the URL originally requested by the anonymous user;
            // getRequestURI() includes the context path, and the redirect strategy prepends
            // the context path itself, so strip it here instead of toggling the shared
            // strategy's contextRelative flag per request (that flag is shared between
            // concurrent requests, so flipping it back and forth is a race)
            url = request.getRequestURI().substring(request.getContextPath().length());
        }

        // always revert to anonymous user
        authCookie.setCookie(request, response, "anonymousUser");

        logger.debug("Starting new session (if required) and redirecting to '" + url + "'");

        if (createNewSession) {
            request.getSession();
        }

        redirectStrategy.sendRedirect(request, response, url);
    }
}


In SecurityConfig:

@Bean
public SessionManagementBeanPostProcessor sessionManagementBeanPostProcessor() {
    return new SessionManagementBeanPostProcessor();
}

protected static class SessionManagementBeanPostProcessor implements BeanPostProcessor {

    @Override
    public Object postProcessBeforeInitialization(Object bean, String beanName) {
        if (bean instanceof SessionManagementFilter) {
            SessionManagementFilter filter = (SessionManagementFilter) bean;
            filter.setInvalidSessionStrategy(new RedirectInvalidSession("/errors/invalidSession"));
        }
        return bean;
    }

    @Override
    public Object postProcessAfterInitialization(Object bean, String beanName) {
        return bean;
    }
}


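An added example, not part of any of the answers: a unit test that drives SessionManagementFilter directly with a request replaying a session ID the container no longer knows, which is how to confirm what steps 9 and 10 of the question describe before wiring in a custom strategy. It assumes Spring Security 5.x with javax.servlet, spring-test's mock servlet classes and JUnit 5; the session ID and the URLs are the question's own, the class and test names are this example's.

```java
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertNotNull;
import static org.junit.jupiter.api.Assertions.assertNull;
import static org.junit.jupiter.api.Assertions.assertSame;

import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.Test;
import org.springframework.mock.web.MockFilterChain;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.session.SessionManagementFilter;
import org.springframework.security.web.session.SimpleRedirectInvalidSessionStrategy;

class StaleSessionIdTest {

    // The filter exactly as .sessionManagement().invalidSessionUrl("/errors/invalidSession") sets it up.
    private final SessionManagementFilter filter =
            new SessionManagementFilter(new HttpSessionSecurityContextRepository());

    StaleSessionIdTest() {
        filter.setInvalidSessionStrategy(new SimpleRedirectInvalidSessionStrategy("/errors/invalidSession"));
    }

    /** What AnonymousAuthenticationFilter leaves in the context before SessionManagementFilter runs (step 12). */
    private static void populateAnonymousContext() {
        SecurityContextHolder.getContext().setAuthentication(new AnonymousAuthenticationToken(
                "key", "anonymousUser", AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS")));
    }

    @AfterEach
    void clearContext() {
        SecurityContextHolder.clearContext();
    }

    @Test
    void replayedUnknownSessionIdIsRedirectedEvenForAnonymousUser() throws Exception {
        populateAnonymousContext();
        MockHttpServletRequest request = new MockHttpServletRequest("GET", "/about");
        // The browser still sends the cookie of a session the container has already expired (step 9).
        request.setRequestedSessionId("C2A35ED5A41E29865FF53162B0024D52");
        request.setRequestedSessionIdValid(false);
        MockHttpServletResponse response = new MockHttpServletResponse();
        MockFilterChain chain = new MockFilterChain();

        filter.doFilter(request, response, chain);

        assertEquals("/errors/invalidSession", response.getRedirectedUrl());
        assertNull(chain.getRequest(), "the request must not continue down the chain");
        // createNewSession defaults to true, hence the "Starting new session" log line in step 10
        assertNotNull(request.getSession(false));
    }

    @Test
    void firstVisitWithoutAnySessionCookieIsNotRedirected() throws Exception {
        populateAnonymousContext();
        MockHttpServletRequest request = new MockHttpServletRequest("GET", "/about"); // no requested session ID
        MockHttpServletResponse response = new MockHttpServletResponse();
        MockFilterChain chain = new MockFilterChain();

        filter.doFilter(request, response, chain);

        assertNull(response.getRedirectedUrl());
        assertSame(request, chain.getRequest()); // reached the end of the chain untouched
    }
}
```

The first test shows why the redirect cannot be avoided by looking at the principal: the context already holds an anonymous token, and the filter's anonymous branch is exactly the one that consults invalidSessionStrategy. Whatever replaces SimpleRedirectInvalidSessionStrategy has to get its "was this person logged in" signal from somewhere other than the SecurityContext (the request path, a remember-me token, or a separate cookie as in the answer above), and that signal should only steer the UX, never an authorization decision.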

Source: https://habr.com/ru/post/1608852/

