Spring-boot Spring-Security session timeout

Question

UPDATED QUESTION:

I have a spring-boot 1.1.3.RELEASE project that is using EmbeddedTomcat and Spring-Security. I posted this a while back but that question wasn't answered (My apologies for those that saw that post and it didn't make sense. Hopefully this one is better)

Here is my setup: build.gradle:

project.ext {
    springBootVersion = '1.1.3.RELEASE'
}
dependencies {
    compile("org.springframework.boot:spring-boot-starter-web:$springBootVersion")
    compile("org.springframework.boot:spring-boot-starter-thymeleaf")
    compile("org.springframework.boot:spring-boot-starter-security")
    compile("org.springframework.boot:spring-boot-starter-data-jpa:$springBootVersion")
    compile("org.springframework.security:spring-security-web:4.0.0.M1")
    compile("org.springframework.security:spring-security-config:4.0.0.M1")
    compile('org.thymeleaf.extras:thymeleaf-extras-springsecurity3:2.1.1.RELEASE')


    compile("org.hibernate:hibernate-core:4.3.4.Final")
    compile("org.hibernate:hibernate-entitymanager:4.3.4.Final")
    compile("org.hibernate:hibernate-validator")

    compile("com.h2database:h2:1.3.172")
    compile("joda-time:joda-time:2.3")
//    compile("org.thymeleaf:thymeleaf-spring4")
    compile("org.codehaus.groovy.modules.http-builder:http-builder:0.7.1")
    compile('org.codehaus.groovy:groovy-all:2.2.1')
    compile('org.jadira.usertype:usertype.jodatime:2.0.1')
    compile("org.liquibase:liquibase-core")

    testCompile('org.spockframework:spock-core:1.0-groovy-2.0-SNAPSHOT') {
        exclude group: 'org.codehaus.groovy', module: 'groovy-all'
    }

    testCompile('org.spockframework:spock-spring:1.0-groovy-2.0-SNAPSHOT') {
        exclude group: 'org.spockframework', module: 'spock-core'
        exclude group: 'org.spockframework', module: 'spring-beans'
        exclude group: 'org.spockframework', module: 'spring-test'
        exclude group: 'org.codehaus.groovy', module: 'groovy-all'
    }
    testCompile("org.springframework.boot:spring-boot-starter-test:$springBootVersion")
    testCompile('org.codehaus.groovy.modules.http-builder:http-builder:0.7+')
    testCompile("junit:junit")
}

My Main Class:

@ComponentScan
@EnableAutoConfiguration
@EnableGlobalMethodSecurity(securedEnabled = true)
public class OFAC {

    public static void main(String[] args) {
        ApplicationContext ofac = SpringApplication.run( OFAC.class, args );
    }
}

My primary configuration:

@Configuration
@EnableScheduling
public class OFAConfiguration {

    @Autowired
    private ConfigurationSettings configurationSettings;

    @Bean
    @Order(Ordered.HIGHEST_PRECEDENCE)
    public EmbeddedServletContainerCustomizer servletContainerCustomizer() {
        return new SessionTimeoutEmbeddedServletContainerCustomizer();
    }
}

And my embeddedServletContainer recommended by Marten:

public class SessionTimeoutEmbeddedServletContainerCustomizer implements EmbeddedServletContainerCustomizer {

    @Autowired
    private ConfigurationSettings configurationSettings;

    @Override
    public void customize(ConfigurableEmbeddedServletContainer configurableEmbeddedServletContainer) {
        int port = 9000;

        TomcatEmbeddedServletContainerFactory tomcat = (TomcatEmbeddedServletContainerFactory) configurableEmbeddedServletContainer;

        if ( configurationSettings.getServerPort() != null ) {
            port = Integer.parseInt( configurationSettings.getServerPort() );
        }
        tomcat.setPort( port );
        tomcat.addErrorPages( new ErrorPage( HttpStatus.NOT_FOUND, "/notfound.html" ) );
    }
}

And my Security Configuration:

@Configuration
@EnableWebMvcSecurity
public class ApplicationSecurity extends WebSecurityConfigurerAdapter {

    @Autowired
    private DataSource datasource;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .authorizeRequests()
                .antMatchers("/").permitAll()
                .antMatchers("/resources/**").permitAll()
                .antMatchers("/css/**").permitAll()
                .antMatchers("/libs/**").permitAll();

        http
                .formLogin().failureUrl("/login?error")
                .defaultSuccessUrl("/")
                .loginPage("/login")
                .permitAll()
                .and()
                .logout().logoutRequestMatcher(new AntPathRequestMatcher("/logout")).logoutSuccessUrl("/")
                .permitAll();

        http
                .sessionManagement()
                .maximumSessions(1)
                .expiredUrl("/login?expired")
                .maxSessionsPreventsLogin(true)
                .and()
                .sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED)
                .invalidSessionUrl("/");

        http
                .authorizeRequests().anyRequest().authenticated();
    }

and

@Order(Ordered.HIGHEST_PRECEDENCE)
@Configuration
public class AuthenticationSecurity extends GlobalAuthenticationConfigurerAdapter {
// no code actually
}

In my application.properties I have a five minute timeout:

server.session-timeout=300

When I start up, I see the following log messages:

2014-07-08 14:02:18.735  INFO 69422 --- [           main] ationConfigEmbeddedWebApplicationContext : Refreshing org.springframework.boot.context.embedded.AnnotationConfigEmbeddedWebApplicationContext@340b9eec: startup date [Tue Jul 08 14:02:18 MDT 2014]; root of context hierarchy
2014-07-08 14:02:20.827  INFO 69422 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'org.springframework.scheduling.annotation.SchedulingConfiguration' of type [class org.springframework.scheduling.annotation.SchedulingConfiguration$$EnhancerBySpringCGLIB$$75b53f01] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2014-07-08 14:02:20.983  INFO 69422 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'org.springframework.transaction.annotation.ProxyTransactionManagementConfiguration' of type [class org.springframework.transaction.annotation.ProxyTransactionManagementConfiguration$$EnhancerBySpringCGLIB$$6ac51dc6] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2014-07-08 14:02:21.016  INFO 69422 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'transactionAttributeSource' of type [class org.springframework.transaction.annotation.AnnotationTransactionAttributeSource] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2014-07-08 14:02:21.035  INFO 69422 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'transactionInterceptor' of type [class org.springframework.transaction.interceptor.TransactionInterceptor] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2014-07-08 14:02:21.047  INFO 69422 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'org.springframework.transaction.config.internalTransactionAdvisor' of type [class org.springframework.transaction.interceptor.BeanFactoryTransactionAttributeSourceAdvisor] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2014-07-08 14:02:21.097  INFO 69422 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'org.springframework.security.config.annotation.configuration.ObjectPostProcessorConfiguration' of type [class org.springframework.security.config.annotation.configuration.ObjectPostProcessorConfiguration$$EnhancerBySpringCGLIB$$38601c80] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2014-07-08 14:02:21.118  INFO 69422 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'objectPostProcessor' of type [class org.springframework.security.config.annotation.configuration.AutowireBeanFactoryObjectPostProcessor] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2014-07-08 14:02:21.120  INFO 69422 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler@2f8ffdc4' of type [class org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2014-07-08 14:02:21.177  INFO 69422 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'authenticationSecurity' of type [class com.edelweissco.ofac.configuration.AuthenticationSecurity$$EnhancerBySpringCGLIB$$85675816] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2014-07-08 14:02:21.199  INFO 69422 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'enableGlobalAuthenticationAutowiredConfigurer' of type [class org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration$EnableGlobalAuthenticationAutowiredConfigurer] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2014-07-08 14:02:21.218  INFO 69422 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration' of type [class org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration$$EnhancerBySpringCGLIB$$2da1b835] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2014-07-08 14:02:21.219  INFO 69422 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration' of type [class org.springframework.security.config.annotation.method.configuration.GlobalMethodSecurityConfiguration$$EnhancerBySpringCGLIB$$c09573b2] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2014-07-08 14:02:21.250  INFO 69422 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'methodSecurityMetadataSource' of type [class org.springframework.security.access.method.DelegatingMethodSecurityMetadataSource] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2014-07-08 14:02:21.258  INFO 69422 --- [           main] trationDelegate$BeanPostProcessorChecker : Bean 'metaDataSourceAdvisor' of type [class org.springframework.security.access.intercept.aopalliance.MethodSecurityMetadataSourceAdvisor] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2014-07-08 14:02:21.934  INFO 69422 --- [           main] .t.TomcatEmbeddedServletContainerFactory : Server initialized with port: 9001
2014-07-08 14:02:22.213  INFO 69422 --- [           main] o.apache.catalina.core.StandardService   : Starting service Tomcat
2014-07-08 14:02:22.213  INFO 69422 --- [           main] org.apache.catalina.core.StandardEngine  : Starting Servlet Engine: Apache Tomcat/7.0.54
2014-07-08 14:02:22.363  INFO 69422 --- [ost-startStop-1] o.a.c.c.C.[Tomcat].[localhost].[/]       : Initializing Spring embedded WebApplicationContext
2014-07-08 14:02:22.364  INFO 69422 --- [ost-startStop-1] o.s.web.context.ContextLoader            : Root WebApplicationContext: initialization completed in 3631 ms
2014-07-08 14:02:24.157  INFO 69422 --- [ost-startStop-1] o.s.s.web.DefaultSecurityFilterChain     : Creating filter chain: org.springframework.security.web.util.matcher.AnyRequestMatcher@1, [org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@6e3afd5, org.springframework.security.web.context.SecurityContextPersistenceFilter@96219e4, org.springframework.security.web.header.HeaderWriterFilter@12cad708, org.springframework.security.web.csrf.CsrfFilter@78688290, org.springframework.security.web.authentication.logout.LogoutFilter@655490cd, org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter@331b7b16, org.springframework.security.web.session.ConcurrentSessionFilter@5d42f8e3, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@750bff35, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@1dd0a8c0, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@4e2ccc7b, org.springframework.security.web.session.SessionManagementFilter@7b54be6d, org.springframework.security.web.access.ExceptionTranslationFilter@5497e581, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@16254dd7]
2014-07-08 14:02:24.242  INFO 69422 --- [ost-startStop-1] o.s.b.c.e.ServletRegistrationBean        : Mapping servlet: 'dispatcherServlet' to [/]
2014-07-08 14:02:24.244  INFO 69422 --- [ost-startStop-1] o.s.b.c.embedded.FilterRegistrationBean  : Mapping filter: 'springSecurityFilterChain' to: [/*]
2014-07-08 14:02:24.244  INFO 69422 --- [ost-startStop-1] o.s.b.c.embedded.FilterRegistrationBean  : Mapping filter: 'hiddenHttpMethodFilter' to: [/*]
..
2014-07-08 14:02:31.240  INFO 69422 --- [           main] o.s.w.s.handler.SimpleUrlHandlerMapping  : Mapped URL path [/**/favicon.ico] onto handler of type [class org.springframework.web.servlet.resource.ResourceHttpRequestHandler]
2014-07-08 14:02:31.357  INFO 69422 --- [           main] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped "{[/about],methods=[GET],params=[],headers=[],consumes=[],produces=[],custom=[]}" onto public java.lang.String com.edelweissco.ofac.controller.AboutController.get(org.springframework.ui.Model)
2014-07-08 14:02:31.357  INFO 69422 --- [           main] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped "{[/admin],methods=[GET],params=[],headers=[],consumes=[],produces=[],custom=[]}" onto public java.lang.String com.edelweissco.ofac.controller.AdminController.displayUpload(org.springframework.ui.Model)
2014-07-08 14:02:31.358  INFO 69422 --- [           main] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped "{[/upload],methods=[GET],params=[],headers=[],consumes=[],produces=[],custom=[]}" onto public java.lang.String com.edelweissco.ofac.controller.CustomerDataController.displayUpload(org.springframework.ui.Model)
2014-07-08 14:02:31.358  INFO 69422 --- [           main] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped "{[/customerFile],methods=[POST],params=[],headers=[],consumes=[],produces=[],custom=[]}" onto public java.lang.String com.edelweissco.ofac.controller.CustomerDataController.handleFileUpload(org.springframework.web.multipart.MultipartFile,org.springframework.ui.Model,org.springframework.security.core.Authentication)
2014-07-08 14:02:31.358  INFO 69422 --- [           main] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped "{[/fileDownloadService],methods=[],params=[],headers=[],consumes=[],produces=[],custom=[]}" onto public java.util.List<java.lang.String> com.edelweissco.ofac.controller.FileDownloadController.index()
2014-07-08 14:02:31.359  INFO 69422 --- [           main] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped "{[/search],methods=[GET],params=[],headers=[],consumes=[],produces=[],custom=[]}" onto public java.lang.String com.edelweissco.ofac.controller.SearchController.getSearchCustomerForm(org.springframework.ui.Model)
2014-07-08 14:02:31.359  INFO 69422 --- [           main] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped "{[/searchTreasuryData],methods=[POST],params=[],headers=[],consumes=[],produces=[],custom=[]}" onto public java.lang.String com.edelweissco.ofac.controller.SearchController.searchTreasury(com.edelweissco.ofac.model.SdnSearch,org.springframework.ui.Model)
2014-07-08 14:02:31.360  INFO 69422 --- [           main] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped "{[/status],methods=[GET],params=[],headers=[],consumes=[],produces=[],custom=[]}" onto public java.lang.String com.edelweissco.ofac.controller.StatusController.get(org.springframework.ui.Model)
2014-07-08 14:02:31.360  INFO 69422 --- [           main] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped "{[/refreshData],methods=[POST],params=[],headers=[],consumes=[],produces=[],custom=[]}" onto public java.lang.String com.edelweissco.ofac.controller.StatusController.searchCustomer(org.springframework.ui.Model)
2014-07-08 14:02:31.366  INFO 69422 --- [           main] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped "{[/error],methods=[],params=[],headers=[],consumes=[],produces=[],custom=[]}" onto public org.springframework.http.ResponseEntity<java.util.Map<java.lang.String, java.lang.Object>> org.springframework.boot.autoconfigure.web.BasicErrorController.error(javax.servlet.http.HttpServletRequest)
2014-07-08 14:02:31.366  INFO 69422 --- [           main] s.w.s.m.m.a.RequestMappingHandlerMapping : Mapped "{[/error],methods=[],params=[],headers=[],consumes=[],produces=[text/html],custom=[]}" onto public org.springframework.web.servlet.ModelAndView org.springframework.boot.autoconfigure.web.BasicErrorController.errorHtml(javax.servlet.http.HttpServletRequest)
2014-07-08 14:02:31.379  INFO 69422 --- [           main] o.s.w.s.handler.SimpleUrlHandlerMapping  : Mapped URL path [/about] onto handler of type [class org.springframework.web.servlet.mvc.ParameterizableViewController]
2014-07-08 14:02:31.380  INFO 69422 --- [           main] o.s.w.s.handler.SimpleUrlHandlerMapping  : Mapped URL path [/status] onto handler of type [class org.springframework.web.servlet.mvc.ParameterizableViewController]
2014-07-08 14:02:31.380  INFO 69422 --- [           main] o.s.w.s.handler.SimpleUrlHandlerMapping  : Mapped URL path [/home] onto handler of type [class org.springframework.web.servlet.mvc.ParameterizableViewController]
2014-07-08 14:02:31.380  INFO 69422 --- [           main] o.s.w.s.handler.SimpleUrlHandlerMapping  : Mapped URL path [/login] onto handler of type [class org.springframework.web.servlet.mvc.ParameterizableViewController]
2014-07-08 14:02:31.380  INFO 69422 --- [           main] o.s.w.s.handler.SimpleUrlHandlerMapping  : Mapped URL path [/search] onto handler of type [class org.springframework.web.servlet.mvc.ParameterizableViewController]
2014-07-08 14:02:31.380  INFO 69422 --- [           main] o.s.w.s.handler.SimpleUrlHandlerMapping  : Mapped URL path [/upload] onto handler of type [class org.springframework.web.servlet.mvc.ParameterizableViewController]
2014-07-08 14:02:31.380  INFO 69422 --- [           main] o.s.w.s.handler.SimpleUrlHandlerMapping  : Root mapping to handler of type [class org.springframework.web.servlet.mvc.ParameterizableViewController]
2014-07-08 14:02:31.380  INFO 69422 --- [           main] o.s.w.s.handler.SimpleUrlHandlerMapping  : Mapped URL path [/admin] onto handler of type [class org.springframework.web.servlet.mvc.ParameterizableViewController]
2014-07-08 14:02:31.397  INFO 69422 --- [           main] o.s.w.s.handler.SimpleUrlHandlerMapping  : Mapped URL path [/**] onto handler of type [class org.springframework.web.servlet.resource.ResourceHttpRequestHandler]
2014-07-08 14:02:31.397  INFO 69422 --- [           main] o.s.w.s.handler.SimpleUrlHandlerMapping  : Mapped URL path [/webjars/**] onto handler of type [class org.springframework.web.servlet.resource.ResourceHttpRequestHandler]
2014-07-08 14:02:32.907  INFO 69422 --- [           main] o.s.j.e.a.AnnotationMBeanExporter        : Registering beans for JMX exposure on startup
2014-07-08 14:02:33.112  INFO 69422 --- [           main] s.b.c.e.t.TomcatEmbeddedServletContainer : Tomcat started on port(s): 9001/http
2014-07-08

So i am able to log in. But if leave it inactive, I am still logged in and able to use full authorized functionality. I try to login with the same credentials from two different browsers and the second attempt fails with "invalid username/password" so I think the concurrent session setting is being picked up. There isn't any AJAX call being picked up by FireBug or browser dev tools.

Can anyone see what the error is?

It looks like that should work to me (although as Marten says below, some of the config is unecessary, and the build config is schizophrenic). What are the steps to reproduce exactly? — Dave Syer, Jul 06 '14 at 13:37
I updated my post based upon the excellent recommendations - learning Spring Boot & Gradle at the same time might be unwise. I have an spring-mvc app that a user logs in with standard Spring Security (all defaults). Before login, all links redirect to /login. I sit idle for a period of time, and then go back and click another link, which works as if I was still logged in. — sonoerin, Jul 06 '14 at 15:17
Are you sure you waited more than 5 minutes? Maybe your app is keeping the session alive with AJAX requests or something? You can monitor the HTTP traffic with common dev tools in a browser (e.g. Chrome, press F12). — Dave Syer, Jul 06 '14 at 15:38
I tested with Chrome and Firefox for 40 minutes each. I didn't see any networks calls in the dev tools or Firebug. — sonoerin, Jul 06 '14 at 17:44
The `EmbeddedServletContainerCustomizer` should work, but I think it is being called too soon, and the `ServerProperties` is overriding the session timeout. You can make your customizer `Ordered` (I think) to give it higher precedence. Or you can just use the standard `ServerProperties` configuration (i.e. "server.sessionTimeout=300" in `application.properties`). — Dave Syer, Jul 06 '14 at 18:31
I modified my bean definition to be "@Bean @Order(Ordered.HIGHEST_PRECEDENCE)" and removed the hard coded timeout. Now I am using the "server.session-timeout=300" But even after 45 minutes of inactivity, the timeout still does not occur. I even tried removing my class extending "GlobalAuthenticationConfigurerAdapter" just in case. — sonoerin, Jul 08 '14 at 15:53

score 12 · Answer 1 · answered Jul 09 '14 at 19:42

So it would appear that to get the Embedded Tomcat to honor a session timeout, when you use the server.session-timeout value, use it in minutes, not seconds. My previous attempts were with server.session-timeout=300 and after waiting at least 45 minutes, the timeout never occurred. However, I added HttpSessionListener bean with system.outs to message on sessionCreated() and sessionDestroyed(). With an application.properties setting of server.session-timeout=5 I saw the session get destroyed just after 5 minutes of inactivity.

So, I can now control the session length with these parameters. Thank you to M. Deinum and Dave Sayers for your help and advice. If nothing else, you really helped me clean up my code and understand Spring a bit more.

As of Spring Boot v1.0.2, I also find server.session-timeout is in minutes, not in seconds. — Samuli Pahaoja, Aug 04 '14 at 14:18
I recently read about [this topic](https://stackoverflow.com/questions/32501541/what-is-the-default-session-timeout-and-how-to-configure-it-when-using-the-sprin) and in version 1.5.7 it is called `server.session.timeout`. — rocksteady, Oct 24 '17 at 08:45

score 4 · Answer 2 · edited May 31 '17 at 20:46

I suggest you take a look at this which explains how to modify the embedded tomcat. Instead of trying to bootstrap your own container let spring boot do that and use a EmbeddedServletContainerCustomizer to modify what you need.

public class SessionTimeoutEmbeddedServletContainerCustomizer implements EmbeddedServletContainerCustomizer {
    @Override
    public void customize(ConfigurableEmbeddedServletContainer configurableEmbeddedServletContainer) {
        TomcatEmbeddedServletContainerFactory tomcat = (TomcatEmbeddedServletContainerFactory) configurableEmbeddedServletContainer;
        tomcat.setSessionTimeout(30, TimeUnit.MINUTES);
        tomcat.addErrorPages(new ErrorPage(HttpStatus.NOT_FOUND, "/notfound.html"));
    }
}

Then remove your container from the configuration and replace it with a @Bean method constructing this customizer. (I would probably add it as a @Bean method to the starter class, that way you have everything related to bootstrapping the application in one class!).

@Configuration
public class OFAConfiguration {

    @Bean
    public EmbeddedServletContainerCustomizer servletContainerCustomizer() {
        return new SessionTimeoutEmbeddedServletContainerCustomizer();
    }
}

The advantage of this is that Spring Boot still does all its magic with the servlet container and you only modify what is needed.

Some other things I noticed first your dependencies are a bit of a mess and your configuration contains to much.

Dependencies

You are mxing Spring Boot 1.0.1 and 1.1.1 and probably also 1.1.3, fix this mixture to prevent weird dependency issues.
YOu include spring-orm version 4.0.0.RC1 whilst this is already on version 4.0.5 and provided by the spring-boot-starter-data-jpa dependency, remove it.

Configuration

Your configuration contains multiple @EnableJpaRepositories which you can remove as Spring Boot detects the presence of Spring Data JPA and will enable this for you as well as the @EnableTransactionManagement

Your main class extends WebMvcConfigurerAdapter which shouldn't be needed as this is also detected and configured by Spring Boot.

@ComponentScan
@EnableAutoConfiguration
@EnableGlobalMethodSecurity(securedEnabled = true)
public class OFAC {
    public static void main(String[] args) {
        ApplicationContext ofac = SpringApplication.run( OFAC.class, args );
    }
}

This should be all you need for your starter class.

Thank you, I still can't get this thing to time out. I made changes in my original question and thought that perhaps adding "sessionManagement().maximumSessions(1).expiredUrl("/") .and().invalidSessionUrl("/");" would address it. But still nothing seem to make it time out. I do see that if I open a different browser, I cannot login concurrently so that is a start. — sonoerin, Jul 08 '14 at 18:53
@M. deinum can you look at this question https://stackoverflow.com/questions/41500031/fetch-role-name-or-log-in-the-user — saurabh kumar, Jan 06 '17 at 08:54

score 4 · Answer 3 · answered May 30 '16 at 11:20

4

as of current version (http://docs.spring.io/spring-boot/docs/current/reference/html/common-application-properties.html) there is typo, property is: server.session.timeout

answered May 30 '16 at 11:20

pl.square

499
5
5

score 3 · Answer 4 · answered Nov 13 '16 at 13:24

3

Just to update this, because I went looking for an answer and couldn't find it easily:

You can set the server.session.cookie.max-age=

in your application.properties to force the log out after a certain time.

This one actually uses seconds, not minutes, as the integer value. So set it to something reasonable like 120 for 2 minutes.

answered Nov 13 '16 at 13:24

patrick haggerty

86
2

What configurations would I need? Just add server.session.cookie and it would work? Is it by strict time or inactive time? – JayC Apr 28 '17 at 15:30
@Jesse - "server.session-timeout=1800" means a 30-minute timeout. – Andrei Epure Jul 26 '17 at 14:54

Deepak · Answer 5 · 2019-08-30T09:42:21.253

1

Things change but as of Spring boot 2.1.3 (which has Spring web 5.1.5, optionally adding Spring Session 2.1.4), the property is now

server.servlet.session.timeout=<your-value>><units>

for example the value to be set could be 1800s for 1800 seconds or 30m for 30 minutes

The spring session property spring.session.timeout if not configured falls back to the property above..

edited Aug 30 '19 at 09:42

answered Aug 30 '19 at 09:30

Deepak

3,648
1
22
17

Spring-boot Spring-Security session timeout

5 Answers5

Linked