I am pretty new to Spring Security and I have the following problem with a project I am working on, related to the logout operation when I set the session management setting.
So I have the following situation.
This is my spring-security.xml configuration file:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns="http://www.springframework.org/schema/security"
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-4.0.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-4.0.xsd">
<http pattern="/resources/**" security="none"/>
<http auto-config="true" use-expressions="true" authentication-manager-ref="authenticationManager">
<intercept-url pattern="/login" access="permitAll" />
<intercept-url pattern="/registrati" access="permitAll" />
<intercept-url pattern="/sessionTimeout" access="permitAll" />
<intercept-url pattern="/error" access="permitAll" />
<intercept-url pattern="/salvaRegistrazione" access="permitAll" />
<intercept-url pattern="/captcha.html" access="permitAll" />
<intercept-url pattern="/monitoraggioCandidature" access="permitAll" />
<intercept-url pattern="/riepilogoDettaglioRegione" access="permitAll" />
<intercept-url pattern="/**" access="isAuthenticated()" />
<logout logout-success-url="/login" logout-url="/logout" />
<form-login login-page="/login"
authentication-failure-url="/login?error=true"
default-target-url="/"
username-parameter="nomeUtente"
password-parameter="password"
login-processing-url="/j_spring_security_check"/>
<csrf disabled="true"/>
<session-management invalid-session-url="/sessionTimeout" />
</http>
<authentication-manager id="authenticationManager" >
<authentication-provider>
<jdbc-user-service data-source-ref="datasource"
users-by-username-query="select des_usr_par, des_psw_par,true from TID001_ANAGPARTECIPA where des_usr_par =?"
authorities-by-username-query="select des_usr_par, prg_par from TID001_ANAGPARTECIPA where des_usr_par = ? "/>
</authentication-provider>
</authentication-manager>
</beans:beans>
And this is the sessionTimeout.html view (I am using Thymeleaf in my project, so the extension is .html and not .jsp, but this is not important now).
So, as you can see in the previous spring-security.xml file, this setting related to session management is defined:
<session-management invalid-session-url="/sessionTimeout" />
which generates an HTTP request toward the /sessionTimeout resource if the session has expired (or something like this, correct me if this is a wrong assertion). This request is handled by a controller method that shows the previous sessionTimeout.html view:
@RequestMapping(value = "/sessionTimeout", method = RequestMethod.GET)
public String sessionTimeout(Model model) {
return "sessionTimeout";
}
As you can see in the previous spring-security.xml, I am also managing the logout task in the Spring Security standard way, by:
<logout logout-success-url="/login" logout-url="/logout" />
which has to redirect to the login page associated with a request to the /login resource.
This worked fine until I inserted the session management into my spring-security.xml file. The problem is that when I insert this line:
<session-management invalid-session-url="/sessionTimeout" />
into this configuration file, when the user performs the logout operation, instead of showing the login page it shows the sessionTimeout.html view, as if the session had expired or were invalid.
What is the cause of this behavior? How can I fix it?
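Added example, not part of the original question. The sequence that produces this symptom is: the logout filter invalidates the HTTP session and redirects the browser to /login; the browser still sends its old JSESSIONID cookie with that redirected request; the session-management filter sees a requested session id that no longer matches a live session and applies the invalid-session-url, so the user lands on /sessionTimeout instead of /login. The fragment below shows the `<logout>` element from the question beside a version that also clears the session cookie on logout, so the follow-up request to /login carries no stale session id. It assumes the servlet container's default cookie name (JSESSIONID); if your container or web.xml renames the session cookie, use that name instead.

```xml
<!-- Before (as in the question): the session is invalidated on logout, but the
     browser keeps sending the old JSESSIONID cookie with the redirect to /login,
     which the session-management filter treats as an invalid session. -->
<logout logout-success-url="/login" logout-url="/logout" />
<session-management invalid-session-url="/sessionTimeout" />

<!-- After: explicitly invalidate the session (the default) and tell the browser to
     drop the session cookie, so the redirected /login request has no requested
     session id and invalid-session-url is not triggered.
     Assumption: the session cookie is named JSESSIONID (servlet default). -->
<logout logout-success-url="/login"
        logout-url="/logout"
        invalidate-session="true"
        delete-cookies="JSESSIONID" />
<session-management invalid-session-url="/sessionTimeout" />
```

Both `invalidate-session` and `delete-cookies` are attributes of the `<logout>` element in the Spring Security 4 XML namespace. Note that the same cookie mismatch can also appear on the very first visit after the server restarts, when a browser still holds a cookie from a session that no longer exists; clearing the cookie at logout does not cover that case, so /sessionTimeout should remain reachable without authentication, as it already is in the configuration above.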