I have an app with multiple roles. First, I log in with one role. Then, in another tab, I try to log in with another role, but the login intentionally fails because I enter an incorrect password. Then, when I go to the other tab, where I am logged in, and click a menu option, the application goes to the login page, as if I had logged out.
This is my Spring Security configuration:
    http
        .csrf().disable()
        .authorizeRequests()
        .antMatchers("/j_spring_security_check*","/login*","/adminLogin*", "/superadminLogin*", "/logout*", "/signin/**", "/signup/**",
            "/user/registration*", "/registrationConfirm*", "/expiredAccount*", "/registration*",
            "/badUser*", "/user/resendRegistrationToken*" ,"/forgetPassword*", "/adminForgetPassword*", "/resetPassword*","/user/resetPassword*", "/updatePassword*",
            "/updatePassword*", "/user/updatePassword*", "/user/adminResetPassword*", "/registrationAdminConfirm*",
            "/emailError*", "/resources/**","/old/user/registration*","/successRegister*", "/user/setPassword*","/setPassword*", "/accountActivation*",
            "/ayuda*", "/avisoLegal*", "/cookies*", "/activeAdminAccount*", "/user/changePassword*", "/changePassword*",
            "/restablecerPasswordCode*", "/restablecerPassword*","/proteccionDatos*",
            "/comercializadoraLogin*", "/registrationComercializadora*", "/comercializadora/registration*",
            "/comercializadora/resetPassword*", "/forgetPasswordComercializadora*", "/accountActivationComercializadora*",
            "/comercializadora/changePassword*", "/restablecerPasswordComercializadora*",
            "/comercializadora/getComercializadoras*", "/registrationRepConfirm*", "/backOfficeLogin*").permitAll()
        .antMatchers("/invalidSession*").anonymous()
        .anyRequest().authenticated()
        .and()
        .formLogin()
            .loginPage("/adminLogin.html")
            .loginProcessingUrl("/j_spring_security_check")
            .defaultSuccessUrl("/adminConsole.html")
            .failureUrl("/adminLogin.html?error=true")
            .failureHandler(misConsumosAuthenticationFailureHandler)
            .successHandler(myAuthenticationSuccessHandler)
            .usernameParameter("j_username")
            .passwordParameter("j_password")
            .permitAll()
        .and()
        .formLogin()
            .loginPage("/superadminLogin.html")
            .loginProcessingUrl("/j_spring_security_check")
            .defaultSuccessUrl("/admin.html")
            .failureUrl("/superadminLogin.html?error=true")
            .failureHandler(misConsumosAuthenticationFailureHandler)
            .successHandler(myAuthenticationSuccessHandler)
            .usernameParameter("j_username")
            .passwordParameter("j_password")
            .permitAll()
        .and()
        .formLogin()
            .loginPage("/backOfficeLogin.html")
            .loginProcessingUrl("/j_spring_security_check")
            .defaultSuccessUrl("/backOfficeConsole.html")
            .failureUrl("/backOfficeLogin.html?error=true")
            .failureHandler(misConsumosAuthenticationFailureHandler)
            .successHandler(myAuthenticationSuccessHandler)
            .usernameParameter("j_username")
            .passwordParameter("j_password")
            .permitAll()
        .and()
        .formLogin()
            .loginPage("/comercializadoraLogin.html")
            .loginProcessingUrl("/j_spring_security_check")
            .defaultSuccessUrl("/comercializadoraCansole.html")
            .failureUrl("/comercializadoraLogin.html?error=true")
            .failureHandler(misConsumosAuthenticationFailureHandler)
            .successHandler(myAuthenticationSuccessHandler)
            .usernameParameter("j_username")
            .passwordParameter("j_password")
            .permitAll()
        .and()
        .formLogin()
            .loginPage("/login.html")
            .loginProcessingUrl("/j_spring_security_check")
            .defaultSuccessUrl("/homepage.html")
            .failureUrl("/login.html?error=true")
            .failureHandler(misConsumosAuthenticationFailureHandler)
            .successHandler(myAuthenticationSuccessHandler)
            .usernameParameter("j_username")
            .passwordParameter("j_password")
            .permitAll()
        .and()
        .addFilterBefore((Filter) ajaxSessionFilter, SessionManagementFilter.class)
        .sessionManagement()
            //.invalidSessionUrl("/invalidSession.html")
            .invalidSessionUrl("/login.html")
            .sessionFixation()//.none()
            .changeSessionId()
        .and()
        .logout()
            .invalidateHttpSession(false)
            .logoutUrl("/j_spring_security_logout")
            .logoutSuccessUrl("/login.html")
            .logoutSuccessHandler(misConsumosLogoutHandler)
            .deleteCookies("JSESSIONID")
            .permitAll();
Why does this happen? Is there a way to remain logged into the first tab?
Thanks,
Daniel