I have the following problem. My Spring application is configured in the following way:

Application context security

<http use-expressions="true" pattern="/ext/**" entry-point-ref="loginUrlAuthenticationEntryPoint">

    <!-- Other configuration -->

    <session-management invalid-session-url="/sessionExpired">
    </session-management>
</http>

My Controller:

@RequestMapping(value="/sessionExpired", method = RequestMethod.GET)
public String sessionExpired(ModelMap model, HttpSession session) {
    return "login";
}

Now my problem is that in the method sessionExpired I should be able to differentiate on some property of my user, for example:

@RequestMapping(value="/sessionExpired", method = RequestMethod.GET)
public String sessionExpired(ModelMap model, HttpSession session) {

    // Test 1: read the user from the security context
    Authentication auth = SecurityContextHolder.getContext().getAuthentication();
    MyUser u = (MyUser) auth.getPrincipal();

    // Test 2 (alternative): read the user from the session
    // MyUser u = (MyUser) session.getAttribute("user");

    if (u.isItalian())
        return "loginA";
    else
        return "loginB";
}

I think that Spring Security has already cleaned the session, the request and the SecurityContextHolder. Then how can I solve this situation?

Skizzo
  • one option is to use the sessionExpire event. See how it's done here. Just catch the event and do whatever you want there http://stackoverflow.com/questions/11843010/logout-session-timeout-catching-with-spring-security – george Nov 17 '16 at 23:03

1 Answer

SessionExpired means there is no Session because it has expired. An option is to catch the Session on an event before it is going to be destroyed. Luckily I found this solution/approach for you:

http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpSessionListener.html

It could look like this:

import java.util.concurrent.atomic.AtomicInteger;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

public class SessionCounterListener implements HttpSessionListener {

  // Listener callbacks run on container threads, so the counter must be thread-safe.
  private static final AtomicInteger totalActiveSessions = new AtomicInteger();

  public static int getTotalActiveSession(){
    return totalActiveSessions.get();
  }

  @Override
  public void sessionCreated(HttpSessionEvent arg0) {
    totalActiveSessions.incrementAndGet();
    System.out.println("sessionCreated - add one session into counter");
  }

  @Override
  public void sessionDestroyed(HttpSessionEvent arg0) {
    // The expiring session is still readable here through arg0.getSession().
    totalActiveSessions.decrementAndGet();
    System.out.println("sessionDestroyed - deduct one session from counter");
  }
}
  • ok, I'm trying this solution, but my problem is how to arrive at controller? – Skizzo Nov 17 '16 at 17:07
  • Maybe you can combine it with webListener? – Erik B from B Nov 17 '16 at 17:13
  • Well, after looking around and trying some coding, it seems that you don't have access to the request. So you can't redirect anyone to anywhere. It is really a difficult problem. Best way so far is to store _sessionId_ as cookie and send it with every _request_. When the session is expired you fetch the user data from DB with the _sessionId_ as param. Then you can redirect this `user.isItalian()` to the special page. – Erik B from B Nov 17 '16 at 17:56
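
One way to get the behaviour the question asks for, following the cookie idea in the last comment but storing only a coarse login-page hint rather than a session id. This is an added example, not code from the question or the answer; the cookie name `loginVariant`, the `/ext/home` landing page, the `MyUser` stand-in interface and an HTTPS deployment are assumptions.

```java
import java.io.IOException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.CookieValue;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;

interface MyUser { boolean isItalian(); } // stand-in for the asker's principal class

// Runs at login, while the authenticated principal is still available.
class LoginVariantSuccessHandler implements AuthenticationSuccessHandler {
    static final String COOKIE = "loginVariant"; // assumed cookie name

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request,
            HttpServletResponse response, Authentication authentication) throws IOException {
        MyUser user = (MyUser) authentication.getPrincipal();
        // Store only a non-sensitive hint: no user id, no session id.
        Cookie cookie = new Cookie(COOKIE, user.isItalian() ? "A" : "B");
        cookie.setHttpOnly(true);
        cookie.setSecure(true); // assumes the application is served over HTTPS
        cookie.setPath(request.getContextPath() + "/");
        cookie.setMaxAge(30 * 24 * 60 * 60); // outlives the HTTP session on purpose
        response.addCookie(cookie);
        response.sendRedirect(request.getContextPath() + "/ext/home"); // assumed landing page
    }
}

@Controller
class SessionExpiredController {
    @RequestMapping(value = "/sessionExpired", method = RequestMethod.GET)
    public String sessionExpired(
            @CookieValue(value = LoginVariantSuccessHandler.COOKIE, required = false) String variant) {
        // The cookie is client-controlled: map known values to fixed view names
        // and never build a view name or redirect target from its content.
        if ("A".equals(variant)) {
            return "loginA";
        }
        if ("B".equals(variant)) {
            return "loginB";
        }
        return "login"; // missing or unexpected value falls back to the default page
    }
}
```

Because the hint carries no identity, a forged or stale cookie can only select which login page is shown; authentication still happens on that page.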