I need to implement session management in Spring Security, but I am getting an error while deploying the application on Tomcat. The application is trying to fetch the invalid-session-url and expired-url property values from a property file, but I am getting an error on deployment.

<security:http entry-point-ref="casAuthenticationEntryPoint" auto-config="true">
    <security:intercept-url pattern="/*" access="ROLE_USER"/>
    <security:custom-filter position="CAS_FILTER" ref="casAuthenticationFilter"/>
    <security:logout invalidate-session="true" logout-url="/logout" logout-success-url="#{CAS_server}/logout?service=#{CAS_application}/" delete-cookies="JSESSIONID"/>
    <security:session-management invalid-session-url="#{CAS_server}/logout?service=#{CAS_application}" session-fixation-protection="newSession" >
        <security:concurrency-control max-sessions="1"  expired-url="#{CAS_server}/logout?service=#{CAS_application}" error-if-maximum-exceeded="true" />
    </security:session-management>
</security:http>

I am only getting this error on the session-management tag. Does anyone have any idea?

1 Answer

I quickly configured a Spring Security app, and my configuration contains the following and it works fine (note the injection of properties in the session-management tag):

test.properties

mytestservice=MyApp
loginurl=/my-login.html
invalidsessionurl=/my-login.html

Spring security config

<bean id="webPropertyConfigurer"
      class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
    <property name="ignoreResourceNotFound" value="true" />
    <property name="ignoreUnresolvablePlaceholders" value="true" />
    <property name="locations">
        <list>
            <value>classpath:test.properties</value>
        </list>
    </property>
</bean>

<security:http>
    <security:intercept-url pattern="/my-login.jsp" access="permitAll" />
    <security:intercept-url pattern="/**" access="hasRole('USER')" />
    <security:form-login login-page="${loginurl}"
                         authentication-failure-url="${loginurl}?error" />
    <security:http-basic />
    <security:session-management invalid-session-url="${invalidsessionurl}/logout?service=${mytestservice}" session-fixation-protection="newSession" />
    <security:logout />
</security:http>

Shailendra
  • I am fetching these values using a JNDI lookup but getting the error only for the session-management tag. – sandeep bhatt Sep 26 '17 at 12:54
  • Caused by: java.lang.IllegalArgumentException: url must start with '/' or with 'http(s)' – sandeep bhatt Sep 26 '17 at 12:56
  • This is a validation error thrown by Spring Security. Either the URL string which you are getting from the JNDI lookup is null or empty, or your URL does not start with trailing slash or http(s). E.g., in my case, if I give loginurl=my-login.html (here I have removed the slash), I get a similar error at application startup. So the URL has to be either relative, starting with a slash, or absolute, with the protocol http(s) at the beginning. – Shailendra Sep 26 '17 at 13:09
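
The startup rule discussed in the comments above, as an added example (plain JDK; not Spring Security's own code and not from either poster): it resolves `${...}` placeholders while leaving unresolved ones in place, as the answer's `ignoreUnresolvablePlaceholders` setting does, then applies the rule stated in the error message to each redirect attribute. The property values, the `/expired` path, and the class and method names are constructed for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Properties;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class RedirectUrlPreflight {
    private static final Pattern PLACEHOLDER = Pattern.compile("\\$\\{([^}]+)}");

    // Replace ${key} with its property value; an unknown key is left as the
    // literal "${key}", which is what ignoreUnresolvablePlaceholders=true does.
    static String resolve(String template, Properties props) {
        Matcher m = PLACEHOLDER.matcher(template);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            String value = props.getProperty(m.group(1));
            m.appendReplacement(out, Matcher.quoteReplacement(value != null ? value : m.group()));
        }
        m.appendTail(out);
        return out.toString();
    }

    // The rule from the error message: not null or empty, and starting
    // with '/' or with http(s)://.
    static boolean isAcceptable(String url) {
        if (url == null || url.isEmpty()) return false;
        String lower = url.toLowerCase();
        return url.startsWith("/") || lower.startsWith("http://") || lower.startsWith("https://");
    }

    public static void main(String[] args) {
        Properties props = new Properties(); // constructed sample values
        props.setProperty("mytestservice", "MyApp");
        props.setProperty("loginurl", "my-login.html"); // leading slash removed
        // "invalidsessionurl" is deliberately missing (a failed lookup)

        Map<String, String> attrs = new LinkedHashMap<>();
        attrs.put("login-page", "${loginurl}");
        attrs.put("invalid-session-url", "${invalidsessionurl}/logout?service=${mytestservice}");
        attrs.put("expired-url", "/expired?service=${mytestservice}"); // hypothetical path

        attrs.forEach((attr, template) -> {
            String url = resolve(template, props);
            System.out.printf("%-20s %-45s %s%n", attr, url, isAcceptable(url) ? "OK" : "REJECTED");
        });
    }
}
```

Only `expired-url` passes: `login-page` resolves to a value without a leading slash, and `invalid-session-url` still begins with the literal `${invalidsessionurl}` because the lookup returned nothing.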