I use Spring Security 3 in my JSF2 webapp.

I have a security rule to provide session timeouts:

<session-management invalid-session-url="/faces/paginas/autenticacion/login.xhtml?error=1" />

So that when the session has expired and the user clicks on any link, he is redirected to the login page. In this page I check for the error param, and show a message to the user saying the session has expired.

But I have 2 problems:

(1) When I startup the app the first time (it tries to show the home page), I'm redirected to the login page saying session has expired. I think that this may be happening because the 1st time you run the app, the session is a new one, and Spring Security perhaps "thinks" it has expired (doesn't distinguish between a new session and a timeout).

(2) If the session has expired for anonymous users (not yet authenticated), I'm redirected to the login page timeout too. I don't want this behaviour for non-authenticated users, I just want to check the timeouts for authenticated users.

How can I solve both of these problems?

Thank you in advance.

choquero70

1 Answer

You want to use the expired-session-url property for expired sessions, not the invalid-session-url. They are for two different things.

cdeszaq
  • I'm using version 3.0.7 of Spring Security, and there's no "expired-session-url" property in it. In the Reference Documentation of 3.0.7, they use the "invalid-session-url" property for detecting timeouts (page number 15 of the pdf doc). But, as you say, an invalid session is not the same as an expired session. Do you know any solutions? – choquero70 Jan 23 '12 at 23:36
  • To get the flexibility you are looking for (being able to differentiate between missing and invalid sessions), you may need to switch to a slightly more advanced configuration. Section 11.3 of the docs indicates that there _is_ an `expiredUrl` property on the concurrency filter: http://static.springsource.org/spring-security/site/docs/3.0.x/reference/session-mgmt.html – cdeszaq Jan 24 '12 at 13:04
  • This answer also may help you: http://stackoverflow.com/questions/2693268/spring-security-session-expiration-without-redirect-to-expired-url – cdeszaq Jan 24 '12 at 13:05
  • Thank you, I will try what you said. What about problem (2) of my question? Do you know how to check the timeouts just for authenticated users? (not for anonymous users who did not authenticate yet). – choquero70 Jan 24 '12 at 19:06
  • Given the way sessions are expired (i.e. they cease to exist), it will be hard to tell if the person was authenticated or unauthenticated. You _could_ use an additional cookie (or manipulate the session cookie) to store that information, but in either case you would likely need to also implement a filter in the Spring Security filter chain to intercept that and deal with it. Likely, Spring Security already has a place to plug in your own session handler, but I don't know off the top of my head. I would highly recommend learning the framework in-depth if you need to customize it heavily. – cdeszaq Jan 24 '12 at 21:45
  • Thank you very much @cdeszaq, I will keep on studying the framework to see if I find something that fits my requirement. I thought it would be easier to implement, as it isn't a strange requirement that unauthenticated users not be redirected to an expired-session-url while they are navigating through unprotected pages; it makes no sense, because they are not logged in. – choquero70 Jan 24 '12 at 23:17
  • Finally I solved this problem with a custom session management filter. See this: [Avoid Timeout for not protected pages](http://stackoverflow.com/questions/9219739/spring-security-getting-the-acess-attributes-of-patterns-in-intercept-url) – choquero70 Mar 21 '12 at 00:34
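The filter below is an added example, not code from the question, the answer, or Spring Security itself. It shows the approach the thread converges on: because a timed-out session no longer exists, you cannot ask "was this user authenticated?", but you can combine the two signals that are still available on the request. First, whether the browser presented a session id that the container no longer recognises (`getRequestedSessionId() != null && !isRequestedSessionIdValid()`, the same test Spring Security's own SessionManagementFilter uses before honouring invalid-session-url, which is why a genuinely first visit with no cookie is not treated as a timeout, while a JSESSIONID cookie left over from a previous deployment is). Second, whether the requested URL is one that requires authentication, which stands in for "the user must have been logged in to get here". The protected-path patterns, the bean name and the use of the question's login URL are assumptions for the example.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.List;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.util.AntPathMatcher;
import org.springframework.web.filter.GenericFilterBean;

/**
 * Redirects to the "session expired" login page only when BOTH hold:
 *   1. the browser sent a session id that the container no longer knows
 *      (the session timed out, or the server was restarted), and
 *   2. the requested URL is one that requires authentication.
 *
 * A first visit sends no session id at all, so it is never treated as a
 * timeout. An anonymous visitor whose session died while browsing public
 * pages simply receives a fresh session and continues.
 */
public class TimeoutRedirectFilter extends GenericFilterBean {

    // Assumption: the authenticated area lives under these patterns. Keep them
    // in step with the <intercept-url> patterns that carry a non-anonymous rule.
    private final List<String> protectedPatterns =
            Arrays.asList("/faces/paginas/privadas/**");

    // The login URL and error flag from the question's configuration.
    private final String timeoutUrl =
            "/faces/paginas/autenticacion/login.xhtml?error=1";

    private final AntPathMatcher matcher = new AntPathMatcher();

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (isStaleSession(request) && isProtected(request)) {
            // Create a fresh session first so the browser receives a new
            // JSESSIONID with the redirect and does not keep replaying the
            // stale one on the login page.
            request.getSession(true);
            response.sendRedirect(request.getContextPath() + timeoutUrl);
            return;
        }
        chain.doFilter(req, res);
    }

    /** True when a session id was presented but no longer maps to a live session. */
    static boolean isStaleSession(HttpServletRequest request) {
        return request.getRequestedSessionId() != null
                && !request.isRequestedSessionIdValid();
    }

    /** True when the request path matches one of the protected patterns. */
    private boolean isProtected(HttpServletRequest request) {
        // For a Faces Servlet mapped to /faces/* the servlet path is "/faces"
        // and the rest of the URL is in the path info, so join the two.
        String path = request.getServletPath()
                + (request.getPathInfo() == null ? "" : request.getPathInfo());
        for (String pattern : protectedPatterns) {
            if (matcher.match(pattern, path)) {
                return true;
            }
        }
        return false;
    }
}
```

To wire it in, declare the class as a bean (for example `timeoutRedirectFilter`), register it with `<custom-filter before="SESSION_MANAGEMENT_FILTER" ref="timeoutRedirectFilter"/>` inside `<http>`, and remove the `invalid-session-url` attribute from `<session-management>`; if it stays, Spring Security's own filter will still redirect every stale session regardless of which page was requested. The `expired-url` on `<concurrency-control>` that the answer points to covers a different case (a session forcibly expired because the same user logged in elsewhere) and can be kept alongside this filter.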