
By auto-logout I mean that the browser is redirected to the logout URL by itself when the session expires, without the user having to click a link that would redirect them to the logout URL anyway.

This is my SecurityConfig:

import org.springframework.beans.factory.annotation.Autowired; import org.springframework.boot.autoconfigure.security.SecurityProperties; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.core.annotation.Order; import org.springframework.security.access.vote.RoleVoter; import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder; import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.builders.WebSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter; import org.springframework.security.config.http.SessionCreationPolicy;

/**
 * Created by plato on 5/5/2016.
 */

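/**
 * Spring Security configuration for the application.
 *
 * <p>Static assets bypass the filter chain, authentication is form based and is
 * delegated to the injected {@code DatabaseAuthenticationProvider}, admin paths
 * require the {@code ADMIN} authority, everything else is public, and each
 * principal is limited to a single concurrent session.
 */
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
@Order(SecurityProperties.ACCESS_OVERRIDE_ORDER)
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     * Provider registered with the global AuthenticationManager in
     * {@link #configureGlobal(AuthenticationManagerBuilder)}; presumably
     * database backed, given its name.
     */
    @Autowired
    DatabaseAuthenticationProvider authenticationProvider;

    /**
     * Excludes static asset prefixes from the security filter chain entirely, so
     * none of the rules in {@link #configure(HttpSecurity)} apply to them.
     *
     * @param web the web security builder
     * @throws Exception propagated from the Spring Security DSL
     */
    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/js/**", "/css/**", "/img/**", "/templates/**", "/thymeleaf/**");
    }

    /**
     * Configures form login, logout, URL authorization, CSRF and session handling.
     *
     * <p>Authorization rules are evaluated in order: the admin patterns require the
     * {@code ADMIN} authority and every remaining path is public. The original chain
     * also ended with {@code anyRequest().authenticated()}, which could never match
     * because {@code antMatchers("/**")} already matches every request; that dead
     * rule is dropped so the configuration reads the way it actually behaves.
     *
     * @param http the HTTP security builder
     * @throws Exception propagated from the Spring Security DSL
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.formLogin()
                .loginPage("/login")
                .failureUrl("/login?failed=true")
                .defaultSuccessUrl("/login-success")
                .and().logout()
                .logoutSuccessUrl("/")
                .and().authorizeRequests()
                // NOTE(review): "/admin**" is a single-segment Ant pattern; it matches
                // "/admin" and "/adminX" but, as far as I can tell, not "/admin/x", which
                // would then fall through to the permitAll rule below. If nested admin
                // pages exist, "/admin/**" is probably the intended pattern — confirm.
                .antMatchers("/admin**", "/api/admin/**").hasAuthority("ADMIN")
                .antMatchers("/**").permitAll()
                // NOTE(review): CSRF protection is disabled for every endpoint, including
                // any state-changing ones. Left unchanged here because enabling it requires
                // the forms/clients to submit the token; prefer re-enabling it with a
                // narrow ignoringAntMatchers(...) exclusion over a blanket disable.
                .and().csrf().disable()
                .sessionManagement()
                .maximumSessions(1)
                .expiredUrl("/login?expired-session")
                .and()
                .invalidSessionUrl("/?invalid-session");
    }

    /**
     * Registers the database authentication provider with the global
     * {@link AuthenticationManagerBuilder}. {@code eraseCredentials(true)} asks the
     * manager to erase the credentials from the resulting {@code Authentication}
     * once authentication has succeeded.
     *
     * @param auth the global authentication manager builder
     * @throws Exception propagated from the Spring Security DSL
     */
    @Autowired
    public void configureGlobal(AuthenticationManagerBuilder auth) throws Exception {
        auth.authenticationProvider(authenticationProvider).eraseCredentials(true);
    }
}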
The session has timed out; there is no more information. What would you expect to happen from the logout? - M. Deinum

1 Answer


The client would have to poll. The server cannot "push" the redirect.

The client can poll at an interval X that is just a bit longer than the session timeout. If the poll is more frequent than that, each poll would refresh the session and it would never time out. The client can reset the timer on every user interaction.