1
votes

I have tried all solutions. I am facing two issues:

  1. Logout redirects to invalid-session-url.
  2. Even when the application is logged out, the session-timed-out event keeps recurring at every set time interval (say 10 minutes). This causes the login page submit action (Login button) to redirect to invalid-session-url. So if I log out and try to log in after 10 minutes (the session-timeout interval), the login page again redirects to login?logout=1 (invalid-session-url) instead of logging into the application. After that, I am able to log in.

Following are the changes I made, after which I am facing the above issues:

  • I changed the /login page access from http pattern="/login" security="none" to intercept-url pattern="/login" access="isAnonymous()" to implement CSRF. I have tried switching access to permitAll as well.
  • I have observed in the browser that every time I log out, the current JSESSIONID is discarded and a new JSESSIONID is created in the browser, and the logout action redirects to invalid-session-url instead of logout-success-url.
  • On logging in again, the JSESSIONID remains the same as the JSESSIONID newly created after logout. Shouldn't it change?

Below is the security-context configuration:

<http pattern="/" security="none"/>
<!--<http pattern="/login" security="none"/>-->
<http pattern="/resources/assets/**" security="none"/>
<http pattern="/resources/bootstrap/**" security="none"/>
<http pattern="/resources/config/**" security="none"/>
<http pattern="/resources/css/**" security="none"/>
<http pattern="/resources/data/**" security="none"/>
<http pattern="/resources/font-awesome-4.5.0/**" security="none"/>
<http pattern="/resources/fonts/**" security="none"/>
<http pattern="/resources/images/**" security="none"/>

<http auto-config="false" use-expressions="true" entry-point-ref="loginUrlAuthenticationEntryPoint">

    <!--permitall isAnonymous()-->
    <intercept-url pattern="/login" access="isAnonymous()" />
    <intercept-url pattern="/login?logout=1" access="isAnonymous()" />
    <intercept-url pattern="/login?logout=0" access="isAnonymous()" />
    <intercept-url pattern="/login?logout=2" access="isAnonymous()" />
    <intercept-url pattern="/login?error" access="isAnonymous()" />
    <intercept-url pattern="/**" access="isAuthenticated()" />
    <intercept-url pattern="/user/*" access="isAuthenticated()" />
    <intercept-url pattern="/resources/js/angular/**" access="isAuthenticated()" />

    <custom-filter position="FORM_LOGIN_FILTER" ref="customUsernamePasswordAuthenticationFilter" />
    <logout logout-success-url="/login?logout=0" invalidate-session="true" delete-cookies="JSESSIONID" />
    <!--<logout success-handler-ref="customLogoutSuccessHandler" invalidate-session="true" delete-cookies="JSESSIONID"
        newSession/>-->
    <session-management  invalid-session-url="/login?logout=1" session-fixation-protection="migrateSession">
        <concurrency-control max-sessions="1" expired-url="/login?logout=2" />
    </session-management>
    <csrf/>
    <headers/>
</http>

<beans:bean id="loginUrlAuthenticationEntryPoint"
        class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
    <beans:property name="loginFormUrl" value="/login"/>
</beans:bean>


<authentication-manager alias="authenticationManager">
    <authentication-provider ref="customAuthenticationProvider"/>
</authentication-manager>

<beans:bean id="customUsernamePasswordAuthenticationFilter"
        class="com.vitrana.hilit.web.security.CustomAuthenticationFilter" >
    <beans:property name="authenticationManager" ref="authenticationManager"/>
    <beans:property name="authenticationFailureHandler" ref="failureHandler"/>
    <beans:property name="authenticationSuccessHandler" ref="successHandler"/>
    <beans:property name="usernameParameter" value="hdnUserName" />
    <beans:property name="passwordParameter" value="password" />
</beans:bean>
<beans:bean id="successHandler" class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler">
    <beans:property name="defaultTargetUrl" value="/user/dashboard.jsp"/>
</beans:bean>
<beans:bean id="failureHandler" class="com.vitrana.hilit.web.security.UserNameCachingAuthenticationFailureHandler">
    <beans:property name="defaultFailureUrl" value="/login?error"/>
</beans:bean>
<beans:bean id="customLogoutSuccessHandler" class="com.vitrana.hilit.web.security.CustomLogoutSuccessHandler" > </beans:bean>

<beans:bean class="com.vitrana.hilit.web.security.SessionDestroyedListener">
</beans:bean>

Please suggest. Any help is appreciated. Thanks

You can find your solution here stackoverflow.com/questions/7391735/… - Innocuous
I have tried all of these. Didn't work. I cannot add filters=none, as I am using the security taglib and CSRF on the page. Please suggest some other solution. - Curiousreed
Did you try removing invalidate-session="true" from the <security:logout> element? - jlumietu
@jlumietu No. It didn't do anything. The issue has been happening since I had to give login anonymous access to make CSRF protection work: <intercept-url pattern="/login" access="isAnonymous()" /> - Curiousreed
Did you find any solution? - Pri_stack

1 Answer

0
votes

Disable Spring web security for the endpoints which do not require authorization, like the login page, static content, etc. Once you disable it, Spring Security will not validate the session.

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    private static final Logger log = LoggerFactory.getLogger(SecurityConfig.class);

    @Override
    public void configure(WebSecurity webSecurity) {
        log.debug("ignore urls for web security.....");
        // Requests matching these patterns bypass the whole Spring Security
        // filter chain (no authentication, session or CSRF processing).
        // Web resources
        webSecurity.ignoring().antMatchers("/uistatic/**");
        webSecurity.ignoring().antMatchers("/css/**");
        webSecurity.ignoring().antMatchers("/js/**");
        webSecurity.ignoring().antMatchers("/img/**");
        webSecurity.ignoring().antMatchers("/images/**");
        webSecurity.ignoring().antMatchers("/index**");
        webSecurity.ignoring().antMatchers("/login**");
    }
}
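The difference between web.ignoring() and permitAll() for the login page, as an added Java-config example that is not part of the question or the answer above. It mirrors the asker's XML settings (URLs and parameter names) and assumes the WebSecurityConfigurerAdapter API of Spring Security 4/5; the class name LoginInChainSecurityConfig is made up.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.builders.WebSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class LoginInChainSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    public void configure(WebSecurity web) {
        // ignoring() removes the request from the whole filter chain: no
        // CsrfFilter, no SecurityContextPersistenceFilter, no
        // SessionManagementFilter. Keep it for credential-free static files
        // only; a login page placed here gets no CSRF token and no CSRF check.
        web.ignoring().antMatchers("/resources/assets/**", "/resources/css/**",
                                   "/resources/images/**", "/resources/fonts/**");
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // permitAll() keeps /login inside the chain, so the form can
                // render the _csrf token and the POST is validated. Ant patterns
                // match the path only, so one "/login" rule already covers
                // /login?logout=1, /login?error and so on.
                .antMatchers("/login").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .usernameParameter("hdnUserName")
                .passwordParameter("password")
                .defaultSuccessUrl("/user/dashboard.jsp")
                .failureUrl("/login?error")
                .and()
            .logout()
                .logoutSuccessUrl("/login?logout=0")
                .invalidateHttpSession(true)
                .deleteCookies("JSESSIONID")
                .and()
            .sessionManagement()
                .invalidSessionUrl("/login?logout=1")
                .sessionFixation().migrateSession()
                .maximumSessions(1)
                .expiredUrl("/login?logout=2");
    }
}
```

Under this arrangement the SessionManagementFilter still runs for /login, so a browser that presents a stale JSESSIONID there is still sent to invalidSessionUrl; only the static paths under ignoring() escape that check.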