1
votes

I want to display message to user as "Singed out because of inactive" in login page .

I tried the below code in spring security but its not effected .

sessionManagement().maximumSessions(1).expiredUrl("/login?expired") in httpsecurity .

After session timeout , simple its redirect to the /login only , did't get the expired value .

Using the below versions:

Spring boot 2.0

Spring security 5.0

1
Did you add a session listener? - dur
No , directly i added in http security , sessionManagement().maximumSessions(1).expiredUrl("/login?expired") - Pyla Srenu
That not enough. You have also to add a session listener. - dur
Hey man, have you solved your problem? if yes, post your solution! - Rhadamez Gindri Hercilio

1 Answers

0
votes

This is just a snippet of my entire configuration, but this will check if the session has expired ONLY for authenticated users. When you use .maximumSessions(1) you are dealing with concurrent user management. That's not what you need.

In the following snippet, I check all incoming requests if they are authenticated .anyRequest().authenticated(). If the request is from an authenticated user (I don't check for roles) AND the session has timed out .sessionManagement().invalidSessionUrl(), redirect them back to the index page which has the login form.

@Configuration
@EnableWebSecurity
public class WebSecurityConfiguration extends WebSecurityConfigurerAdapter {

  @Override
  protected void configure(HttpSecurity http) throws Exception {
      http.authorizeRequests()
          .anyRequest().authenticated()
          .and()
          .sessionManagement().invalidSessionUrl("/?sessionexpired=true");
  }

}