We have a project on Spring Framework. It contains Spring Security with this config:

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                // login page and static resources are open to everyone
                .antMatchers(LOGIN_URL + "/**").permitAll()
                .antMatchers("/resources/**").permitAll()
                .antMatchers("/**").access(<...>)
            .and()
            .formLogin()
                .loginPage(LOGIN_URL)
                .defaultSuccessUrl(LOGIN_URL + "/success", true)
                .failureUrl(LOGIN_URL + "/error")
                .usernameParameter("username").passwordParameter("password")
            .and()
            .logout().logoutSuccessUrl(LOGOUT_URL)
            .and()
            .csrf()
            .and()
            .securityContext().securityContextRepository(reloadUserAuthoritiesService)
            .and()
            .sessionManagement()
                // concurrency control: one session per user, tracked in this registry
                .maximumSessions(1)
                .sessionRegistry(sessionRegistry)
                .expiredUrl(LOGIN_URL)
        ;
    }
It works on one Apache Tomcat server: if I try to log in from another browser, my previous HTTP session is expired.
Now we need to add a Redis server (v4.0.9) as storage for HTTP sessions because we need to share sessions between many instances. But I can log in on two Apache Tomcats as the same user with different sessions. That's bad. I tried several ways to configure it:
- https://www.baeldung.com/spring-session (Annotation configuration)
- Only tomcat config without project changes (redis-session-manager-with-dependencies-2.2.2.jar)
None of these ways work. Also I found this issue: https://github.com/spring-projects/spring-session/issues/65 and it was implemented two years ago. Can anybody help me?

sessionRegistry bean? - Vedran Pavic
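Added example (not code from the question or from the Spring Session project): the concurrency control in the config above only works per JVM because the default `SessionRegistryImpl` keeps its registry in local memory, so each Tomcat enforces `maximumSessions(1)` on its own. Spring Session ships `SpringSessionBackedSessionRegistry` (the outcome of issue #65), which answers registry lookups from the shared Redis-backed `FindByIndexNameSessionRepository`, so a second login on another node finds and expires the first session. This assumes Spring Session 2.x, Spring Security 5.x with the `WebSecurityConfigurerAdapter` style used in the question, and Redis reachable on localhost:6379; `LOGIN_URL`/`LOGOUT_URL` values, the `access(...)` expression and the custom `reloadUserAuthoritiesService` from the question are not known, so they are replaced with placeholders here.

```java
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.data.redis.connection.lettuce.LettuceConnectionFactory;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.session.FindByIndexNameSessionRepository;
import org.springframework.session.Session;
import org.springframework.session.data.redis.config.annotation.web.http.EnableRedisHttpSession;
import org.springframework.session.security.SpringSessionBackedSessionRegistry;

/**
 * Security config whose concurrent-session registry lives in Redis instead of
 * local memory, so maximumSessions(1) is enforced across all Tomcat instances.
 * The type parameter S is the Session type of the configured repository
 * (RedisIndexedSessionRepository.RedisSession when @EnableRedisHttpSession is used).
 */
@Configuration
@EnableRedisHttpSession   // registers the Redis-backed session repository and the SessionRepositoryFilter
public class SecurityConfig<S extends Session> extends WebSecurityConfigurerAdapter {

    // Assumed values; the question does not show the real constants.
    private static final String LOGIN_URL = "/login";
    private static final String LOGOUT_URL = "/login?logout";

    // Provided by @EnableRedisHttpSession. "FindByIndexName" matters: the registry
    // needs to look sessions up by principal name, which this repository indexes.
    @Autowired
    private FindByIndexNameSessionRepository<S> sessionRepository;

    // Redis connection; with Spring Boot this bean is auto-configured and can be omitted.
    @Bean
    public LettuceConnectionFactory redisConnectionFactory() {
        return new LettuceConnectionFactory(); // defaults to localhost:6379 (assumption)
    }

    // Cluster-wide registry: getAllSessions(principal) and expireNow() go through Redis,
    // so a login on node B sees and expires a session created on node A.
    @Bean
    public SpringSessionBackedSessionRegistry<S> sessionRegistry() {
        return new SpringSessionBackedSessionRegistry<>(this.sessionRepository);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.authorizeRequests()
                .antMatchers(LOGIN_URL + "/**").permitAll()
                .antMatchers("/resources/**").permitAll()
                .antMatchers("/**").authenticated()   // placeholder for the question's access(<...>)
            .and()
            .formLogin()
                .loginPage(LOGIN_URL)
                .defaultSuccessUrl(LOGIN_URL + "/success", true)
                .failureUrl(LOGIN_URL + "/error")
                .usernameParameter("username").passwordParameter("password")
            .and()
            .logout().logoutSuccessUrl(LOGOUT_URL)
            .and()
            .csrf()
            .and()
            .sessionManagement()
                .maximumSessions(1)
                .sessionRegistry(sessionRegistry())   // the Redis-backed registry, not SessionRegistryImpl
                .expiredUrl(LOGIN_URL);
    }
}
```

Two things to check when wiring this in: the registry must be the bean above and not a locally created `SessionRegistryImpl` (a leftover local registry is the usual reason a second node still accepts the login), and the `SessionRepositoryFilter` from `@EnableRedisHttpSession` must run before the Spring Security filter chain (with `AbstractHttpSessionApplicationInitializer` or Spring Boot's auto-registration), otherwise Spring Security still sees Tomcat's container session. The Tomcat-only `redis-session-manager` approach replicates the `HttpSession` but leaves the session registry in each JVM's memory, which is why it does not change the concurrency behaviour.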