Spring Security session invalidation through logout

Just a question about Spring security and session invalidation.

When a session is invalidated by ConcurrentSessionControlStrategy, the session is removed from the SessionRegistry by a call to the removeSessionInformation method. However, when the session is invalidated by a manual logout, the HttpSession is invalidated, but there is no call to the SessionRegistry to delete its record from there.

I added the HttpSessionEventPublisher as a listener, which catches the HttpSessionDestroyedEvent, but it does not call the SessionRegistry either.

I worked around this by creating my own implementation of LogoutFilter and adding a handler that manually calls removeSessionInformation, but I would prefer to use the standard Spring configuration if possible. (NB: I cannot use the success-handler-ref attribute of the standard logout tag, because by then the session is no longer valid, so I cannot access the session ID.)

Is there something I am missing here, or is it just something Spring missed?

This, by the way, uses Spring Security 3.1.0.

1 answer

The SessionRegistry must be a Spring bean. ConcurrentSessionControlStrategy calls it directly, so that case works either way. On logout, SecurityContextLogoutHandler calls session.invalidate(), which triggers sessionDestroyed in HttpSessionEventPublisher, which in turn publishes an HttpSessionDestroyedEvent. Spring delivers the HttpSessionDestroyedEvent from HttpSessionEventPublisher to the SessionRegistry only if the registry is a Spring bean.

Instead of:

...
// plain object: not in the application context, so it never receives the event
SessionRegistry sessionRegistry = new SessionRegistryImpl();
ConcurrentSessionControlStrategy concurrentSessionControlStrategy = new ConcurrentSessionControlStrategy(sessionRegistry);
...

Do:

// the bean is registered as an ApplicationListener and receives the event
@Bean
public SessionRegistry sessionRegistry() {
    return new SessionRegistryImpl();
}
...
ConcurrentSessionControlStrategy concurrentSessionControlStrategy = new ConcurrentSessionControlStrategy(sessionRegistry());
...
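The following is an added example, not code from the question or the answer, that shows the difference the answer describes: a SessionRegistryImpl declared as a Spring bean is cleared when the context publishes the HttpSessionDestroyedEvent that HttpSessionEventPublisher emits on session.invalidate(), while one created with plain new is not. It assumes spring-test's MockHttpSession as a constructed stand-in for the container session; the session id and principal are placeholders.

```java
import javax.servlet.http.HttpSession;
import org.springframework.context.annotation.AnnotationConfigApplicationContext;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.mock.web.MockHttpSession;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.session.HttpSessionDestroyedEvent;

public class RegistryCleanupDemo {

    // Registry declared as a Spring bean: the context routes SessionDestroyedEvent
    // to it because SessionRegistryImpl implements ApplicationListener<SessionDestroyedEvent>.
    @Configuration
    static class SessionConfig {
        @Bean
        public SessionRegistry sessionRegistry() {
            return new SessionRegistryImpl();
        }
    }

    public static void main(String[] args) {
        AnnotationConfigApplicationContext ctx =
                new AnnotationConfigApplicationContext(SessionConfig.class);
        SessionRegistry managed = ctx.getBean(SessionRegistry.class);
        // Registry created with "new": no Spring wiring, so the event never reaches it.
        SessionRegistry unmanaged = new SessionRegistryImpl();

        // Constructed stand-in for the container session (spring-test MockHttpSession).
        HttpSession session = new MockHttpSession(null, "constructed-session-id");
        Object principal = "placeholder-user";
        managed.registerNewSession(session.getId(), principal);
        unmanaged.registerNewSession(session.getId(), principal);

        // This is exactly what HttpSessionEventPublisher.sessionDestroyed() publishes
        // after SecurityContextLogoutHandler calls session.invalidate().
        ctx.publishEvent(new HttpSessionDestroyedEvent(session));

        // The managed registry has handled the event and dropped its entry;
        // the unmanaged one still reports the session as active.
        System.out.println("managed registry entry:   "
                + managed.getSessionInformation(session.getId()));
        System.out.println("unmanaged registry entry: "
                + unmanaged.getSessionInformation(session.getId()));
        ctx.close();
    }
}
```

In a deployed application the same effect requires HttpSessionEventPublisher to be registered as a listener in web.xml, since that is what turns the container's session destruction into the Spring event.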
