Disable Remember-Me in Spring Security and Tomcat

I wonder if there is a way to disable remember-me in Spring Security? The scenario I want to implement is quite common: after closing the browser window, I would like the user's session to expire. It seems strange, but it doesn't work with Tomcat 7 and Spring Security 3.1. We are using auto-config in the Spring Security configuration file, but the remember-me element is missing.

What's the best solution for it to work? Thanks in advance!

Update: Here is a use case to clarify my problem:

  • The user enters a restricted area, say /secure.html
  • Then they close the browser without manually logging out.
  • They open the browser again and go directly to /secure.html.
  • Current Spring behavior: the page renders successfully. Expected behavior: redirect to the login page.

New symptoms for differential diagnosis: the user is probably re-authenticated because the JSESSIONID is being kept across closing / opening the same browser. How can I force Tomcat or Spring to create a new session for each browser session?

Update: Snippet of the Spring Security configuration:

<http auto-config="true">
    <anonymous key="anonymous-security" />
    <intercept-url pattern="/auth/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <intercept-url pattern="/**" access="ROLE_ADMIN" />
    <form-login login-page="/auth/login.html"
                default-target-url="/auth/default.html"
                authentication-failure-url="/auth/failed.html" />
    <logout logout-success-url="/auth/logout.html" delete-cookies="JSESSIONID" />
</http>


Update: The documentation states that auto-config="true" no longer includes remember-me by default since 3.0 (we are using 3.1):

Prior to 3.0, this list also included remember-me functionality. This can lead to some confusing bugs with some configurations and was removed in 3.0.

What's wrong with my web app?

+3


4 answers


Why don't you just log out the existing user by redirecting them to /j_spring_security_logout?



0




In my implementation with the latest Spring Security and Tomcat 6, I am using the following configuration: is it similar to yours?

<http use-expressions="true" access-denied-page="/Error.xhtml">
    <intercept-url access="isAuthenticated()" pattern="/secure.xhtml"/>
    <form-login />
    <logout invalidate-session="true" logout-success-url="/search.xhtml"/>
</http>


0




You can try adding a LogoutHandler to terminate your local session:

<!-- Logout handler terminating local session -->
<bean id="logoutHandler" class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler">
    <property name="invalidateHttpSession" value="true" />
</bean>


It actually defaults to true, so you probably don't need to set the property.

0




Clarifying the problem:

I faced the same problem: my browser remembers my user.

Typically: after logging in to access the restricted area, I close the browser, then open it again and enter the same restricted area, which lets me in when I would expect to be prompted for credentials.

One important thing I noticed after playing around with it is that this behavior is NOT CONSISTENT across browsers:

  • Eclipse plug-in browser remembers after closing
  • Chrome remembers after closing
  • IE (9) DOES NOT remember after closing
  • Firefox (16.0.1) DOES NOT remember after closing
  • Safari (5.1.7 for Windows) DOES NOT remember after closing

Other browser types and versions can be checked ...

Solution:

  • A workaround might be to try to detect when the user closes their browser and force a logout when this happens. Not too sure how feasible this is.

There might be a better solution, I'll update this answer if I find it.

0



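An added example, not taken from the question or any of the answers: if, as the question's JSESSIONID diagnosis and the browser-dependent results in the last answer suggest, the browser is restoring the JSESSIONID session cookie on restart, the server never sees the browser close, so the practical mitigation is to bound the session's server-side lifetime and send requests carrying an expired session id back to the login page. Paths are those from the question; the 30-minute timeout is an assumed value.

```xml
<!-- web.xml (Servlet container): cap the server-side idle lifetime of a
     session, so a restored JSESSIONID is only honoured for a limited time
     (minutes; 30 is an assumption for this example) -->
<session-config>
    <session-timeout>30</session-timeout>
</session-config>

<!-- Spring Security 3.1 namespace configuration: no <remember-me/> element,
     so no persistent remember-me cookie is ever issued; the session is
     invalidated and the JSESSIONID cookie deleted on logout -->
<http auto-config="true">
    <anonymous key="anonymous-security" />
    <intercept-url pattern="/auth/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <intercept-url pattern="/**" access="ROLE_ADMIN" />
    <form-login login-page="/auth/login.html"
                default-target-url="/auth/default.html"
                authentication-failure-url="/auth/failed.html" />
    <logout logout-success-url="/auth/logout.html"
            invalidate-session="true"
            delete-cookies="JSESSIONID" />
    <!-- a request that presents a session id the server no longer knows
         (timed out or invalidated) is redirected to the login page instead of
         silently getting a new anonymous session; a fresh session is also
         created at login so the pre-login session id is never reused -->
    <session-management invalid-session-url="/auth/login.html"
                        session-fixation-protection="newSession" />
</http>
```

To confirm that the server is not issuing a persistent cookie, inspect the Set-Cookie header of the login response: a JSESSIONID without Expires or Max-Age is a session cookie, and its survival across a restart is then the browser's session-restore behavior rather than remember-me.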