Clever Geek Handbook

Spring Security logout does not cancel session

My enhanced Pet Clinic app requires security.

The logout function does not work at this time. I have a GET version (simple link) and a POST version (hidden form represented by a link).

After logging in, whichever method I use to log out, once I try to log in, no new login is allowed.

I believe it has something to do with this section:

.sessionManagement()
    .maximumSessions(1)
    .maxSessionsPreventsLogin(true)
    .expiredUrl("/login?expired")

but I thought this section:

.logout()
    .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
    .logoutSuccessUrl("/")
    .permitAll()

will invalidate my HttpSession

so that next login is allowed, but it doesn't.

When I look at the logs, these are different lines when I enter the second time:

s.CompositeSessionAuthenticationStrategy : Delegating to org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy@2cc9f3de
w.a.UsernamePasswordAuthenticationFilter : Authentication request failed: org.springframework.security.web.authentication.session.SessionAuthenticationException: Maximum sessions of 1 for this principal exceeded
w.a.UsernamePasswordAuthenticationFilter : Updated SecurityContextHolder to contain null Authentication
w.a.UsernamePasswordAuthenticationFilter : Delegating to authentication failure handler org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler@16c670c3

.a.SimpleUrlAuthenticationFailureHandler: Redirect to / login? error

Any advice is appreciated.

My app can be found at https://github.com/arnaldop/enhanced-pet-clinic .

Here's the code from my subclass WebSecurityConfigurerAdapter

:

private static final String[] UNSECURED_RESOURCE_LIST =
    new String[] {"/", "/resources/**", "/assets/**", "/css/**", "/webjars/**",
        "/images/**", "/dandelion-assets/**", "/unauthorized", "/error*"};

@Override
public void configure(WebSecurity web) throws Exception {
    web
        .ignoring()
            .antMatchers(UNSECURED_RESOURCE_LIST);
}

@Override
protected void configure(HttpSecurity http) throws Exception {
    //@formatter:off
    http
        .authorizeRequests()
            .antMatchers(UNSECURED_RESOURCE_LIST)
                .permitAll()
            .antMatchers("/owners/**", "/vets/**", "/vets*").hasRole("USER")
            .antMatchers("/manage/**").hasRole("ADMIN")
            .anyRequest()
                .permitAll()
        .and()
            .formLogin()
                .loginPage("/login")
                    .failureUrl("/login?error")
                    .permitAll()
        .and()
            .logout()
                .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
                .logoutSuccessUrl("/")
                .permitAll()
        .and()
            .requiresChannel()
                .antMatchers("/login", "/owners/**", "/vets/**", "/vets*", "/manage/**")
                    .requiresSecure()
        .and()
            .exceptionHandling()
                .accessDeniedPage("/router?q=unauthorized")
        .and()
            .sessionManagement()
                .maximumSessions(1)
                .maxSessionsPreventsLogin(true)
                .expiredUrl("/login?expired")
        ;
    //@formatter:on
}
+1


source to share


1 answer


I had the same problem on spring boot which I fixed by doing HttpSessionEventPublisher



// Register HttpSessionEventPublisher
    @Bean
    public static ServletListenerRegistrationBean httpSessionEventPublisher() {
        return new ServletListenerRegistrationBean(new HttpSessionEventPublisher());
    }
+2


source






More articles:


All Articles