Spring security re-authentication on some pages

Are there ways to force re-authentication with Spring security when a user is performing some very sensitive operations on certain pages?

+3




2 answers


Use

// import org.springframework.security.core.context.SecurityContextHolder;
// Drops the whole thread-local security context for the current request.
SecurityContextHolder.clearContext();

or

// Keeps the context object but removes the Authentication from it.
SecurityContextHolder.getContext().setAuthentication(null);

and

// import javax.servlet.http.HttpServletRequest;
// import javax.servlet.http.HttpSession;
// Invalidate the HTTP session (where the context is persisted between requests)
// so the next request arrives unauthenticated; getSession(false) avoids creating one.
HttpSession session = request.getSession(false);
if (session != null) {
  session.invalidate();
}

+2




If you are using session-based authentication, you can use something like this:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .rememberMe()
                .and()
                .authorizeRequests()
                    .anyRequest().permitAll()
                .and()
                .formLogin()
                    // the "login page" is the logout URL, so an unauthenticated
                    // request is first logged out and then sent to the real login page
                    .loginPage("/logout")
                    .loginProcessingUrl("/j_spring_security_check")
                    .defaultSuccessUrl("/my-profile")
                    .usernameParameter("username")
                    .passwordParameter("password")
                    .failureUrl("/login?error")
                .and()
                .logout()
                    .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
                    .logoutSuccessUrl("/login?logout").deleteCookies("JSESSIONID")
                    .invalidateHttpSession(true);
    }
}



Spring Security automatically redirects to the login page if the user is not authenticated for the request. So .loginPage("/logout") redirects to logout, and after logout the user is redirected to the login page by .logoutSuccessUrl("/login?logout").

+1


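Both answers drop the authentication unconditionally. An added example (not code from either answer) that ties the two ideas together: a filter that, for a configured set of sensitive URLs, checks how long ago the user last logged in interactively, and if that is too long ago (or there is no record of an interactive login at all, as with a remember-me cookie) saves the requested URL, clears the security context and sends the user to the login page; after a successful login the saved-request success handler returns them to the page they wanted. It assumes Spring Security 5.x on javax.servlet. The names ReauthenticationFilter, StampingSuccessHandler and ReauthSecurityConfig, the session attribute LAST_INTERACTIVE_LOGIN, the /account/** path and the five-minute limit are this example's own choices, not anything from the page.

```java
import java.io.IOException;
import java.time.Duration;
import java.time.Instant;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextPersistenceFilter;
import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.web.filter.OncePerRequestFilter;

// Hypothetical handler: stamps the session with the time of the interactive login,
// then lets the saved-request handler send the user back to the page they asked for.
class StampingSuccessHandler extends SavedRequestAwareAuthenticationSuccessHandler {
    static final String AUTH_TIME_ATTR = "LAST_INTERACTIVE_LOGIN"; // attribute name chosen for this example

    @Override
    public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response,
                                        Authentication authentication) throws ServletException, IOException {
        request.getSession().setAttribute(AUTH_TIME_ATTR, Instant.now());
        super.onAuthenticationSuccess(request, response, authentication);
    }
}

// Hypothetical filter: forces a fresh login on sensitive URLs when the last interactive login is too old.
class ReauthenticationFilter extends OncePerRequestFilter {
    private final RequestMatcher sensitive;
    private final Duration maxAge;
    private final HttpSessionRequestCache requestCache = new HttpSessionRequestCache();

    ReauthenticationFilter(RequestMatcher sensitive, Duration maxAge) {
        this.sensitive = sensitive;
        this.maxAge = maxAge;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws ServletException, IOException {
        if (sensitive.matches(request) && isStale(request)) {
            // Save the target URL first; invalidating the whole session would discard it as well.
            requestCache.saveRequest(request, response);
            HttpSession session = request.getSession(false);
            if (session != null) {
                // Remove the persisted context and the stamp so the next request is anonymous.
                session.removeAttribute(HttpSessionSecurityContextRepository.SPRING_SECURITY_CONTEXT_KEY);
                session.removeAttribute(StampingSuccessHandler.AUTH_TIME_ATTR);
            }
            SecurityContextHolder.clearContext();
            response.sendRedirect(request.getContextPath() + "/login?reauth");
            return;
        }
        chain.doFilter(request, response);
    }

    private boolean isStale(HttpServletRequest request) {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated() || auth instanceof AnonymousAuthenticationToken) {
            return false; // not logged in at all: the normal authentication entry point handles that
        }
        HttpSession session = request.getSession(false);
        Object stamp = session == null ? null : session.getAttribute(StampingSuccessHandler.AUTH_TIME_ATTR);
        if (!(stamp instanceof Instant)) {
            return true; // no interactive login on record (e.g. remember-me cookie): require one
        }
        return Instant.now().isAfter(((Instant) stamp).plus(maxAge));
    }
}

@Configuration
@EnableWebSecurity
public class ReauthSecurityConfig extends WebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Path pattern and maximum age are example values.
        ReauthenticationFilter reauth = new ReauthenticationFilter(
                new AntPathRequestMatcher("/account/**"), Duration.ofMinutes(5));
        http
            .addFilterAfter(reauth, SecurityContextPersistenceFilter.class) // context is loaded by then
            .authorizeRequests()
                .anyRequest().authenticated()
            .and()
            .formLogin()
                .loginPage("/login")
                .successHandler(new StampingSuccessHandler())
                .permitAll()
            .and()
            .logout()
                .logoutSuccessUrl("/login?logout");
    }
}
```

The filter is placed after SecurityContextPersistenceFilter so the authentication has already been loaded from the session when it runs, and it deliberately removes only the security context and the stamp rather than invalidating the session, so the saved request survives and the user lands back on the sensitive page once they have re-entered their password. Treating a missing stamp as stale is what makes a remember-me login insufficient for the protected paths.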