Spring session management in mvc, Spring security session vs http session

Question

After successful login i want to proceed with further request processing with new url. But the url is invoking exposed service in spring mvc where security configuration doesn't check the session authentication for coming url.Please take a look below code.

<http auto-config="true" use-expressions="true">
    <!-- <intercept-url pattern="/**" access="isAuthenticated()" /> -->
    <intercept-url pattern="/home*" access="isAuthenticated()" />
    <intercept-url pattern="/admin*" access="isAuthenticated()" />
    <form-login login-page="/" default-target-url="/home"
        authentication-failure-url="/accessdenied" always-use-default-target="false"/>
    <logout logout-success-url="/" />
    <anonymous username="guest" granted-authority="ROLE_GUEST" />
    <session-management invalid-session-url="/" session-authentication-error-url="/login.jsp?error=alreadyLogin">
       <concurrency-control max-sessions="1"  expired-url="/login.jsp?error=sessionExpiredDuplicateLogin" error-if-maximum-exceeded="false"/>
    </session-management>
    <remember-me />
</http>

When jsp page submits login authentication J_security_check the target url invoked which subsequently calls interceptor pattern /home* and authenticates the login credentials.

if i'm calling the exposed service before login "/address/userid/" it directly invokes the service method how to make it session bound, if session exist get the data otherwise not.

how different spring security session from http session,how to maintain spring security session like http session in spring mvc.

if i'm adding <intercept-url pattern="/**" access="isAuthenticated()" /> it doesn't work, it doesn't show login jsp as well.Where i am doing wrong please clarify.

How to distinguish userid/pwd in authentication manager as per given below, as single ? takes first parameter.

<authentication-manager>
    <authentication-provider>
        <!-- <user-service> <user name="admin" password="secret" authorities="ROLE_ADMIN,ROLE_USER"/> 
            </user-service> -->
        <jdbc-user-service data-source-ref="dataSource" 
            users-by-username-query="SELECT USER_NAME,USER_PWD, 'true' as enabled from LOGIN_USER where USER_NAME=?"
            authorities-by-username-query="select LOGIN_USER.USER_NAME , LOGIN_USER.ROLE_ID as authorities from LOGIN_USER
            where LOGIN_USER.USER_NAME =?" />
    </authentication-provider>
</authentication-manager>

I have come across few sites it describes only login spring security session management.i couldn't get clarity.Thanks in advance.

Answer 1

我实现了使用拦截器处理程序来检查URI和会话属性，该方法工作正常，但正在spring框架中寻找更好的选项。