
Spring security - expireNow() on session does not do anything

We are using a "ConcurrentSessionControlAuthenticationStrategy", with the following configuration:

    <bean
        class="org.springframework.security.web.authentication.session.ConcurrentSessionControlAuthenticationStrategy">
        <constructor-arg ref="clusteredSessionRegistryImpl" />
        <property name="maximumSessions" value="1" />
        <property name="exceptionIfMaximumExceeded" value="false" />
    </bean>

When a user logs in, and then logs in for the second time from a different browser - we can see the following code being invoked (as expected):

    protected void allowableSessionsExceeded(List<SessionInformation> sessions, int allowableSessions,
            SessionRegistry registry) throws SessionAuthenticationException {
        ...
        leastRecentlyUsed.expireNow();
    }

The "leastRecentlyUsed" is the actual older session (as expected). Now, all is well except for the fact that this expiration does not eventually kill the older session: the other browser session that should be expired can still use the application concurrently with the newer session in the other browser. It seems like the actual destruction of the session does not take place.

1) Who/what is responsible for destroying the session?

2) How can we fix this issue?

I had a similar problem and it turned out to be the browser cache. See this question here

In my case, I cleared the cache and noticed that the browser that was supposed to be logged out eventually was unable to access the content of my web App.

Update

Eventually found out that we use two configurations in our backend for the security context.

I had to make the Session Registry static and call the same instance in both configurations.

    private static final SessionRegistry SESSION_REGISTRY = new SessionRegistryImpl();

Then set up a bean:

    @Bean
    public static SessionRegistry sessionRegistry() {
        return SESSION_REGISTRY;
    }

And finally use the same instance in both configurations:

    httpSecurity
        ... // your configuration
        .sessionManagement()
            .maximumSessions(5)
            .maxSessionsPreventsLogin(true)
            .sessionRegistry(sessionRegistry()).and()

Hope this helps someone else :)
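The answer's fix written out as a full Java configuration, as an added example that is not code from the question or the answer: one `SessionRegistry` bean is shared by every `HttpSecurity` chain, `HttpSessionEventPublisher` keeps the registry in sync with container session destruction, and the actual invalidation of a session that `expireNow()` has flagged is done by Spring Security's `ConcurrentSessionFilter` (registered by `maximumSessions()`) on that session's next request. It assumes Spring Security 6 (`SecurityFilterChain` beans, lambda DSL); the class name, the `/api/**` scope and the `/login?expired` URL are assumptions.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.session.HttpSessionEventPublisher;

@Configuration
@EnableWebSecurity
public class SharedSessionRegistryConfig {

    // One registry for the whole app. A second HttpSecurity with its own
    // SessionRegistryImpl never sees the expireNow() flag set in the first.
    @Bean
    public SessionRegistry sessionRegistry() {
        return new SessionRegistryImpl();
    }

    // Tells the registry when the container destroys a session; without it stale entries keep counting.
    @Bean
    public HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }

    // Two chains (hypothetical scopes) standing in for the answer's two configurations; both get the same bean.
    @Bean @Order(1)
    public SecurityFilterChain apiChain(HttpSecurity http, SessionRegistry registry) throws Exception {
        http.securityMatcher("/api/**").httpBasic(Customizer.withDefaults());
        return withConcurrencyControl(http, registry).build();
    }

    @Bean @Order(2)
    public SecurityFilterChain webChain(HttpSecurity http, SessionRegistry registry) throws Exception {
        http.formLogin(Customizer.withDefaults());
        return withConcurrencyControl(http, registry).build();
    }

    private static HttpSecurity withConcurrencyControl(HttpSecurity http, SessionRegistry registry) throws Exception {
        return http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .sessionManagement(sm -> sm
                .maximumSessions(1)              // same limit as the question's XML
                .maxSessionsPreventsLogin(false) // expire the oldest session rather than block the new login
                .sessionRegistry(registry)       // the shared instance
                .expiredUrl("/login?expired"));  // ConcurrentSessionFilter sends the expired session here
    }
}
```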
