stackoom
  简体   繁体   中英

Redirecting to login page after login caused by attempt to logout when session is expired

 原文  2012-05-03 12:14:22       java/ spring/ redirect/ spring-security

Question

I am sorry if the title is not clear enough. Here are the details.

Background

I am working on Spring based application that uses Spring 3.1.1 and Spring security 3.1.0. Here is the relevant fragment of our descriptor: 

<security:http auto-config='true'>      
    <security:intercept-url pattern="/login.jsp*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <security:intercept-url pattern="/login*" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <security:intercept-url pattern="/**" access="ROLE_USER" />     
    <security:form-login login-page='/login' authentication-failure-url="/login?authfailed=true"/>              
</security:http>

The "sign-out" link on the web page refers to URL like ROOT-URL/j_spring_security_logout . So, clicking on this URL brings us to login page ( login.jsp ) and can login again successfully.

Problem

If user logs-in into the application, waits until session is expired and then tries to sign-out he arrives to login page. This is fine. Then he types correct credentials and clicks login button. Now he is redirected to the same login page where username and password fields are empty instead of enter to the application. The second attempt to log-in succeeds.

Important: this happens only if the user was logged-in before, the session was expired and he tried to log-out. It does not happens for example if user clicks any other link after session expiration. In this case he is redirected to login page and can successfully login from the first attempt.

Analysis

My investigation showed the following. We arrive to the login page twice due to HTTP redirect caused by SavedRequestAwareAuthenticationSuccessHandler.onAuthenticationSuccess() and happens because requestCache contains request to login page. requestCache is variable of type HttpSessionRequestCache that stores "cached" request in session attribute "SPRING_SECURITY_SAVED_REQUEST" .

In normal situation this cache is used for redirecting to page requested by not-authenticated user after his authentication.

But here is what happens in our case. The user logs-in. Then his session is expired. Then he clicks link to log-out. Since session is expired user is redirected to 'j_spring_security_logout' that redirects him to login page.

Somewhere on this way the login URL is cached as "requested", so when user logs in he is redirected to requested URL, ie to login page. When redirect happens the cached URL is removed, so infinite loop does not happen; second attempt to log-in succeeds.

Here are the relevant code reference:

ExceptionTranslationFilter.handleSpringSecurityException() calls sendStartAuthentication() (line 168)

that does the following (lines 183-184): 

    SecurityContextHolder.getContext().setAuthentication(null);
    requestCache.saveRequest(request, response);

But the requested URL at this point is login page. So, the login page is cached.

It looks like the saveRequest() just should not be called at this point, eg this smells as a bug in Spring framework...

I have solution to this problem and I will post it here. But my solution looks as a patch for me, so I hope somebody know the "right" solution.

Thanks in advance.

3 answers

solution1
 1  2012-05-03 13:25:01

<intercept-url pattern="/login.jsp*" access="permitAll" />
<intercept-url pattern="/login*" access="permitAll" />

No reason to put any constraints on the login-page itself.

solution2
 1  2012-05-03 13:41:27

Try This, it works for me : 

<security:form-login 
        login-page="/login.jsp" 
        default-target-url="/home.jsp"
        always-use-default-target="true" 
        authentication-failure-url="/login?authfailed=true"/>

solution3
 0  2016-10-26 02:31:26

Replace: 

.defaultSuccessUrl("/paginas/geral/index.jsf")

by: 

.defaultSuccessUrl("/paginas/geral/index.jsf", true)

http.authorizeRequests() .anyRequest().authenticated() .and() .formLogin() .loginPage("/login.jsf") .permitAll() .usernameParameter("login") .passwordParameter("senha") .defaultSuccessUrl("/paginas/geral/index.jsf", true) .failureUrl("/login.jsf?invalid=true");

it works for me. (spring-security-web: 4.1.3.RELEASE)

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Logout redirects user to login page again after user tries login again when session timeouts How to redirect to Login page when Session is expired in Java web application? Redirecting to login when session timeout in JSF/Spring or automatic logout when session deactivate(or idel for a given time) Null pointer exception while redirecting to the login page when the session expires? In Wicket 9, when the user's session expires in certain pages, they are redirected to the login page not the Session Expired page Spring + CAS Redirect to login page after logout How to redirect on login page after logout Spring MVC redirect user to login page once session is expired How to keep flash when redirecting to the login page Kill session and redirect to login page on click of logout button
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM