Victor Polischuk (Migrated from SEC-1894) said:
There is no simple way to set up a custom strategy on session invalidation. While SessionManagementFilter has a setter for InvalidSessionStrategy, it cannot be used in XML configuration.
It would be great if org.springframework.security.config.http.HttpConfigurationBuilder recognized "invalid-session-strategy-ref" option, like "session-authentication-strategy-ref" which is already implemented.
Related gh-2000
Comment From: djechelon
Upvoted because I am currently blocked. With Security 4.1.3 I can't send AJAX-aware errors to POST requests without reconfiguring the invalid session strategy.
I have investigated and the CsrfFilter is injected with a DelegatingAccessDeniedHandler that is pre-populated with a map of access denied handlers.
Currently the map contains only a mapping between MissingCsrfTokenException.class and an invalidSessionDeniedHandler that ultimately is a redirect.
The result is that in my setup (CSRF enabled and custom authentication failure handler) I cannot send a proper AJAX response to invalid CSRF, which occurs when a session expires.
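For readers hitting the same wall, the following is an added example (not code from the original issue or from the Spring Security project) showing the workaround available through Java config rather than the requested XML attribute: a custom InvalidSessionStrategy that answers XHR calls with a 401 and a JSON body instead of a redirect, wired both into session management and into the CsrfFilter's MissingCsrfTokenException mapping that the comment above describes. The "/login?expired" URL, the X-Requested-With check and the class names are assumptions for illustration.

```java
import java.io.IOException;
import java.util.LinkedHashMap;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.security.web.access.AccessDeniedHandlerImpl;
import org.springframework.security.web.access.DelegatingAccessDeniedHandler;
import org.springframework.security.web.csrf.MissingCsrfTokenException;
import org.springframework.security.web.session.InvalidSessionAccessDeniedHandler;
import org.springframework.security.web.session.InvalidSessionStrategy;
import org.springframework.security.web.session.SimpleRedirectInvalidSessionStrategy;

@Configuration
@EnableWebSecurity
public class AjaxAwareSessionConfig extends WebSecurityConfigurerAdapter {

    /** Answers XHR callers with 401 + JSON; ordinary browser navigation still gets the redirect. */
    static class AjaxAwareInvalidSessionStrategy implements InvalidSessionStrategy {
        // Assumed login URL; the plain redirect behaviour is delegated to the stock strategy.
        private final InvalidSessionStrategy redirect = new SimpleRedirectInvalidSessionStrategy("/login?expired");

        @Override
        public void onInvalidSessionDetected(HttpServletRequest request, HttpServletResponse response)
                throws IOException, ServletException {
            // Assumed convention: AJAX clients send X-Requested-With: XMLHttpRequest.
            if ("XMLHttpRequest".equals(request.getHeader("X-Requested-With"))) {
                response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
                response.setContentType("application/json");
                response.getWriter().write("{\"error\":\"session_expired\"}");
                return;
            }
            redirect.onInvalidSessionDetected(request, response);
        }
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        InvalidSessionStrategy strategy = new AjaxAwareInvalidSessionStrategy();
        // Rebuild the MissingCsrfTokenException -> invalid-session mapping, pointed at the AJAX-aware strategy;
        // every other AccessDeniedException keeps the default 403 handler.
        LinkedHashMap<Class<? extends AccessDeniedException>, AccessDeniedHandler> handlers = new LinkedHashMap<>();
        handlers.put(MissingCsrfTokenException.class, new InvalidSessionAccessDeniedHandler(strategy));
        http.sessionManagement().invalidSessionStrategy(strategy)
            .and().csrf().accessDeniedHandler(new DelegatingAccessDeniedHandler(handlers, new AccessDeniedHandlerImpl()));
    }
}
```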