Summary
Using Spring Boot 1.3.6.RELEASE which includes Spring Security 4.0.4.RELEASE. I am configuring maximum sessions using the following configuration,
http.sessionManagement().maximumSessions(1).expiredUrl("/?reason=duplicateLogin");
When another user logs out the user currently logged in, they are redirected to this page but all resources get redirected too, so for example, css/site.css is redirected. Therefore the page doesn't load properly, even refreshing the page causes the same issue.
Actual Behavior
Resources fail to load because everything constantly tries to redirect to '/?reason=duplicateLogin'
Expected Behavior
The page should redirect but resources and other static files should still be loaded correctly.
Configuration
The configuration is a class with SecurityConfiguration extends WebSecurityConfigurerAdapter and a method overriding protected void configure(HttpSecurity http) throws Exception and configuring the session management with http.sessionManagement().maximumSessions(1).expiredUrl("/?reason=duplicateLogin");
Version
1.3.6.RELEASE - Spring Boot
4.0.4.RELEASE - Spring Security
Sample
I don't have any example code to provide.
Comment From: eleftherias
Do the static resources require the user to be authenticated? If that is the case then the user will not be able to access them once their session expires. Try granting access to every user to access the static resources:
http
    .authorizeRequests((authz) -> authz
        .antMatchers("/css/site.css").permitAll()
        //...
    );
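The suggestion in the comment above, combined with the reporter's session settings and written in the chained style available in Spring Security 4.0.x. This is an added example, not code from the reporter or the Spring Security team; the asset paths `/css/**`, `/js/**`, `/images/**`, the public `/` page and the form login are assumptions.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

@Configuration
@EnableWebSecurity
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                // Assumed static asset locations: list only files that are
                // safe to serve to anonymous users.
                .antMatchers("/css/**", "/js/**", "/images/**").permitAll()
                // The expiredUrl target must be reachable without a session,
                // because the expired session is invalidated before the redirect.
                // Ant patterns match the path only, so "/" covers "/?reason=...".
                .antMatchers("/").permitAll()
                // Everything else still requires an authenticated user.
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .and()
            .sessionManagement()
                // One session per user; the displaced session is sent here.
                .maximumSessions(1)
                .expiredUrl("/?reason=duplicateLogin");
    }
}
```

The `permitAll()` matchers are declared before `anyRequest().authenticated()` because rules are evaluated in order; keep the public patterns as narrow as the application allows.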
Comment From: spring-projects-issues
If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.
Comment From: spring-projects-issues
Closing due to lack of requested feedback. If you would like us to look at this issue, please provide the requested information and we will re-open the issue.