Spring Security SEC-2130: Add invalid-session-strategy-ref to security:http/security:session-management

Michael Osipov (Migrated from SEC-2130) said:

Right now I can pass invalid-session-url but SimpleRedirectInvalidSessionStrategy does not suit my needs. I have to redeclare the entire SessionManagementFilter. I would like to avoid that by having an invalid-session-strategy-ref attribute.

In the case when both attributes are set, I would raise an exception.

Comment From: priyankanandagopal

Hi..Is there any update on this please.

Comment From: rwinch

You can use <session-management session-authentication-strategy-ref="beanName">. See https://docs.spring.io/spring-security/site/docs/current/reference/htmlsingle/#nsa-session-management-attributes

Comment From: priyankanandagopal

@rwinch The solution provided is for custom invalid session strategy? . I don't think so. Can you please explain your solution.

Comment From: rwinch

Sorry about that...My mistake. I have reopened the ticket.

Comment From: rwinch

Since gh-3808 Users can leverage session-management@invalid-session-strategy-ref since Spring Security 4.2