I was going through the Spring Security 6.0.3 documentation. As per the RequestCache behavior, it should redirect me to the URL that was saved before I got authenticated. But when I set the concurrent session invalidSessionUrl to "/", it is redirecting me to the "/" address.
What I was expecting: this condition should only be invoked if the session has expired or a concurrent session is encountered. But if I am logging in and going to a secured endpoint that is saved in the RequestCache, it should go directly to that URL, as per the default behavior.
I think that a new login attempt which abides by the session management policies I have set should let me continue to the URL saved in the RequestCache. Any thoughts? Or please correct me if my understanding is wrong.
```java
// The fragment as posted, wrapped in the SecurityFilterChain bean it belongs to so that it compiles.
@Bean
SecurityFilterChain securityFilterChain(HttpSecurity httpSecurity) throws Exception {
    return httpSecurity
        .authorizeHttpRequests(request -> request
            .requestMatchers("/css/**").permitAll()
            .requestMatchers("/api/**").authenticated()
            .anyRequest().hasRole("USER"))
        .requiresChannel(channelRequestMatcherRegistry -> channelRequestMatcherRegistry
            .requestMatchers("/secure/**").requiresSecure())
        // lambda form of formLogin(); the .and() chaining style is deprecated in later 6.x releases
        .formLogin(Customizer.withDefaults())
        .sessionManagement(httpSecuritySessionManagementConfigurer -> httpSecuritySessionManagementConfigurer
            // target for requests that present a session id that is no longer valid
            .invalidSessionUrl("/")
            .sessionConcurrency(concurrencyControlConfigurer -> concurrencyControlConfigurer
                .maximumSessions(1)
                .maxSessionsPreventsLogin(true)))
        .build();
}
```
Comment From: jzheaux
Thanks, @nabeeltariqbhatti, sorry you are having trouble. To configure Concurrency Control, you need to also publish an HttpSessionEventPublisher.
Does that suffice for what you'd like to see in the guide?
Comment From: nabeeltariqbhatti
Hi @jzheaux, I am publishing it, as you can see below. Pardon for not adding it with the question. My point is a bit different.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
import org.springframework.security.web.session.HttpSessionEventPublisher;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    SecurityFilterChain httpSecurity(HttpSecurity httpSecurity) throws Exception {
        HttpSessionRequestCache httpSessionRequestCache = new HttpSessionRequestCache();
        httpSessionRequestCache.setMatchingRequestParameterName("continue");
        return httpSecurity
            .authorizeHttpRequests(request -> request
                .requestMatchers("/css/**").permitAll()
                .requestMatchers("/api/**").authenticated()
                .anyRequest().hasRole("USER"))
            .requiresChannel(channelRequestMatcherRegistry -> channelRequestMatcherRegistry
                .requestMatchers("/secure/**").requiresSecure())
            // The cache was created but never registered in the snippet as posted; without this
            // line Spring Security keeps using its own default HttpSessionRequestCache.
            .requestCache(requestCache -> requestCache.requestCache(httpSessionRequestCache))
            // lambda form of formLogin(); the .and() chaining style is deprecated in later 6.x releases
            .formLogin(Customizer.withDefaults())
            .sessionManagement(httpSecuritySessionManagementConfigurer -> httpSecuritySessionManagementConfigurer
                .invalidSessionUrl("/")
                .sessionConcurrency(concurrencyControlConfigurer -> concurrencyControlConfigurer
                    .maximumSessions(1)
                    .maxSessionsPreventsLogin(true)))
            .build();
    }

    // Concurrency control needs session lifecycle events to expire entries in the SessionRegistry.
    @Bean
    HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }
}
```
My question is: if we hit the secured endpoint "/api/demo" before authentication, it gets saved in the RequestCache and the user will be redirected there once they get authenticated.
But when we set the invalidSessionUrl property using sessionManagement, then upon a new login the RequestCache does not behave as expected: it goes to the invalidSessionUrl. However, I think it should go to "/api/demo" even if the invalidSessionUrl property is set, because a new login is not an expired session.
Comment From: jzheaux
It's possible, like you said, that we are talking about two different things. Please see this sample that I've created and try the following:
- Checkout the gh-13117 branch
- Run ./gradlew :servlet:spring-boot:java:hello-security:bootRun
- Navigate to http://localhost:8080/index
- Login with user/password
- See that it redirects to /index
- Logout
You can see that I've set the concurrency filter as you described, but that I cannot reproduce the error as I've understood it so far. If you can either use this sample or produce a minimal GitHub sample of your own to illustrate the issue, I think we'll get a bit further.
Comment From: nabeeltariqbhatti
Hi @jzheaux,
Thanks for understanding. I have created a sample project here.
Please run it and hit the URL /demo. Now, as per my understanding, a new login should not be treated as an invalid session, and it should redirect me to the /demo URL after getting successfully authenticated, right? But even on a fresh login it is redirecting me towards the invalidSessionUrl, which is /invalid. Should it not let the user continue normally even if concurrent session management is being done in the application? This invalidSessionUrl should only be visited in case the user was logged in and is now trying to access the application but the session has expired, or maybe in other cases as well.
Comment From: jzheaux
Thanks for the sample. Unfortunately, I still am not able to reproduce the behavior. Here are the steps that I followed with your sample:
- Run SsGh13117Application#main
- Navigate to http://localhost:8080/demo
- Login with bill/password
- Saw that it redirected to /demo
Are you following different steps to get the behavior you are describing? If they are the same as the ones I just posted, perhaps there is a browser caching issue of some sort that would be alleviated with an Incognito window.
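The reproduction steps above, written as an automated check that pins down the behaviour under discussion. This is an added example, not code from the issue, from the linked sample or from the Spring Security project. It assumes a Spring Boot 3 / Spring Security 6 application with spring-security-test on the test classpath; the nested security configuration mirrors the one posted in this issue (including the HttpSessionEventPublisher that concurrency control needs, as noted earlier in the thread), the user bill/password and the /demo and /invalid paths are taken from the reproduction steps, and the package, class and method names are made up for the example. It shows the distinction the thread turns on: invalidSessionUrl only fires for a request that carries a session id the container no longer recognises; a brand-new visitor has no session id, so the saved request wins; and the concurrency limit then refuses a second login for the same user.

```java
package com.example.gh13117; // hypothetical package name

import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.post;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrl;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.redirectedUrlPattern;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.mock.web.MockHttpSession;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.session.HttpSessionEventPublisher;
import org.springframework.test.web.servlet.MockMvc;

@SpringBootTest
@AutoConfigureMockMvc
class InvalidSessionVsRequestCacheTest {

    // Nested configuration replaces the application's own; it mirrors the issue's setup
    // (invalidSessionUrl plus concurrency control) and enables Boot auto-configuration so
    // MockMvc, Spring MVC and the security filter are wired as in a running Boot app.
    @Configuration
    @EnableWebSecurity
    @EnableAutoConfiguration
    static class SecurityConfig {

        @Bean
        SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
            return http
                .authorizeHttpRequests(auth -> auth
                    .requestMatchers("/invalid").permitAll()
                    .anyRequest().hasRole("USER"))
                .formLogin(Customizer.withDefaults())
                .sessionManagement(session -> session
                    .invalidSessionUrl("/invalid")
                    .sessionConcurrency(concurrency -> concurrency
                        .maximumSessions(1)
                        .maxSessionsPreventsLogin(true)))
                .build();
        }

        @Bean // required for concurrency control to learn about destroyed sessions
        HttpSessionEventPublisher httpSessionEventPublisher() { return new HttpSessionEventPublisher(); }

        @Bean // "{noop}" selects the plain-text encoder of the default DelegatingPasswordEncoder
        UserDetailsService users() {
            return new InMemoryUserDetailsManager(
                User.withUsername("bill").password("{noop}password").roles("USER").build());
        }
    }

    @Autowired MockMvc mvc;

    @Test
    void invalidSessionUrlIsOnlyForStaleSessionIds() throws Exception {
        // 1. A request presenting a session id the container no longer recognises is what
        //    SessionManagementFilter treats as an invalid session: it is sent to /invalid.
        mvc.perform(get("/demo").with(request -> {
                request.setRequestedSessionId("stale-session-id"); // constructed stale id
                request.setRequestedSessionIdValid(false);
                return request;
            }))
            .andExpect(redirectedUrl("/invalid"));

        // 2. A brand-new visitor carries no session id, so that filter stays silent; the
        //    request is saved in the RequestCache and the entry point redirects to login.
        MockHttpSession session = (MockHttpSession) mvc.perform(get("/demo"))
            .andExpect(redirectedUrl("http://localhost/login"))
            .andReturn().getRequest().getSession(false);

        //    Logging in with that same session replays the saved request (/demo, with the
        //    "continue" marker parameter Spring Security 6 appends), not /invalid.
        mvc.perform(post("/login").session(session).with(csrf())
                .param("username", "bill").param("password", "password"))
            .andExpect(redirectedUrlPattern("**/demo*"));

        // 3. bill now holds the single permitted session, so a second login from a fresh
        //    session (another browser) is refused by maxSessionsPreventsLogin(true).
        mvc.perform(post("/login").with(csrf())
                .param("username", "bill").param("password", "password"))
            .andExpect(redirectedUrl("/login?error"));
    }
}
```

Run it with the project's usual test task (for the Gradle sample above, ./gradlew test). If step 2 ever lands on /invalid, the request that reached the server carried a stale JSESSIONID cookie, which is exactly what a leftover cookie from an earlier run in the same browser produces; an Incognito window starts with no such cookie.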
Comment From: nabeeltariqbhatti
Thanks, I think you're right. Please close it.
On Tue, 9 May 2023, 4:56 am Josh Cummings, @.***> wrote:

> Thanks for the sample. Unfortunately, I still am not able to reproduce the behavior. Here are the steps that I followed with your sample:
> - Run SsGh13117Application#main
> - Navigate to http://localhost:8080/demo
> - Login with bill/password
> - Saw that it redirected to /demo
> Are you following different steps to get the behavior you are describing? If they are the same as the ones I just posted, perhaps there is a browser caching issue of some sort that would be alleviated with an Incognito window.