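/**
 * Configures HTTP security for the web tier: session handling, HTTP Basic, form login,
 * URL authorization, logout and access-denied handling.
 *
 * <p>Security-relevant choices a maintainer should be aware of before editing this chain:
 * <ul>
 *   <li>CSRF protection is switched off for every endpoint (last call in the chain). With
 *       cookie-backed sessions this leaves state-changing requests without a CSRF token
 *       check unless something outside this class provides one.</li>
 *   <li>{@code /resources/**}, {@code /papi/**}, {@code /app*}, {@code /app/**} and
 *       {@code /accessDenied*} are reachable without authentication; {@code /api/**}
 *       requires {@code ROLE_USER} or {@code ROLE_ADMIN}; everything else requires an
 *       authenticated user.</li>
 *   <li>An invalid session is answered with HTTP 403 instead of a redirect.</li>
 *   <li>A user may hold at most two concurrent sessions (no explicit
 *       {@code maxSessionsPreventsLogin}, so the framework default applies).</li>
 * </ul>
 *
 * @param http the Spring Security builder to configure
 * @throws Exception propagated from the builder API
 */
@Override
protected void configure(final HttpSecurity http) throws Exception {
  // Sessions are created only when required and capped at two per principal.
  http.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.IF_REQUIRED);
  http.sessionManagement().maximumSessions(2);

  // Invalid-session handling: log and reply 403 rather than redirecting.
  http.sessionManagement()
      .invalidSessionStrategy(
          (request, response) -> {
            LOGGER.debug(() -> "Invalid session seen");
            response.setStatus(HttpServletResponse.SC_FORBIDDEN);
          });

  http.httpBasic()
      .and()
      .exceptionHandling()
      .authenticationEntryPoint(authenticationEntryPoint)
      .and()
      .authorizeRequests()
      // Unauthenticated paths: static resources, the public API and the app shell.
      .antMatchers("/resources/**").permitAll()
      .antMatchers("/papi/**").permitAll()
      .antMatchers("/app*").permitAll()
      .antMatchers("/app/**").permitAll()
      .antMatchers("/accessDenied*").permitAll()
      // Role-restricted API; the expression is evaluated by the SpEL security root.
      .antMatchers("/api/**").access("hasAnyRole('ROLE_USER','ROLE_ADMIN')")
      .anyRequest().authenticated()
      .and()
      .formLogin()
      .loginPage("/login")
      .loginProcessingUrl("/login")
      // alwaysUse=true: a successful login always lands on /home, ignoring saved requests.
      .defaultSuccessUrl("/home", true)
      .failureUrl("/accessDenied")
      .and()
      // Configured once; the original registered the same page a second time after logout().
      .exceptionHandling().accessDeniedPage("/accessDenied")
      .and()
      .logout()
      .logoutSuccessHandler(logoutSuccessHandler)
      .clearAuthentication(true)
      .deleteCookies("JSESSIONID")
      .invalidateHttpSession(true)
      .and()
      // NOTE(review): CSRF protection is disabled globally. Keep this only if every
      // state-changing endpoint is protected by another mechanism; otherwise scope the
      // exemption to the paths that need it instead of disabling it outright.
      .csrf().disable();
}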
/**
 * Exposes an AJAX-aware {@link InvalidSessionStrategy} bean whose target URL is
 * {@code MolgenisLoginController.URI} with {@code PARAM_SESSION_EXPIRED} appended as a
 * query-string marker.
 *
 * <p>NOTE(review): {@code configure(HttpSecurity)} in this file registers its own inline
 * invalid-session strategy (HTTP 403), so this bean does not appear to be the one that
 * configuration uses; confirm which of the two is intended to be active.
 *
 * @return the invalid-session strategy bean
 */
@Bean
public InvalidSessionStrategy invalidSessionStrategy() {
  final String sessionExpiredUrl =
      MolgenisLoginController.URI + "?" + MolgenisLoginController.PARAM_SESSION_EXPIRED;
  return new AjaxAwareInvalidSessionStrategy(sessionExpiredUrl);
}