expiredSessionStrategy does not get invoked when spring session expires
seaswaraiyer opened this issue · comments
Describe the bug
When a user's session expires and they click on a link (to an HTML page) or click a button that issues an Ajax API request, I'm expecting expiredSessionStrategy to get invoked since I have it configured under sessionManagement.
To Reproduce
```java
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
    http
        .csrf(..)
        .authorizeHttpRequests(..)
        .oauth2Login(oauth2 -> {
            oauth2
                .userInfoEndpoint(userInfo -> userInfo
                    .oidcUserService(this.oidcUserService())
                )
                .loginPage("/login.html")
                .failureUrl("/loginFailure")
                .successHandler(customOauth2SuccessHandler);
        })
        .logout(...)
        .sessionManagement((sessions) -> sessions
            .maximumSessions(1)
            .sessionRegistry(this.sessionRegistry())
            .expiredSessionStrategy(event -> {
                String URI = event.getRequest().getRequestURI();
                System.out.println("URI=" + URI);
                if (URI.endsWith(".html")) {
                    event.getResponse().sendRedirect("/login.html?msgCode=4");
                } else {
                    event.getResponse().setContentType("application/json");
                    event.getResponse().sendError(440, "Session has expired. Please login again !");
                }
            })
            //.expiredUrl("/login.html?msgCode=4")
        );
    return http.build();
}
```
Expected behavior
When a user's session expires and they click on a link (to an HTML page) or click a button that issues an Ajax API request, I'm expecting expiredSessionStrategy to get invoked since I have it configured under sessionManagement.
expiredUrl redirects to a URL and that does not work for Ajax API requests. Hence I'm trying to use expiredSessionStrategy.
Sample
A link to a GitHub repository with a minimal, reproducible sample
Note: I posted the question on Stack Overflow (link shared above), but nobody from the Spring Session team responded. I turned debug on for all the Spring Session packages, but I didn't see anything in the logs related to expiredSessionStrategy. I looked at the Spring Session documentation and I don't see much verbiage on expiredSessionStrategy there either.
If this is not a bug, then please let me know the reason why expiredSessionStrategy is not getting invoked. Please also let me know how to send a custom response to an Ajax API request upon session expiry since I cannot use expiredUrl.
Reports that include a sample will take priority over reports that do not.
At times, we may require a sample, so it is good to try and include a sample up front.
Hi, @seaswaraiyer. The code that you shared is from Spring Security; you should search and/or create an issue on its issue tracker.
> I turned debug on for all the spring session packages,

Try turning on TRACE for Spring Security packages.
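
An added example, not code from this thread or from the Spring projects: Spring Security's `ConcurrentSessionFilter` calls the configured `SessionInformationExpiredStrategy` only when the `SessionRegistry` entry for the request's session has been marked expired, and a session that has simply timed out leaves no live `HttpSession` for the filter to look up. The harness below drives the filter directly with the same branching as the strategy in the report. It assumes Spring Security 6 with `spring-test` on the classpath; the class name, URIs and principal are constructed.

```java
import org.springframework.mock.web.MockFilterChain;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.mock.web.MockHttpSession;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.session.ConcurrentSessionFilter;
import org.springframework.security.web.session.SessionInformationExpiredStrategy;

// Hypothetical harness class; not part of the reporter's application.
public class ExpiredStrategyCheck {

    // Same branching as the strategy in the report: redirect pages, 440 for everything else.
    static final SessionInformationExpiredStrategy STRATEGY = event -> {
        if (event.getRequest().getRequestURI().endsWith(".html")) {
            event.getResponse().sendRedirect("/login.html?msgCode=4");
        } else {
            event.getResponse().setContentType("application/json");
            event.getResponse().sendError(440, "Session has expired. Please login again !");
        }
    };

    // Sends one request for the given URI through ConcurrentSessionFilter.
    static MockHttpServletResponse request(String uri, boolean markExpired) throws Exception {
        SessionRegistry registry = new SessionRegistryImpl();
        MockHttpSession session = new MockHttpSession();
        registry.registerNewSession(session.getId(), "constructed-user");
        if (markExpired) {
            // This is what concurrent session control does to the older session
            // when the same principal logs in again under maximumSessions(1).
            registry.getSessionInformation(session.getId()).expireNow();
        }
        MockHttpServletRequest req = new MockHttpServletRequest("GET", uri);
        req.setSession(session);
        MockHttpServletResponse res = new MockHttpServletResponse();
        new ConcurrentSessionFilter(registry, STRATEGY).doFilter(req, res, new MockFilterChain());
        return res;
    }

    public static void main(String[] args) throws Exception {
        // Entry marked expired: the strategy answers the Ajax-style request with 440.
        System.out.println("api, expired:  status=" + request("/api/items", true).getStatus());
        // Entry marked expired: the strategy redirects the page request.
        System.out.println("html, expired: redirect=" + request("/home.html", true).getRedirectedUrl());
        // Entry not marked expired: the filter passes the request on and the strategy never runs.
        System.out.println("api, live:     status=" + request("/api/items", false).getStatus());
    }
}
```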