Spring security - Some questions

I implemented Spring Security in the application. Login works correctly, and so does logout. The pages below can only be entered if you have logged in with the role ROLE_ADMINISTRADOR.

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

// Class wrapper, class name and field type are assumed; the post shows only configure(HttpSecurity)
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    @Autowired
    private AuthenticationSuccessHandler loginSucessHandler;

    // Registry handed to the concurrency control below
    @Bean
    public SessionRegistry sessionRegistry() {
        return new SessionRegistryImpl();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable();
        http.authorizeRequests()
                // Configuration for all system users
                .antMatchers("/error/**", "/resources/**", "/jsCss/**", "/webjars/**", "/recuperarSenha").permitAll()
                // Configuration for all users with the ROLE_ADMINISTRADOR permission
                .antMatchers("/codigo/**", "/subCodigo/**", "/tipoCredito/**", "/tipoCancelamento/**", "/usuario/**",
                        "/servico/**", "/notaFiscal/**", "/erroAlerta/**", "/credito/**", "/configuracao/**",
                        "/cnaeSubCodigo/**", "/cnae/**", "/erroAlerta/**", "/atualizacaoMonetariaItem/**",
                        "/atualizacaoMonetaria/**", "/dashboardAdmin/**", "/porcentagemReter/**")
                .access("hasRole('ROLE_ADMINISTRADOR')")
                // Login: available to all system users
                .and().formLogin().loginPage("/login").successHandler(loginSucessHandler).permitAll().and().rememberMe()
                // Logout
                .and().logout().logoutRequestMatcher(new AntPathRequestMatcher("/logout")).and().sessionManagement()
                .maximumSessions(1).maxSessionsPreventsLogin(true).expiredUrl("/login")
                .sessionRegistry(sessionRegistry());
    }
}

I have some questions.

1. This part, .and().sessionManagement().maximumSessions(1).maxSessionsPreventsLogin(true).expiredUrl("/login").sessionRegistry(sessionRegistry());, sets that only one user at a time is logged in, which is working. But the problem is that after logging out, I cannot log in with the same login; I then have to stop the server to be able to log in again.

2. I could not set up the session timeout. That is, if the user does not use the system for a while, it should automatically log them out.

3. I cannot get CSRF protection to work, even after removing this part of the code: http.csrf().disable();

About item 3, I am putting this in the HTML pages, but it gives an error:

    <meta name="_csrf" content="${_csrf.token}"/>
    <!-- default header name is X-CSRF-TOKEN -->
    <meta name="_csrf_header" content="${_csrf.headerName}"/>

1 answer

I understand that your problems are related to spring-security, but I believe the best approach, for you and for whoever answers, is to ask them separately, since your questions have no prerequisite/link/direct dependency on one another for clarification.

Answering your question 2:

You can configure it for all sessions by putting this in your web.xml:

    <session-config>
        <!-- inactivity timeout, in minutes -->
        <session-timeout>60</session-timeout>
    </session-config>

Or per session, using:

    session.setMaxInactiveInterval(60 * 60); // in seconds: one hour of inactivity
  • Thanks, but I don’t understand. About the second one, that is, about the time, I created this class, but it doesn’t work.

  • import javax.servlet.http.HttpSessionEvent;
    import javax.servlet.http.HttpSessionListener;

    public class NotaFiscalEletronicaAppHttpSessionListener implements HttpSessionListener {
        @Override
        public void sessionCreated(HttpSessionEvent event) {
            // 60 seconds of inactivity before the container invalidates the session
            event.getSession().setMaxInactiveInterval(60);
        }

        @Override
        public void sessionDestroyed(HttpSessionEvent event) {
            // Session destroyed
        }
    }

  • Did you try the first option?
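As an added example (not code from the original post or the answer): the per-session timeout from the answer wired up so that it actually runs, for a Spring Boot 2.x / Spring Security 5 application on javax.servlet (the framework versions, the class name SessionConfig and the 30-minute value are assumptions). It goes beyond the answer's question 2 in one respect: it also registers Spring Security's HttpSessionEventPublisher, which is what lets the SessionRegistry used by maximumSessions(1) learn that a session was destroyed on logout, the point behind question 1.

```java
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

import org.springframework.boot.web.servlet.ServletListenerRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.session.HttpSessionEventPublisher;

// Added example; class name and timeout value are assumptions, not from the original post.
@Configuration
public class SessionConfig {

    // Inactivity timeout in seconds (30 minutes). Same unit as setMaxInactiveInterval,
    // unlike web.xml <session-timeout>, which is in minutes.
    private static final int MAX_INACTIVE_SECONDS = 30 * 60;

    // The registry that maximumSessions(1) consults. It must be a Spring bean so it can
    // receive session events; reference this bean from .sessionRegistry(sessionRegistry())
    // and define it in one place only.
    @Bean
    public SessionRegistry sessionRegistry() {
        return new SessionRegistryImpl();
    }

    // Converts container HttpSession created/destroyed callbacks into Spring application
    // events. SessionRegistryImpl listens for them and drops the entry on logout or expiry.
    // Without this listener the registry still holds the old session after logout, and
    // maxSessionsPreventsLogin(true) keeps refusing the same user.
    @Bean
    public ServletListenerRegistrationBean<HttpSessionEventPublisher> httpSessionEventPublisher() {
        return new ServletListenerRegistrationBean<>(new HttpSessionEventPublisher());
    }

    // Per-session equivalent of <session-timeout>: applied when the container creates
    // the session. Registering through ServletListenerRegistrationBean is what makes the
    // container call it; a listener class that is merely on the classpath is never invoked.
    @Bean
    public ServletListenerRegistrationBean<HttpSessionListener> sessionTimeoutListener() {
        return new ServletListenerRegistrationBean<>(new HttpSessionListener() {
            @Override
            public void sessionCreated(HttpSessionEvent event) {
                event.getSession().setMaxInactiveInterval(MAX_INACTIVE_SECONDS);
            }

            @Override
            public void sessionDestroyed(HttpSessionEvent event) {
                // Nothing to do here: HttpSessionEventPublisher already informs the registry.
            }
        });
    }
}
```

On Spring Boot 2 the global equivalent of the web.xml setting is the property server.servlet.session.timeout (for example 30m), so the listener is only needed when the timeout must vary per session. Outside Spring Boot, the same two listeners are registered with a <listener> entry in web.xml or with @WebListener on a Servlet 3.0 container (on Boot, @WebListener additionally needs @ServletComponentScan). Either way, the first thing to check when "the listener does nothing" is whether the container was ever told about it.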