I have an application implementing Spring Security with CAS. I am trying to
set the session timeout in the web.xml file so that when the application is
inactive for a certain number of minutes, it triggers a session timeout and the user
needs to be re-authenticated. Without integrating the application with CAS, the
session timeout works fine with Spring Security as expected. However, after
integrating it with CAS, the session timeout doesn't seem to be working, and I
can still navigate to a secured page even after the page has been inactive for
longer than the time I set in the session-timeout config.

What I did was to define the following in the web.xml file (following the examples
provided at http://idms.rutgers.edu/cas/sample_spring_security.shtml):

 <listener>
     
<listener-class>org.springframework.security.ui.session.HttpSessionEventPublisher</listener-class>
 
</listener>
......
<session-config>
        <session-timeout>1</session-timeout>
</session-config>

Am I missing anything? 

Thanks in advance for any advice.

Xuejin

Below is my web.xml:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
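<?xml version="1.0" encoding="UTF-8"?>
<!--
  Deployment descriptor for the Spring Security + CAS sample application.
  The stray ";" that the mailing-list archive appended after each quoted
  namespace URI has been removed; as posted the document is not well-formed XML.
-->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

    <display-name>Spring Security Tutorial Application</display-name>

    <!-- Bean definition files loaded into the root context by ContextLoaderListener
         (whitespace-separated list). -->
    <context-param>
        <param-name>contextConfigLocation</param-name>
        <param-value>
            classpath:applicationContext-business.xml
            classpath:gov/pc/portal/springsecurity/spring.xml
            /WEB-INF/applicationContext-security.xml
        </param-value>
    </context-param>

    <context-param>
        <param-name>log4jConfigLocation</param-name>
        <param-value>/WEB-INF/classes/log4j.properties</param-value>
    </context-param>

    <!-- NOTE(review): Spring's Log4jConfigListener reads webAppRootKey as the *name* of the
         system property it sets to the web-app root directory (the default name is
         "webapp.root"), not as a path. An absolute local path here is therefore probably not
         doing what was intended and embeds a deployment path in the descriptor; confirm
         against what log4j.properties actually references. -->
    <context-param>
        <param-name>webAppRootKey</param-name>
        <param-value>C:\apache-tomcat-6.0.18\apache-tomcat-6.0.18\webapps\SpringSecurityAnotherTest\</param-value>
    </context-param>

    <!-- Single container filter; the real filter chain is the bean named
         springSecurityFilterChain that the security namespace registers in the root context. -->
    <filter>
        <filter-name>springSecurityFilterChain</filter-name>
        <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
    </filter>

    <!-- Every request passes through Spring Security, including the CAS ticket callback. -->
    <filter-mapping>
        <filter-name>springSecurityFilterChain</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>

    <listener>
        <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
    </listener>

    <!-- Publishes HttpSession created/destroyed events to the Spring context. Required by the
         concurrent-session-control element in applicationContext-security.xml so that the
         session registry is cleaned up when the container times a session out. -->
    <listener>
        <listener-class>org.springframework.security.ui.session.HttpSessionEventPublisher</listener-class>
    </listener>

    <listener>
        <listener-class>org.springframework.web.util.Log4jConfigListener</listener-class>
    </listener>

    <servlet>
        <servlet-name>bank</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>

    <servlet-mapping>
        <servlet-name>bank</servlet-name>
        <url-pattern>*.html</url-pattern>
    </servlet-mapping>

    <!-- Test on session timeout configuration: the container invalidates the HttpSession after
         1 minute of inactivity. This ends only the *application* session. The CAS server keeps
         its own single-sign-on session, so the next request is redirected to the CAS login URL
         and, unless that redirect carries renew=true, a fresh service ticket is issued without
         any credential prompt. Forcing re-authentication is therefore a ServiceProperties
         (sendRenew) setting on the Spring Security side, not something web.xml can express. -->
    <session-config>
        <session-timeout>1</session-timeout>
    </session-config>

    <welcome-file-list>
        <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>

</web-app>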
~~~~~~~~~~~~~~~~~~~~~~~

Below is applicationContext-security.xml:

***************************
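<?xml version="1.0" encoding="UTF-8"?>
<!--
  Spring Security 2.0 context wiring CAS single sign-on.
  The stray ";" that the mailing-list archive appended after several quoted URIs has been
  removed; as posted the file is not well-formed XML.
-->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:sec="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:p="http://www.springframework.org/schema/p"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security-2.0.xsd">

    <!-- Unauthenticated requests to a protected URL are sent to the CAS entry point. -->
    <sec:http entry-point-ref="casProcessingFilterEntryPoint">
        <!-- NOTE(review): only /secure/extreme/** is forced onto HTTPS; the service ticket and
             the session cookie for the other patterns travel over whatever channel the request
             arrived on. Confirm this is intentional. -->
        <sec:intercept-url pattern="/secure/extreme/**" access="ROLE_SUPERVISOR"
                           requires-channel="https"/>
        <sec:intercept-url pattern="/secure/**" access="ROLE_USER"/>
        <sec:intercept-url pattern="/listAccounts.html" access="IS_AUTHENTICATED_REMEMBERED"/>
        <sec:intercept-url pattern="/post.html" access="ROLE_TELLER"/>
        <!-- Local logout first, then redirect to CAS so the SSO session is ended as well. -->
        <sec:logout logout-success-url="https://DPRG110.ad.co.pierce.wa.us:8443/cas/logout"/>
        <!-- At most one concurrent session per principal; a second login attempt is rejected
             rather than expiring the first session. Depends on HttpSessionEventPublisher
             being registered in web.xml. -->
        <sec:concurrent-session-control max-sessions="1" exception-if-maximum-exceeded="true"/>
    </sec:http>

    <sec:authentication-manager alias="authenticationManager"/>

    <!-- CAS -->

    <bean id="casProcessingFilterEntryPoint"
          class="org.springframework.security.ui.cas.CasProcessingFilterEntryPoint">
        <property name="loginUrl" value="https://DPRG110.ad.co.pierce.wa.us:8443/cas/login"/>
        <property name="serviceProperties" ref="serviceProperties"/>
    </bean>

    <bean id="serviceProperties" class="org.springframework.security.ui.cas.ServiceProperties">
        <property name="service"
                  value="https://DPRG110.ad.co.pierce.wa.us:8443/SpringSecurityTest/j_spring_cas_security_check"/>
        <!-- sendRenew=true appends renew=true to the CAS login redirect and to ticket
             validation, so a user whose application session has timed out must present
             credentials again instead of being silently re-issued a ticket from the
             still-valid CAS SSO session. With the original value of false the web.xml
             session-timeout ends the application session, but the next request is logged
             straight back in through CAS without a prompt, which is the behaviour reported. -->
        <property name="sendRenew" value="true"/>
    </bean>

    <bean id="casAuthenticationProvider"
          class="org.springframework.security.providers.cas.CasAuthenticationProvider">
        <sec:custom-authentication-provider/>
        <property name="userDetailsService" ref="userService"/>
        <property name="serviceProperties" ref="serviceProperties"/>
        <property name="ticketValidator">
            <bean class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
                <constructor-arg index="0" value="https://DPRG110.ad.co.pierce.wa.us:8443/cas"/>
                <property name="proxyGrantingTicketStorage" ref="proxyGrantingTicketStorage"/>
                <property name="proxyCallbackUrl"
                          value="https://DPRG110.ad.co.pierce.wa.us:8443/cas/secure/receptor"/>
            </bean>
        </property>
        <!-- NOTE(review): "changeit" is the placeholder default. The key is hashed into the
             CasAuthenticationToken stored in the session so the provider can recognise tokens
             it created; give each deployment its own unique, non-guessable value. -->
        <property name="key" value="changeit"/>
    </bean>

    <bean id="casProcessingFilter"
          class="org.springframework.security.ui.cas.CasProcessingFilter"
          p:authenticationManager-ref="authenticationManager"
          p:authenticationFailureUrl="/index.jsp"
          p:alwaysUseDefaultTargetUrl="false"
          p:filterProcessesUrl="/j_spring_cas_security_check"
          p:defaultTargetUrl="/">
        <sec:custom-filter after="CAS_PROCESSING_FILTER"/>
    </bean>

    <bean id="proxyGrantingTicketStorage"
          class="org.jasig.cas.client.proxy.ProxyGrantingTicketStorageImpl"/>

    <!-- NOTE(review): this registers a second, password-based provider against the same
         userService alongside the CAS provider. No form-login is declared in sec:http, so it
         is not obviously used; confirm it is needed, otherwise it widens the set of accepted
         credentials for no benefit. -->
    <sec:authentication-provider user-service-ref="userService"/>

    <!-- Password Encoder -->
    <!-- NOTE(review): unsalted MD5 is not a suitable password hash, and this bean is not
         referenced anywhere in this file; confirm whether userService uses it. -->
    <bean id="passwordEncoder"
          class="org.springframework.security.providers.encoding.Md5PasswordEncoder"/>

    <bean id="userService" class="gov.pc.portal.springsecurity.PortalUserService">
        <property name="dataSource" ref="portalDataSource"/>
        <property name="applicationId" value="107"/>
    </bean>
</beans>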




