Most likely your CAS single sign-on session is still active, since it's
completely independent of the application's session, and you're just being
automatically logged back into the application: once the application session
expires, the next request is redirected to CAS, which still has your SSO session
and hands back a new ticket without prompting for credentials.


On Wed, Jun 10, 2009 at 5:07 PM, Xuejin Ruan <[email protected]> wrote:

>
> I have an application implementing Spring Security with CAS. I am trying to
> set the session timeout in the web.xml file so that when the application is
> inactive for a certain number of minutes, it triggers a session timeout and the
> user needs to be re-authenticated. Without integrating the application with CAS,
> the session timeout works fine with Spring Security, as expected. However, after
> integrating it with CAS, the session timeout doesn't seem to work, and I can
> still navigate to secured pages even after the application has been inactive for
> longer than the time I set in the session timeout config.
>
> What I did was to define the following in web.xml file (examples provided
> in
> http://idms.rutgers.edu/cas/sample_spring_security.shtml):
>
>  <listener>
>
>
> <listener-class>org.springframework.security.ui.session.HttpSessionEventPublisher</listener-class>
> </listener>
> ......
> <session-config>
>        <session-timeout>1</session-timeout>
> </session-config>
>
> Am I missing anything?
>
> Thanks in advance for any advice.
>
> Xuejin
>
> Below is my web.xml:
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> <?xml version="1.0" encoding="UTF-8"?>
> <web-app xmlns="http://java.sun.com/xml/ns/j2ee";
>  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
>  xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
> http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"; version="2.4">
>
>    <!-- NOTE(review): the stray ";" after each quoted URI in the start tag above
>         looks like a mail-archive artifact; as pasted the descriptor is not
>         well-formed XML and would be rejected by the container. -->
>
>    <display-name>Spring Security Tutorial Application</display-name>
>
>    <!-- Spring context files loaded by ContextLoaderListener (registered below);
>         the security configuration is the last entry. -->
>    <context-param>
>                <param-name>contextConfigLocation</param-name>
>                <param-value>
>                        classpath:applicationContext-business.xml
>                        classpath:gov/pc/portal/springsecurity/spring.xml
>                        /WEB-INF/applicationContext-security.xml
>                </param-value>
>    </context-param>
>
>    <context-param>
>        <param-name>log4jConfigLocation</param-name>
>        <param-value>/WEB-INF/classes/log4j.properties</param-value>
>    </context-param>
>
>    <!-- NOTE(review): Spring's Log4jConfigListener treats webAppRootKey as the
>         NAME of the system property that will receive the web-app root path,
>         not as the path itself. A machine-specific Windows path here is almost
>         certainly a misconfiguration and ties this descriptor to one host. -->
>    <context-param>
>       <param-name>webAppRootKey</param-name>
>
>
> <param-value>C:\apache-tomcat-6.0.18\apache-tomcat-6.0.18\webapps\SpringSecurityAnotherTest\</param-value>
>     </context-param>
>
>
>    <!-- Every request passes through the Spring Security filter chain.
>         DelegatingFilterProxy hands off to the Spring bean with the same name
>         as this filter (the security namespace's <sec:http> element registers it). -->
>    <filter>
>        <filter-name>springSecurityFilterChain</filter-name>
>
>
> <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>
>    </filter>
>
>    <filter-mapping>
>      <filter-name>springSecurityFilterChain</filter-name>
>      <url-pattern>/*</url-pattern>
>    </filter-mapping>
>
>    <listener>
>
>
> <listener-class>org.springframework.web.context.ContextLoaderListener</listener-class>
>    </listener>
>
>
>    <!-- Publishes HttpSession created/destroyed events into the Spring context.
>         Required for the concurrent-session-control used in
>         applicationContext-security.xml; it does not by itself change when a
>         session expires. -->
>    <listener>
>
>
> <listener-class>org.springframework.security.ui.session.HttpSessionEventPublisher</listener-class>
> </listener>
>
>    <listener>
>
>
> <listener-class>org.springframework.web.util.Log4jConfigListener</listener-class>
>    </listener>
>
>    <servlet>
>                <servlet-name>bank</servlet-name>
>
>
> <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>
>                <load-on-startup>1</load-on-startup>
>    </servlet>
>
>    <servlet-mapping>
>        <servlet-name>bank</servlet-name>
>        <url-pattern>*.html</url-pattern>
>     </servlet-mapping>
>
>                <!-- Servlet-container session timeout, in minutes (1 minute here,
>                     presumably a test value). This only expires the application's
>                     own HttpSession. The CAS single sign-on session lives on the
>                     CAS server and is independent of it, so once this session
>                     expires the entry point simply redirects to CAS, which issues
>                     a fresh ticket without prompting, and the user appears to stay
>                     logged in. To require credentials again, set sendRenew="true"
>                     on the ServiceProperties bean in applicationContext-security.xml
>                     and/or shorten the SSO session lifetime on the CAS server. -->
>    <session-config>
>        <session-timeout>1</session-timeout>
>    </session-config>
>
>     <welcome-file-list>
>                <welcome-file>index.jsp</welcome-file>
>        </welcome-file-list>
>
> </web-app>
> ~~~~~~~~~~~~~~~~~~~~~~~
>
> Below is applicationContext-security.xml:
>
> ***************************
> <?xml version="1.0" encoding="UTF-8"?>
>
> <beans xmlns="http://www.springframework.org/schema/beans";
>        xmlns:sec="http://www.springframework.org/schema/security";
>    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
>        xmlns:p="http://www.springframework.org/schema/p";
>    xsi:schemaLocation="http://www.springframework.org/schema/beans
> http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
>                        http://www.springframework.org/schema/security
> http://www.springframework.org/schema/security/spring-security-2.0.xsd";>
>
>    <!-- NOTE(review): the stray ";" after each quoted URI in the start tag above
>         looks like a mail-archive artifact; as pasted this file is not
>         well-formed XML. -->
>
>    <!-- Unauthenticated requests to a protected URL are sent to CAS by the
>         entry point referenced here. Only /secure/extreme/** is forced onto
>         HTTPS: the remaining protected paths (and the session cookie they carry)
>         may be served over plain HTTP, so consider requires-channel="https" on
>         every authenticated path. -->
>    <sec:http entry-point-ref="casProcessingFilterEntryPoint">
>    <sec:intercept-url pattern="/secure/extreme/**" access="ROLE_SUPERVISOR"
> requires-channel="https"/>
>        <sec:intercept-url pattern="/secure/**" access="ROLE_USER" />
>        <sec:intercept-url pattern="/listAccounts.html"
> access="IS_AUTHENTICATED_REMEMBERED" />
>    <sec:intercept-url pattern="/post.html" access="ROLE_TELLER" />
>        <!-- Local logout, then redirect to the CAS logout page so the single
>             sign-on session is ended as well. -->
>    <sec:logout
> logout-success-url="https://DPRG110.ad.co.pierce.wa.us:8443/cas/logout"/>
>        <sec:concurrent-session-control max-sessions="1"
> exception-if-maximum-exceeded="true"/> <!-- At most one live session per user; a
> second login is rejected rather than expiring the first. Depends on the
> HttpSessionEventPublisher listener registered in web.xml. -->
>    </sec:http>
>
>
>    <sec:authentication-manager alias="authenticationManager"/>
>
>    <!--CAS  -->
>
>    <!-- Where unauthenticated users are redirected to log in. -->
>    <bean id="casProcessingFilterEntryPoint"
> class="org.springframework.security.ui.cas.CasProcessingFilterEntryPoint">
>        <property name="loginUrl"
> value="https://DPRG110.ad.co.pierce.wa.us:8443/cas/login"/>
>        <property name="serviceProperties" ref="serviceProperties"/>
>    </bean>
>
>    <!-- sendRenew="false" is why the 1-minute session-timeout in web.xml appears
>         not to work: when the application session expires, the user is redirected
>         to CAS, which still holds their SSO session and issues a new service
>         ticket without asking for credentials. With sendRenew="true" the
>         redirect carries renew=true and CAS prompts for credentials again.
>         NOTE(review): the line breaks inside the "service" value below (from the
>         mail wrapping or the file itself) become spaces in the parsed attribute;
>         keep the URL on a single line. -->
>    <bean id="serviceProperties"
> class="org.springframework.security.ui.cas.ServiceProperties">
>        <property name="service"
> value="
> https://DPRG110.ad.co.pierce.wa.us:8443/SpringSecurityTest/j_spring_cas_security_check
> "/>
>        <property name="sendRenew" value="false"/>
>    </bean>
>
>
>    <!-- Validates CAS service tickets and builds the local Authentication from
>         userService. -->
>   <bean id="casAuthenticationProvider"
>
> class="org.springframework.security.providers.cas.CasAuthenticationProvider">
>        <sec:custom-authentication-provider />
>        <property name="userDetailsService" ref="userService"/>
>        <property name="serviceProperties" ref="serviceProperties" />
>        <property name="ticketValidator">
>            <!-- NOTE(review): proxyCallbackUrl/proxyGrantingTicketStorage enable
>                 CAS proxy-ticket support, which is only needed if this application
>                 itself calls other CAS-protected services on the user's behalf;
>                 if it does not, drop both to reduce exposed surface. Confirm. -->
>            <bean
> class="org.jasig.cas.client.validation.Cas20ServiceTicketValidator">
>                <constructor-arg index="0"
> value="https://DPRG110.ad.co.pierce.wa.us:8443/cas"; />
>                <property name="proxyGrantingTicketStorage"
> ref="proxyGrantingTicketStorage" />
>                <property name="proxyCallbackUrl"
> value="https://DPRG110.ad.co.pierce.wa.us:8443/cas/secure/receptor"; />
>            </bean>
>        </property>
>        <!-- NOTE(review): "key" identifies the tokens this provider creates;
>             "changeit" is a placeholder-style value and should be replaced with a
>             secret unique to this deployment, preferably externalised rather than
>             committed in this file. -->
>        <property name="key" value="changeit"/>
>    </bean>
>
>    <!-- Handles the ticket callback; filterProcessesUrl must match the path of
>         the "service" URL in serviceProperties. -->
>    <bean id="casProcessingFilter"
> class="org.springframework.security.ui.cas.CasProcessingFilter"
>                 p:authenticationManager-ref="authenticationManager"
>                p:authenticationFailureUrl="/index.jsp"
>                p:alwaysUseDefaultTargetUrl="false"
>                p:filterProcessesUrl="/j_spring_cas_security_check"
>                p:defaultTargetUrl="/" >
>                <sec:custom-filter after="CAS_PROCESSING_FILTER"/>
>    </bean>
>
>
>        <bean id="proxyGrantingTicketStorage"
> class="org.jasig.cas.client.proxy.ProxyGrantingTicketStorageImpl" />
>
>        <!-- NOTE(review): this registers a second, password-based provider on the
>             same userService alongside CAS. No form-login filter is visible in this
>             file, so it may be unused; confirm it is intended, since it is an
>             additional credential path that does not go through CAS. -->
>        <sec:authentication-provider user-service-ref="userService" />
>
>                    <!-- Password encoder. NOTE(review): unsalted MD5 is not
>                         suitable for stored passwords, and nothing in this file
>                         references this bean; confirm whether PortalUserService
>                         uses it and, if so, move to a salted, slow password hash. -->
>                <bean id="passwordEncoder"
>
> class="org.springframework.security.providers.encoding.Md5PasswordEncoder"/>
>
>      <bean id="userService"
> class="gov.pc.portal.springsecurity.PortalUserService">
>                <property name="dataSource" ref="portalDataSource"/>
>                <property name="applicationId" value="107"/>
>        </bean>
>        </beans>
>
>
>
>
>
>

