Spring Security is implemented in the application. Login is working correctly, and logout as well. The pages below can only be entered if you have logged in with the role ROLE_ADMINISTRADOR.
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable();
        http.authorizeRequests()
                // Configuration for all users of the system
                .antMatchers("/error/**", "/resources/**", "/jsCss/**", "/webjars/**", "/recuperarSenha").permitAll()
                // Configuration for all users with the
                // ROLE_ADMINISTRADOR permission
                .antMatchers("/codigo/**", "/subCodigo/**", "/tipoCredito/**", "/tipoCancelamento/**", "/usuario/**",
                        "/servico/**", "/notaFiscal/**", "/erroAlerta/**", "/credito/**", "/configuracao/**",
                        "/cnaeSubCodigo/**", "/cnae/**", "/erroAlerta/**", "/atualizacaoMonetariaItem/**",
                        "/atualizacaoMonetaria/**", "/dashboardAdmin/**", "/porcentagemReter/**")
                .access("hasRole('ROLE_ADMINISTRADOR')")
                // Configuration for all users of the system
                .and().formLogin().loginPage("/login").successHandler(loginSucessHandler).permitAll().and().rememberMe()
                // Logout
                .and().logout().logoutRequestMatcher(new AntPathRequestMatcher("/logout")).and().sessionManagement()
                .maximumSessions(1).maxSessionsPreventsLogin(true).expiredUrl("/login")
                .sessionRegistry(sessionRegistry());
    }

I have some questions.
2. I could not configure the session timeout. For example, if the user is not working with the system, it automatically logs out.
3. I am not able to work with CSRF attacks, even using this part of the code from the link.
On item 3, I'm putting this in the HTML pages, but it gives an error:

    <meta name="_csrf" content="${_csrf.token}"/>
    <!-- default header name is X-CSRF-TOKEN -->
    <meta name="_csrf_header" content="${_csrf.headerName}"/>
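
On item 3, an added example that is not part of the original post: the configuration above calls `http.csrf().disable()`, which removes the filter that sets the `_csrf` request attribute the meta tags read. The configuration below leaves CSRF protection on; the class name `CsrfEnabledSecurityConfig` is an assumption, and the admin path list is shortened to two of the post's paths.

```java
// Added example, not the poster's code. The class name is hypothetical.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.web.session.HttpSessionEventPublisher;

@Configuration
@EnableWebSecurity
public class CsrfEnabledSecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // No http.csrf().disable() here: CSRF protection is on by default, so
        // the CsrfFilter stores the token under the "_csrf" request attribute
        // and rejects POST/PUT/DELETE requests that do not carry it.
        http.authorizeRequests()
                .antMatchers("/error/**", "/resources/**", "/jsCss/**", "/webjars/**", "/recuperarSenha").permitAll()
                // Two of the admin paths from the post; the rest follow the same pattern.
                .antMatchers("/usuario/**", "/dashboardAdmin/**").access("hasRole('ROLE_ADMINISTRADOR')")
                .and().formLogin().loginPage("/login").permitAll()
                // With CSRF enabled, the default logout() only accepts a
                // POST to /logout that includes the token. Overriding it with
                // an AntPathRequestMatcher("/logout") re-enables GET logout,
                // which any third-party page can trigger.
                .and().logout()
                .and().sessionManagement()
                .maximumSessions(1).maxSessionsPreventsLogin(true).expiredUrl("/login")
                .sessionRegistry(sessionRegistry());
    }

    @Bean
    public SessionRegistry sessionRegistry() {
        return new SessionRegistryImpl();
    }

    // Tells the SessionRegistry when the container destroys a session (for
    // example after it times out); without it, maxSessionsPreventsLogin(true)
    // can keep a user locked out after their old session has expired.
    @Bean
    public HttpSessionEventPublisher httpSessionEventPublisher() {
        return new HttpSessionEventPublisher();
    }
}
```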