Spring security - Some doubts

0

Spring security is implemented in the application. You are logging in correctly, logout as well. In the pages below you only enter if you have logged in with the role ROLE_ADMINISTRATOR .

@Override
    protected void configure(HttpSecurity http) throws Exception {
        http.csrf().disable();
        http.authorizeRequests()
                // Configuração para todos usuarios do sistema
                .antMatchers("/error/**", "/resources/**", "/jsCss/**", "/webjars/**", "/recuperarSenha").permitAll()
                // Configuração para todos usuarios com permissão de
                // ROLE_ADMINISTRADOR
                .antMatchers("/codigo/**", "/subCodigo/**", "/tipoCredito/**", "/tipoCancelamento/**", "/usuario/**",
                        "/servico/**", "/notaFiscal/**", "/erroAlerta/**", "/credito/**", "/configuracao/**",
                        "/cnaeSubCodigo/**", "/cnae/**", "/erroAlerta/**", "/atualizacaoMonetariaItem/**",
                        "/atualizacaoMonetaria/**", "/dashboardAdmin/**", "/porcentagemReter/**")
                .access("hasRole('ROLE_ADMINISTRADOR')")
                // Configuração para todos usuarios do sistema
                .and().formLogin().loginPage("/login").successHandler(loginSucessHandler).permitAll().and().rememberMe()
                // Logout
                .and().logout().logoutRequestMatcher(new AntPathRequestMatcher("/logout")).and().sessionManagement()
                .maximumSessions(1).maxSessionsPreventsLogin(true).expiredUrl("/login")
                .sessionRegistry(sessionRegistry());

    }

I have some questions.

  • is part .and (). sessionManagement (). maximumSessions (1) .maxSessionsPreventsLogin (true) .expiredUrl ("/ login") sessionRegistry (sessionRegistry ()); user is logged in, what is working. But the problem is that after logging out, I can not log in with the same login, so I have to stop the server in order to log in again.
  • 2.Configuration of session time, I could not do. Type if the user does not work with the system, it automatically shifts.

    3. I am not able to work with CSRF Attacks , even taking this part of the link code.

    On item 3, I'm putting in html pages, but it gives error

    <meta name="_csrf" content="${_csrf.token}"/>
        <!-- default header name is X-CSRF-TOKEN -->
        <meta name="_csrf_header" content="${_csrf.headerName}"/>
    
        
    asked by anonymous 10.01.2018 / 21:17

    1 answer

    0

    I understand that your issues are related to spring-security, but I believe that the best way for you and the respondent is to do them separately, as your questions do not have a prerequisite / link / dependency for clarification.

    Answering your question 2:

    You can configure for all sessions by placing in your web.xml:

    <session-config>
    <session-timeout>60</session-timeout>
    </session-config>
    

    Or per session, using:

    session.setMaxInactiveInterval(60*60);
    
        
    13.01.2018 / 05:40