Tags: java, spring, spring-mvc, spring-security, httpsession

HttpSession remains after server restart


I'm learning Spring. Doing the login/logout functionality. This is what my controller looks like:

import javax.servlet.http.HttpSession;

import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.servlet.ModelAndView;

@Controller
public class LoginController {

    @RequestMapping(value = "/successfulLoginAuth", method = RequestMethod.GET)
    public ModelAndView postHttpLogin(HttpSession session, Authentication authInfo) {
        ModelAndView mav = new ModelAndView();
        mav.setViewName("redirect:/index.html");
        // Store the Authentication object in the HttpSession so index.jsp can read it
        session.setAttribute("authInfo", authInfo);
        return mav;
    }
}

The log in is performed via Spring Security using a dao service which I have implemented. That works fine.

This is the content of index.jsp:

<%@ page import="org.springframework.security.core.Authentication" %>
<%
    // Look up the existing session without creating a new one
    HttpSession session1 = request.getSession(false);
    Authentication authInfo;
    if ((session1 != null)
        && ((authInfo = (Authentication) session1.getAttribute("authInfo")) != null))
    {
        // Guard against an Authentication that carries no granted authorities
        String role = authInfo.getAuthorities().isEmpty()
            ? "(no authorities)"
            : authInfo.getAuthorities().iterator().next().getAuthority();
        out.print(" yo " + authInfo.getName() + " " + role);
    }
    else
    {
%>
<a href="${pageContext.request.contextPath}/registration">New? Sign Up!</a><br/>
<a href="${pageContext.request.contextPath}/login">Existing? Sign In!</a><br/>
<%
    }
%>

When I log in and then restart the server, I'm still logged in. Shouldn't the session information be lost after a server restart? If I restart the browser, it works as it should (i.e. the session info is lost).

This is my Spring Security configuration:

<http auto-config="true" use-expressions="true">
    <intercept-url pattern="/" access="permitAll" />
    <intercept-url pattern="/logout" access="permitAll" />
    <intercept-url pattern="/accessdenied" access="permitAll" />
    <form-login login-page="/login" default-target-url="/successfulLoginAuth" authentication-failure-url="/accessdenied" />
    <logout logout-success-url="/logout" />
</http>

<authentication-manager>
    <authentication-provider user-service-ref="myUserDetailsService" />
</authentication-manager>

Solution

  • I'm assuming you are using Tomcat, which uses a Manager component to persist sessions between application life-cycles. You can change all those settings in the Manager component configuration.

    I think it also depends on the kind of changes you do. Eclipse's plugin for Tomcat server will decide if it should flush the serialized HttpSessions or not.
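As an added example (not part of the question or the answer above): a Tomcat context.xml showing the default session-persistence behaviour of the StandardManager beside the setting that disables it. It assumes a stock Tomcat install where META-INF/context.xml inside the web application configures that application only and conf/context.xml under CATALINA_BASE applies to every application.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- META-INF/context.xml of the web application (or conf/context.xml for all apps). -->
<Context>

    <!-- Default behaviour, equivalent to having no Manager element at all:
         on a graceful shutdown the StandardManager serializes every active
         HttpSession, including the Authentication object the controller stored,
         to SESSIONS.ser in the application's work directory
         (work/Catalina/localhost/[appname]/ under CATALINA_BASE) and reloads
         the file on the next start. A browser that still holds its JSESSIONID
         cookie therefore resumes an authenticated session after the restart.
    <Manager className="org.apache.catalina.session.StandardManager"
             pathname="SESSIONS.ser" />
    -->

    <!-- Corrected setting: an empty pathname turns persistence off, so a
         restart discards every session and users have to log in again. -->
    <Manager className="org.apache.catalina.session.StandardManager"
             pathname="" />

</Context>
```

To confirm the change, stop Tomcat gracefully (shutdown.sh or shutdown.bat rather than killing the process) and look in the application's work directory: with the default setting a SESSIONS.ser file appears, with pathname="" it does not. Note that disabling persistence is also what you want if a restart is ever relied on to force re-authentication, because the serialized session would otherwise carry the user's logged-in state across it; this holds even without the manual authInfo attribute, since Spring Security stores its own SecurityContext in the same HttpSession.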