Question

I'm using Spring 3.1.1.Release, Security 3.1.0.Release.

I've added login/logout to my web app, however a session scoped bean is not functioning the way it was. The bean is used to connect to a CMS called CMSConnector.

To authenticate users, I implemented an AuthenticationProvider, and in the authenticate() call, I get the session-scoped CMSConnector and call the CMSConnector.login(). If the CMS login fails, it fails the login.

THE PROBLEM -

If the login is successful, the @PreDestroy logout() is called immediately after the successful login. I then found that it was the SessionFixationProtectionStrategy invalidating the previous session and assigning a new one:

session.invalidate();
session = request.getSession(true); // we now have a new session

The invalidate() is calling the @PreDestroy method on the session-scoped bean.

So I have temporarily removed the @PreDestroy annotation, leaving the connection not closed. (VERY BAD PRACTICE.)

What is a work around to resolve the issue?

I tried to create a @PostConstruct and put the login process there, but the @PostConstruct doesn't get called when request.getSession(true) is called.

Thanks!

Jason


Solution 2

I did not solve my original question, but I implemented a workaround: expire the session in the session-expire object instead of attaching it with @PreDestroy.
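One way to carry out the same idea of moving the cleanup out of @PreDestroy, as an added example that is not the asker's code: keep the bean session-scoped, drop @PreDestroy, and close the CMS connection from a Spring Security LogoutHandler that runs before the session is invalidated, so session-fixation protection can stay switched on. CmsSession, CmsConnector, CmsLogoutHandler, the bean names and the /login URL are assumed names.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Scope;
import org.springframework.context.annotation.ScopedProxyMode;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.authentication.logout.LogoutHandler;
import org.springframework.stereotype.Component;

// Session-scoped connector with no @PreDestroy: the session.invalidate() that
// SessionFixationProtectionStrategy (migrateSession) performs after a successful
// login no longer tears down the CMS connection the migrated session keeps using.
// The scoped proxy lets the singleton LogoutHandler below resolve the connector for
// the current session (needs RequestContextListener in web.xml, which looking the
// bean up from an AuthenticationProvider already requires).
@Component("cmsConnector")
@Scope(value = "session", proxyMode = ScopedProxyMode.TARGET_CLASS)
public class CmsConnector {
    private CmsSession cms;                       // hypothetical CMS client handle

    public synchronized boolean login(String user, char[] password) {
        cms = CmsSession.open(user, password);    // hypothetical factory; null on failure
        return cms != null;
    }

    public synchronized void logout() {
        if (cms != null) {
            cms.close();                          // hypothetical; releases the CMS session
            cms = null;
        }
    }
}

// Closes the CMS session on an explicit Spring Security logout. Wire it into a
// LogoutFilter ahead of SecurityContextLogoutHandler (which invalidates the session):
//   <bean id="logoutFilter" class="org.springframework.security.web.authentication.logout.LogoutFilter">
//     <constructor-arg value="/login"/>
//     <constructor-arg><list>
//       <ref bean="cmsLogoutHandler"/>
//       <bean class="org.springframework.security.web.authentication.logout.SecurityContextLogoutHandler"/>
//     </list></constructor-arg>
//   </bean>
//   <custom-filter position="LOGOUT_FILTER" ref="logoutFilter"/>
@Component("cmsLogoutHandler")
class CmsLogoutHandler implements LogoutHandler {
    @Autowired private CmsConnector cmsConnector;

    @Override
    public void logout(HttpServletRequest request, HttpServletResponse response,
                       Authentication authentication) {
        cmsConnector.logout();
    }
}
```

Remove the namespace `<logout/>` element when declaring the filter this way, since both register at the LOGOUT_FILTER position. A session that times out without an explicit logout is not covered by this handler, so the CMS side should still enforce its own idle timeout.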

OTHER TIPS

I think it's not the SessionFixationProtectionStrategy but the ConcurrentSessionControlStrategy.

Set max-sessions="-1" for this code snippet

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow