Hi all… I have a “Vaadin 10 with Spring Boot” application that I have taken from the Vaadin 10 Flow starter application. I want to allow a user to access the application from one place at a time, so I used maximumSessions(1). For example, from the Chrome browser I have logged in with user “XYZ”. Now with the same user (i.e. “XYZ”) I tried to log in from the Opera browser. As per the configuration shown below, it will expire the session of the Chrome browser, but it is not redirecting to “/login”. It shows the message “Invalid JSON response from Server”. Any help would be appreciated!!!

Below is the Spring Security configuration:
```java
@Override
protected void configure(HttpSecurity http) throws Exception {
    // Not using Spring CSRF here to be able to use plain HTML for the login page
    http.csrf().disable()
            // Register our CustomRequestCache, that saves unauthorized access attempts, so
            // the user is redirected after login.
            .requestCache().requestCache(new CustomRequestCache())
            // Restrict access to our application.
            .and().authorizeRequests()
            .antMatchers("/ForgetPassword", "/ChangePassword", "/login").permitAll()
            // Allow all flow internal requests.
            .requestMatchers(SecurityUtils::isFrameworkInternalRequest).permitAll()
            // Allow all requests by logged in users.
            .anyRequest().authenticated()
            // Configure the login page.
            .and().formLogin().loginPage("/login").permitAll().loginProcessingUrl("/login")
            .failureUrl("/login?error")
            // Register the success handler that redirects users to the page they last tried
            // to access
            .successHandler(new SavedRequestAwareAuthenticationSuccessHandler())
            // Configure logout
            .and().logout().logoutSuccessUrl(LOGOUT_SUCCESS_URL)
            .deleteCookies("JSESSIONID")
            //.invalidateHttpSession(true)
            .and()
            .sessionManagement()
            //.invalidSessionUrl("/login")
            .maximumSessions(1)
            //.maxSessionsPreventsLogin(false)
            .sessionRegistry(sessionRegistry())
            .expiredUrl("/login");
}
```

P.S. I asked the same question on Stack Overflow (https://stackoverflow.com/questions/51704975/spring-boot-expiredurl-not-working).