Spring Security - Order of Java Config SecurityBuilders
I'm developing a web application using Spring Security 4.0.0's Java config instead of XML config. I'm using ObjectPostProcessors to customize some of Spring Security's beans, notably the session concurrency ones (to achieve immediate invalidation of the session when a user logs in again, as opposed to Spring's standard behavior of invalidating it at the next request).
It works as expected most of the time, but when I restart the application it sometimes seems the beans are not the modified ones I want.
Are SecurityBuilders processed in a specific order, or are they instead processed in random order?
Edit:
My config:
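/**
 * Java-config web security for the application (Spring Security 4.0.0), built on the
 * project's CAS adapter. Besides the usual request authorization it swaps the
 * {@link ConcurrentSessionControlAuthenticationStrategy} created by the
 * ConcurrencyControlConfigurer for the project's own session-invalidating strategy via an
 * {@link ObjectPostProcessor}, so that an earlier session is invalidated immediately when
 * the same user logs in again.
 *
 * <p>Security-relevant choices made here (see the inline comments): CSRF protection is
 * skipped for {@code /push/**}, X-Frame-Options is relaxed to SAMEORIGIN, and the logout
 * handlers that run before the old session is invalidated do not include
 * {@code SecurityContextLogoutHandler}.
 */
@EnableWebSecurity
public class SecurityConfig extends AbstractCasWebSecurityConfigurerAdapter {

    /**
     * Value passed to {@code maximumSessions(...)} only to make the ConcurrencyControlConfigurer
     * register a concurrency strategy at all; the strategy it builds is replaced by
     * {@link #myConcurrentSessionControlAuthenticationListener()}, which enforces the real
     * limit of one session per principal.
     */
    private static final int CONCURRENCY_CONFIGURER_TRIGGER_LIMIT = 73467436;

    public SecurityConfig() {
        // Flags are interpreted by AbstractCasWebSecurityConfigurerAdapter (not shown here);
        // NOTE(review): confirm their meaning against that class before changing them.
        super(true, false, true);
    }

    @Autowired
    private Environment env;

    /**
     * Explicit {@link SessionRegistry} bean: there is no way to get hold of the one the
     * configurer creates, and the custom concurrency strategy needs the same instance.
     */
    @Bean
    public SessionRegistry sessionRegistry() {
        return new SessionRegistryImpl();
    }

    /**
     * Explicit {@link CsrfTokenRepository} bean: there is no way to get hold of the one the
     * configurer creates, and the CSRF logout handler needs the same instance.
     */
    @Bean
    public CsrfTokenRepository csrfTokenRepository() {
        return new HttpSessionCsrfTokenRepository();
    }

    /**
     * The project's own {@code ConcurrentSessionControlAuthenticationStrategy}, which invalidates
     * the superseded session instead of merely marking it expired.
     *
     * @return strategy limited to one session per principal; exceeding the limit expires the
     *         older session rather than rejecting the new login
     */
    @Bean
    public SessionInvalidatingConcurrentSessionControlAuthenticationStrategy
            myConcurrentSessionControlAuthenticationListener() {
        // The logout handlers have to be recreated here because they must be called
        // before the old session is invalidated.
        final LogoutHandler[] logoutHandlers = new LogoutHandler[] {
                new CookieClearingLogoutHandler("JSESSIONID"),
                new CsrfLogoutHandler(csrfTokenRepository())
                // new SecurityContextLogoutHandler() is deliberately left out: it seemed to
                // create problems redirecting to the same page that caused the login request.
                // NOTE(review): this means the old session's SecurityContext is not cleared by
                // this handler list; the invalidating strategy is relied on for that — confirm.
        };
        SessionInvalidatingConcurrentSessionControlAuthenticationStrategy mine =
                new SessionInvalidatingConcurrentSessionControlAuthenticationStrategy(
                        sessionRegistry(), logoutHandlers);
        // false: expire the older session instead of throwing when the limit is exceeded.
        mine.setExceptionIfMaximumExceeded(false);
        mine.setMaximumSessions(1);
        return mine;
    }

    /**
     * Excludes static resources from the security filter chain entirely. In the
     * {@code development} profile the Bower components directory is excluded as well.
     *
     * @param web the web security builder
     * @throws Exception propagated from the parent configuration
     */
    @Override
    public void configure(WebSecurity web) throws Exception {
        super.configure(web);
        boolean devMode = this.env.acceptsProfiles("development");
        // Paths listed here bypass every security filter, so only truly static content belongs.
        final String[] ignoredPaths = devMode
                ? new String[] {"/webjars/**", "/static/**", "/bower_components/**"}
                : new String[] {"/webjars/**", "/static/**"};
        web
            .ignoring()
                .antMatchers(ignoredPaths)
                .and()
            .debug(false);
    }

    /**
     * Configures session concurrency, CSRF, frame options, request authorization and logout.
     *
     * @param http the HTTP security builder
     * @throws Exception propagated from the parent configuration
     */
    @Override
    protected void configure(final HttpSecurity http) throws Exception {
        super.configure(http);
        http
            .sessionManagement()
                // Any limit triggers the ConcurrencyControlConfigurer; the strategy it creates
                // is substituted below, so the number itself is never enforced.
                .maximumSessions(CONCURRENCY_CONFIGURER_TRIGGER_LIMIT)
                .sessionRegistry(sessionRegistry())
                .and()
                .withObjectPostProcessor(
                        new ObjectPostProcessor<ConcurrentSessionControlAuthenticationStrategy>() {
                            @SuppressWarnings("unchecked")
                            @Override
                            public <O extends ConcurrentSessionControlAuthenticationStrategy> O postProcess(
                                    O concurrentSessionControlAS) {
                                // Substitute the ConcurrentSessionControlAuthenticationStrategy
                                // created by the ConcurrencyControlConfigurer with our own.
                                return (O) myConcurrentSessionControlAuthenticationListener();
                            }
                        })
                .and()
            // The STOMP endpoint must be exempt from CSRF so the SockJS JavaScript client can
            // issue POST requests to /push/... when using transports other than WebSocket.
            // For now the protection there is given by the STOMP CSRF headers.
            // NOTE(review): the exemption covers all of /push/**, not only the SockJS
            // transport URLs — keep the pattern as narrow as the client actually needs.
            .csrf()
                .csrfTokenRepository(csrfTokenRepository())
                .ignoringAntMatchers("/push/**")
                .and()
            // Relaxed from DENY to SAMEORIGIN so our own site can frame the SockJS iframe
            // transport; cross-origin framing is still refused.
            .headers()
                .frameOptions().sameOrigin()
                .and()
            .authorizeRequests()
                .antMatchers("/help/**").permitAll()   // redirects that do not require authentication
                .antMatchers("/push/info").permitAll() // SockJS /info request happens before login
                .anyRequest().authenticated()
                .and()
            // Remove the session cookie when logging out.
            // See: http://docs.spring.io/autorepo/docs/spring-security/current/reference/htmlsingle/#detecting-timeouts
            .logout()
                .deleteCookies("JSESSIONID")
                .and();
    }
}

// AbstractCasWebSecurityConfigurerAdapter is an AbstractWebSecurityConfigurerAdapter that configures CAS.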