Ian Brandt (Migrated from SEC-1724) said:
Upon redirecting to a configured invalidSessionUrl, SessionManagementFilter currently does not save the original request URL to the RequestCache. If the invalidSessionUrl ultimately routes the user through a successful authentication, the SavedRequestAwareAuthenticationSuccessHandler can only redirect the user to the defaultTargetUrl.
See the linked forum reference for more details and a more specific use case.
Git merge request forthcoming...
Ian Brandt said:
Merge request posted: http://git.springsource.org/spring-security/spring-security/merge_requests/2
Luke Taylor said:
Thanks for the patch. To be honest, I don't really like having the invalid-session stuff directly in the SessionManagementFilter. I'd prefer to introduce an additional strategy which would handle this sort of thing and could encapsulate additional behaviour such as the use of the RequestCache. I will look into doing that prior to 3.1.
Perfect. My patch definitely has a single responsibility principle violation smell to it. As a newcomer I wasn't about to propose new API just to solve my specific issue, but if you think the additional strategy makes sense I couldn't agree more.
I've completed work on SEC-1754, which should allow you to plug in your own custom behaviour when an invalid session Id is detected.