Timmy Schweer (Migrated from SEC-3040) said:
I'm using spring security for an GWT application and I upgraded from Spring Security 3.x to 4.0.1.
The authentication sessions are invalidated randomly, sometimes directly after login and sometimes never. So I wanted to deactivate SessionFixationProtectionStrategy which dropped me the following message:
BeanDefinitionParsingException: Configuration problem: session-fixation-protection attribute cannot be used in combination with session-authentication-strategy-ref
It seems like in Spring 3.x the SessionFixationProtectionStrategy was deactivated by default and is now active by default, which is fine but I don't know how to disable it in the following configuration:
<bean class="mysecurity.CustomConcurrentSessionControlStrategy"
id="scs">
<constructor-arg name="sessionRegistry" ref="sessionRegistry"/>
</bean>
<sec:http use-expressions="true" create-session="always">
<sec:session-management session-authentication-strategy-ref="scs"/>
....
</sec:http>
Timmy Schweer (Migrated from SEC-3040) said:
I'm using spring security for an GWT application and I upgraded from Spring Security 3.x to 4.0.1.
The authentication sessions are invalidated randomly, sometimes directly after login and sometimes never. So I wanted to deactivate SessionFixationProtectionStrategy which dropped me the following message:
It seems like in Spring 3.x the SessionFixationProtectionStrategy was deactivated by default and is now active by default, which is fine but I don't know how to disable it in the following configuration: