ConcurrentSessionFilter should be able to pass the request downstream (after doLogout), such that all authentication redirects can be handled by ExceptionTranslationFilter. #8363
Labels
in: web
An issue in web modules (web, webmvc)
This issue was initially discussed here.

We use Keycloak for SSO. When Keycloak sends a logout request to our client application, it includes the sessionId of the session to invalidate. However, invalidating a session by id is not supported by the servlet spec (I think).

As such, the way we accomplish this session invalidation is by expiring the corresponding `org.springframework.security.core.session.SessionInformation` object. A custom `javax.servlet.http.HttpFilter` invalidates the corresponding `HttpSession` on the next incoming request for that session, and passes the request downstream. This way, invalidated sessions & non-existing/timed-out sessions are both handled by `ExceptionTranslationFilter` using `authenticationEntryPoint` (after an `AccessDeniedException` is thrown).

Rather than defining a custom `javax.servlet.http.HttpFilter`, we'd love to reuse `org.springframework.security.web.session.ConcurrentSessionFilter`. This filter comes out-of-the-box and serves a similar purpose. However, we currently cannot use this filter as there's no option to pass the request downstream (after `doLogout(request, response)`), because `SessionInformationExpiredStrategy` has no access to the `FilterChain`.
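The custom filter the issue describes, written out as an added example (this is not the reporter's code nor part of Spring Security; the class name and constructor injection of a `SessionRegistry` are assumptions). It expires nothing itself: it only invalidates the container session whose `SessionInformation` was already marked expired, then hands the request on so `ExceptionTranslationFilter` can apply its entry point.

```java
import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.session.SessionInformation;
import org.springframework.security.core.session.SessionRegistry;

/**
 * Illustrative filter (assumed name). If the SessionInformation for the current
 * HttpSession has been expired (e.g. by a back-channel logout that only knows the
 * session id), invalidate the HttpSession and continue the chain instead of
 * redirecting. The downstream filters then see an unauthenticated request and
 * ExceptionTranslationFilter applies the configured AuthenticationEntryPoint,
 * exactly as it does for a session that never existed or timed out.
 */
public class ExpiredSessionInvalidatingFilter extends HttpFilter {

    private final SessionRegistry sessionRegistry;

    public ExpiredSessionInvalidatingFilter(SessionRegistry sessionRegistry) {
        this.sessionRegistry = sessionRegistry;
    }

    @Override
    protected void doFilter(HttpServletRequest request, HttpServletResponse response,
                            FilterChain chain) throws IOException, ServletException {
        // Never create a session here; a request without one has nothing to expire.
        HttpSession session = request.getSession(false);
        if (session != null) {
            SessionInformation info = sessionRegistry.getSessionInformation(session.getId());
            if (info != null && info.isExpired()) {
                // Drop the registry entry, the container session and any security
                // context already loaded for this request, but write no response:
                // ExceptionTranslationFilter decides how to answer.
                sessionRegistry.removeSessionInformation(session.getId());
                session.invalidate();
                SecurityContextHolder.clearContext();
            }
        }
        chain.doFilter(request, response);
    }
}
```

Register it in the filter chain where `ConcurrentSessionFilter` would normally sit (after the security context is loaded and before `ExceptionTranslationFilter`) so the cleared context is what the later filters observe.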