Good morning, I'm working with Spring Boot 1.4.2.RELEASE, Spring Security 4.1.3.RELEASE, and Java 8.
For the security configuration I have the following class:
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.builders.WebSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

    @Configuration
    @EnableWebSecurity
    public class SecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        public void configure(WebSecurity web) throws Exception {
            web.ignoring().antMatchers("/assets/**", "/logout", "/login");
        }

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .sessionManagement() // Commenting out these lines works: 1
                    .sessionFixation() // 2
                    .migrateSession() // 3
                    .maximumSessions(1) // 4
                    .maxSessionsPreventsLogin(true).expiredUrl("/login").and()
                    .invalidSessionUrl("/login") // 5
                    .and() // 6
                .authorizeRequests()
                    .antMatchers("/app/**").authenticated()
                    .antMatchers("/about").permitAll()
                    .anyRequest().authenticated().and()
                .formLogin()
                    .loginPage("/login").permitAll()
                    .loginProcessingUrl("/auth").permitAll()
                    .defaultSuccessUrl("/app/index", true)
                    .failureUrl("/login?error")
                    .usernameParameter("uid")
                    .passwordParameter("pwd").and()
                .logout()
                    .permitAll()
                    .invalidateHttpSession(true)
                    .logoutUrl("/logout").permitAll()
                    .logoutSuccessUrl("/login").permitAll()
                    .clearAuthentication(true).and()
                .exceptionHandling().and()
                .csrf().disable()
                .headers().frameOptions().disable()
                    .cacheControl().and();
        }
    }
The problem is that when I try to access "/about", which I have configured with "permitAll", I would expect to be able to access it, but the request redirects me to "/login". I try it a second time and now it lets me access "/about" without problems.
I have changed the authorization order of the requests, commenting out the line anyRequest().authenticated(), and it has not worked. However, I noticed that when I delete the sessionManagement lines (1 to 6), everything works normally.
Do I need any extra configuration?