Spring – How to deal with session timeouts in AJAX requests

jsfjsf-2primefacesspringspring-security

I am using Spring-Security and Primefaces as view. How can i redirect user to login page after session timeout? I have a Tabview and several tabs inside it. so I need to deal with session timeouts in ajax requests. Is there any solution?

Spring-security.xml file

<beans:beans xmlns="http://www.springframework.org/schema/security"
         xmlns:beans="http://www.springframework.org/schema/beans" 
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd">



<http auto-config='true' use-expressions="true">
    <intercept-url pattern="/login" access="permitAll"/>
    <intercept-url pattern="/pages/*" access="hasRole('admin')" />
    <intercept-url pattern="/j_spring_security_check" access="permitAll"/>        
    <logout logout-success-url="/login.xhtml" />
    <form-login login-page="/login.xhtml"
                login-processing-url="/j_spring_security_check"                                                       
                default-target-url="/pages/index.xhtml"
                always-use-default-target="true"                                                        
                authentication-failure-url="/login.xhtml"/>
</http>


<!--Authentication Manager Details -->    
<authentication-manager alias="authenticationManager">
    <authentication-provider user-service-ref="customUserDetailsService">
        <!--            <password-encoder hash="md5"/>-->
    </authentication-provider>
</authentication-manager>

Best Answer

If you put namespace configuration aside and use "pure" beans configuration, you could customize the ExceptionTranslationFilter to make it bypass the configured AuthenticationEntryPoint in the case of an ajax request. An example of this is explained in details here.

The idea of the ExceptionTranslationFilter is that it detects that an AuthenticationException or an AccessDeniedException as been thrown before executing the request. In these cases, normally it should launch the authenticationEntryPoint if the user is not logged in. In the case of an AccessDeniedException and the user is logged in, the ExceptionTranslationFilter would normally just return an http status code 403 (access forbidden).

But, if you can customize the ExceptionTranslationFilter as in the blog post mentionned above, you can detect if the rejected request is an ajax one by looking at the http headers. In this case, instead of calling the AuthenticationEntryPoint, wich would send a redirection, you can do as the thread balusC mentionned, but in the ExceptionTranslationFilter instead of doing it in a jsf ExceptionHandler.

Hope this help.

Related Solutions

Spring Security with Openid and Database Integration

As I see that question text itself contains the answer. I am just pulling it out and posting it as the answer for the sake of clarity to other developers with the same problem. It took me a while to figure out that question has the answer!

To access user email & name, you need to add below configuration in the security xml file.

<security:attribute-exchange identifier-match="https://www.google.com/.*">
    <security:openid-attribute name="email" type="http://schema.openid.net/contact/email" required="true" />
    <security:openid-attribute name="firstName" type="http://axschema.org/namePerson/first" required="true" />
    <security:openid-attribute name="lastName" type="http://axschema.org/namePerson/last" required="true" />
</security:attribute-exchange>
<security:attribute-exchange identifier-match=".*yahoo.com.*">
    <security:openid-attribute name="email" type="http://axschema.org/contact/email" required="true"/>
    <security:openid-attribute name="fullname" type="http://axschema.org/namePerson" required="true" />
</security:attribute-exchange>

Thereafter, it will be accessible in the AuthenticationUserDetailsService class, as shown below.

public UserDetails loadUserDetails(OpenIDAuthenticationToken token) {
    String id = token.getIdentityUrl();
        :
        :
    List attributes = token.getAttributes();
    for (OpenIDAttribute attribute : attributes) {
        if (attribute.getName().equals("email")) {
            email = attribute.getValues().get(0);
        }
        if (attribute.getName().equals("firstName")) {
            firstName = attribute.getValues().get(0);
        }
        if (attribute.getName().equals("lastName")) {
            lastName = attribute.getValues().get(0);
        }
        if (attribute.getName().equals("fullname")) {
            fullName = attribute.getValues().get(0);
        }
    }
        :
        :
    // form and return user object
}

Considering that we use more of Java-based configuration/beans now, translating these XML configuration to Java-based configuration shouldn't be a problem.

Hope it helps.

Java – Spring MVC: Controller RequestMapping working, but return always gives a 404

I suspect that you problem is in your servlet mapping. /* will force everything through your dispatcher servlet, including jsps. Try losing the *. I'll find the relevant part in the servlet spec and update....

From the servlet spec:

12.2 Specification of Mappings In the Web application deployment descriptor, the following syntax is used to define mappings: A string beginning with a ‘/’ character and ending with a ‘/*’ suffix is used for path mapping.

A string beginning with a ‘*.’ prefix is used as an extension mapping.

The empty string ("") is a special URL pattern that exactly maps to the application's context root, i.e., requests of the form . In this case the path info is ’/’ and the servlet path and context path is empty string (““).

A string containing only the ’/’ character indicates the "default" servlet of the application. In this case the servlet path is the request URI minus the context path and the path info is null.

All other strings are used for exact matches only.

So if you specify /* that overrides the *.jsp mapping, so jsp requests get routed back into your dispatcher servlet instead of hitting the jsp.

Best Answer

Related Solutions

Spring Security with Openid and Database Integration

Java – Spring MVC: Controller RequestMapping working, but return always gives a 404

Related Topic