Redirecting PrimeFaces processing Ajax requests to session timeout in Spring Security

I am trying to get the JSF web interface to redirect back to the login page (in Spring Security) when the session timed out.

I tried using meta refresh, but it causes an undesirable side effect that the meta refresh time will not be updated if only AJAX controls are used on the page. This means that the page can be updated while you use it, because you did not go to another page and only made AJAX calls to the server. I have not found a way to easily change this behavior using Primefaces.

Spring Security sends an HTTP 302 error message back to Primefaces when the session has expired, however Primefaces simply ignores the redirect request. You can find out when the session has expired because the Primefaces controls stop responding because their AJAX calls do not succeed.

I am using Primefaces 3.4.2 and Spring Security 3.1.4, running on Glassfish 3.1.2.2.

+4
1 answer

This is a problem with the default method that Spring Security sends redirects back to the client. The default method for sending redirects to a client is the HTML method for sending a 302 “Temporarily moved” response, however this does not work for AJAX clients. The AJAX client interprets this as a redirection to a new location to send / receive their data, and not as a page redirection. The right way to get the AJAX client to redirect the browser to a new page is the same as a regular HTML request:

    <?xml version="1.0" encoding="UTF-8"?>
    <partial-response>
        <redirect url="http://your.url.here/"></redirect>
    </partial-response>

To override the invalid default session strategy used by Spring Security, you need to create a SessionManagementFilter bean in the Spring configuration and pass it a class that implements InvalidSessionStrategy and sends the correct redirect response when the request is received via HTML or AJAX:

    <bean id="sessionManagementFilter" class="org.springframework.security.web.session.SessionManagementFilter">
        <constructor-arg name="securityContextRepository" ref="httpSessionSecurityContextRepository" />
        <property name="invalidSessionStrategy">
            <bean class="yourpackage.JsfRedirectStrategy">
                <constructor-arg name="invalidSessionUrl" value="/your_session_expired_page.xhtml" />
            </bean>
        </property>
    </bean>
    <bean id="httpSessionSecurityContextRepository" class="org.springframework.security.web.context.HttpSessionSecurityContextRepository"/>

Then you need to add this filter to your <security:http> block:

    <security:http use-expressions="true">
        <security:custom-filter ref="sessionManagementFilter" before="SESSION_MANAGEMENT_FILTER" />
        ...
    </security:http>

A custom session control filter will now be created when your application starts, and the provided invalid session strategy class will be executed whenever an expired session is found.

A good example of how to implement an invalid session strategy can be found here: https://gist.github.com/banterCZ/5160269

A similar question using IceFaces is available here: JSF 2, Spring Security 3.x, and Richfaces 4 redirect to session login page for ajax requests

+12
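
A sketch of the invalid session strategy class the answer's bean definition refers to, added here as an example; it is not the code from the linked gist or from the original answer. It assumes the javax.servlet API and that JSF Ajax requests carry the standard `Faces-Request: partial/ajax` header; the class name and constructor argument mirror the bean definition above.

```java
package yourpackage;

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.web.session.InvalidSessionStrategy;

public class JsfRedirectStrategy implements InvalidSessionStrategy {

    private final String invalidSessionUrl;

    public JsfRedirectStrategy(String invalidSessionUrl) {
        // Accept only a fixed, context-relative path from configuration, so the
        // redirect target can never point at another host.
        if (invalidSessionUrl == null || !invalidSessionUrl.startsWith("/")
                || invalidSessionUrl.startsWith("//")) {
            throw new IllegalArgumentException("invalidSessionUrl must be a context-relative path");
        }
        this.invalidSessionUrl = invalidSessionUrl;
    }

    @Override
    public void onInvalidSessionDetected(HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {
        // Issue a fresh session so the follow-up request does not arrive with the
        // stale session id and trigger this strategy again.
        request.getSession(true);
        String target = request.getContextPath() + invalidSessionUrl;

        if ("partial/ajax".equals(request.getHeader("Faces-Request"))) {
            // JSF Ajax client: answer with a partial-response redirect instead of a 302.
            response.setContentType("text/xml");
            response.setCharacterEncoding("UTF-8");
            response.setHeader("Cache-Control", "no-cache, no-store");
            response.getWriter().write("<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
                    + "<partial-response><redirect url=\"" + escapeXmlAttribute(target)
                    + "\"></redirect></partial-response>");
        } else {
            // Regular page request: a normal HTTP redirect works. The URL is not passed
            // through encodeRedirectURL, which keeps the session id out of the address.
            response.sendRedirect(target);
        }
    }

    private static String escapeXmlAttribute(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;")
                .replace(">", "&gt;").replace("\"", "&quot;");
    }
}
```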

Source: https://habr.com/ru/post/1483790/

