5

It seems a very common problem. But I couldn't find any working solution. We are using Richafaces 4, Myfaces 2.0.5 and Spring security 3.0.X.

On session time for ajax/non ajax requests, the user should be redirected to log in page.after logging back he should be shown the previously performed ajax/non ajax operation.

We are not facing any issue with non ajax requests. But for ajax requests, the user is not redirected to log in page.

I have followed this link https://community.jboss.org/message/729913#729913 and implemented servlet approach. the solution worked in Firefox, not in IE 8.

There could be one more problem even if it is properly redirected to log in page on session time out. I am expecting a ViewExpiredException on successful login for the previously invoked ajax request.

I wanted to bring the ViewExpiredException, since both these problems could be related each other.

Any solutions/leads will be appreciated.

Bo Persson
  • 90,663
  • 31
  • 146
  • 203
RAVI J
  • 53
  • 1
  • 4
  • custom sessionManagementFilter and jsfredirect strategy fixed the application session time out issue on ajax requests. We are facing another issue on SSO session time out. SSO is being used in our company, user id is passed in request header to the application. Assume SSO session is timed out, application session is still active, Now if the user is performed any ajax request then SSO will interfere and tries to redirect to SSO login page. Ajax is unable to parse sso repsone and it becomes irresponsive on the page. Any solutions/leads will be appreciated. Thanks Ravi – RAVI J Apr 27 '12 at 18:48

2 Answers2

6

Since you use Spring Security 3.0.x, you can use custom sessionManagementFilter as described here

The class com.icesoft.spring.security.JsfRedirectStrategy is available here

If you are using Spring Security 3.1.x make these changes

 <beans:bean id="sessionManagementFilter" class="org.springframework.security.web.session.SessionManagementFilter">
    <beans:constructor-arg name="securityContextRepository" ref="httpSessionSecurityContextRepository" />
            <!-- this permits redirection to session timeout page from javascript/ajax or http -->
    <beans:property name="invalidSessionStrategy" ref="jsfRedirectStrategy" />
</beans:bean>

<beans:bean id="jsfRedirectStrategy" class="com.icesoft.spring.security.JsfRedirectStrategy">
  <beans:constructor-arg name="invalidSessionUrl" value="/general/logins/sessionExpired.jsf" />
</beans:bean>
<beans:bean id="httpSessionSecurityContextRepository" class="org.springframework.security.web.context.HttpSessionSecurityContextRepository"/>

The only change to the JSFRedirectStrategy class are the first few lines:

public class JsfRedirectStrategy implements InvalidSessionStrategy {
protected final Log logger = LogFactory.getLog(getClass()); 
     private String invalidSessionUrl;
private boolean contextRelative;

public JsfRedirectStrategy(String invalidSessionUrl){
    this.invalidSessionUrl=invalidSessionUrl;
}

@Override
public void onInvalidSessionDetected(HttpServletRequest request,
        HttpServletResponse response) throws IOException, ServletException {
    String redirectUrl = calculateRedirectUrl(request.getContextPath(), invalidSessionUrl);

This works with IE8 also. If you are interested you can look at this blog also, but I never tried this as the above was much easier.

FYI: If you do not do Spring there are many ways to do this: Primefaces does this on their site. link Or even simpler by importing Omnifaces jar link

Ravi Kadaboina
  • 8,494
  • 3
  • 30
  • 42
  • Hi Ravi, Thanks for the solution. It worked for me.I have done few changes in redirect stratgey. saving the current requet in request cache for non ajax requests, so that the user will be redirected to previous request when he logged back, however we are not storing the ajax requests in request cache before redirecting. the user will be redirected to default home page after logged back. if ajax requests are stored in request cache, then view expired exception is coming. Ideally we want the previuos ajax request to be performed when user logged back after session time out. Thanks Ravi J – RAVI J Apr 18 '12 at 20:35
  • We have shifted to client STATE_SAVING_METHOD as ours is an intranet application, so we do not get any view expired exceptions. But anyways I am glad it helped you. Please mark the answer accepted if it has worked for you... – Ravi Kadaboina Apr 18 '12 at 22:44
  • @Ravi Thanks for the inspiration, here there is [my JsfRedirectStrategy implementation](https://gist.github.com/banterCZ/5160269) – banterCZ Mar 22 '13 at 14:11
0

I merge Ravi's answer with How to set a custom invalid session strategy in Spring Security.

It modify the filter instead of creating a new one. Can split in multiple class if you want too.

    public class JSFRedirectStrategy implements InvalidSessionStrategy,
    BeanPostProcessor {

/**
 * JSF header
 */
private static final String FACES_REQUEST_HEADER = "faces-request";

/**
 * URL
 */
private String invalidSessionUrl;

public void setInvalidSessionUrl(String invalidSessionUrl) {
    this.invalidSessionUrl = invalidSessionUrl;
}

/**
 * {@inheritDoc}
 */
@Override
public void onInvalidSessionDetected(HttpServletRequest request,
        HttpServletResponse response) throws IOException, ServletException {
    String ajaxRedirectXml;
    String requestURI;

    // Force nouvelle session
    request.getSession(true);

    if ("partial/ajax".equals(request.getHeader(FACES_REQUEST_HEADER))) {
        requestURI = request.getContextPath() + invalidSessionUrl;
        requestURI = response.encodeRedirectURL(requestURI);
        ajaxRedirectXml = createAjaxRedirectXml(requestURI);
        response.setContentType("text/xml");
        response.getWriter().write(ajaxRedirectXml);
    } else {
        response.sendRedirect(response
                .encodeRedirectURL(getRequestUrl(request)));
    }
}

/**
 * Obtenir la requete qu'il voulait appeler
 * 
 * @param request
 * @return
 */
private String getRequestUrl(HttpServletRequest request) {
    StringBuffer requestURL;
    String queryString;

    requestURL = request.getRequestURL();
    queryString = request.getQueryString();
    if (!JavaUtil.isNullOrEmpty(queryString))
        requestURL.append("?").append(queryString);
    return requestURL.toString();
}

/**
 * XML redirect
 * 
 * @param redirectUrl
 * @return
 */
private String createAjaxRedirectXml(String redirectUrl) {
    return new StringBuilder()
            .append("<?xml version=\"1.0\" encoding=\"UTF-8\"?>")
            .append("<partial-response><redirect url=\"")
            .append(redirectUrl)
            .append("\"></redirect></partial-response>").toString();
}

@Override
public Object postProcessBeforeInitialization(Object bean, String beanName)
        throws BeansException {
    SessionManagementFilter filter;
    if (bean instanceof SessionManagementFilter) {
        filter = (SessionManagementFilter) bean;
        filter.setInvalidSessionStrategy(this);
    }
    return bean;
}

@Override
public Object postProcessAfterInitialization(Object bean, String beanName)
        throws BeansException {
    return bean;
}}
    <!-- Afin de gerer l'ajax lorsque spring redirige vers la page auth -->
<bean id="jsfRedirectStrategy" class="JSFRedirectStrategy" >
    <property name="invalidSessionUrl" value="/authentification.qc" />
</bean>
Community
  • 1
  • 1
Jonathan Laterreur
  • 1
  • 1