how to forward instead of redirect when session expired
theone
Mar 21st, 2007, 01:22 PM
Is there a way to forward the request instead of redirect?
Here is the scenario: the user is challenged with the login page when they click on a URL and the session is expired. After a successful login, I would like acegi to forward that request instead of redirecting it.
The reason being that I have a single page application. It makes ajax calls to the server and expects some fragment of html to be returned, and then refreshes the view. The way acegi is redirecting the url now after the session expired causes the response to be displayed in a new page.
The ideal solution is to tell acegi to forward the request if the session expired.
Can someone suggest how to go about doing this?
Or how can I tell acegi to discard the url and take the user back to the beginning, thus reloading the entire page?
Thank you
Luke Taylor
Mar 21st, 2007, 01:40 PM
You can use the serverSideRedirect property of AuthenticationProcessingFilterEntryPoint to forward to the login page rather than redirect. There's normally no way you can detect whether a session has expired or the user is starting a new session unless you pass something in with the request.
theone
Mar 21st, 2007, 03:02 PM
I tried your suggestion with serverSideRedirect but that didn't seem to do anything, it's still redirecting.
fonz
Aug 30th, 2007, 04:37 AM
Have you found a solution on this?
I have exactly the same problem.... (ajax page and session timeout)
bye
chris
jonnio
Aug 30th, 2007, 06:51 AM
You can apply an exception mapper that will forward to a specific view page.
fadetoblack
Sep 10th, 2007, 03:26 PM
You can use the serverSideRedirect property of AuthenticationProcessingFilterEntryPoint to forward to the login page rather than redirect. There's normally no way you can detect whether a session has expired or the user is starting a new session unless you pass something in with the request.
How do you determine when a new session is created? Also, is there a way I can write a hook or callback that is executed whenever a new one is created?
Thanks
Luke Taylor
Sep 11th, 2007, 08:40 AM
You can subscribe to session creation and destroyed events by setting up the appropriate listener in your web.xml. See the documentation on Acegi Security concurrent session handling which uses this feature.
Also, my statement about not being able to detect a request from an expired session is incorrect. The servlet API supplies methods on the request object which you can use:
http://java.sun.com/j2ee/1.4/docs/api/javax/servlet/http/HttpServletRequest.html#getRequestedSessionId()
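An added example, not part of the post above and not Acegi's own code: a servlet filter that uses `getRequestedSessionId()` together with `isRequestedSessionIdValid()` to recognise an Ajax request arriving on an expired session and answer it with a 401 plus a marker header, so the login redirect is never rendered into the single-page view. The class name, the `X-Session-Expired` header and the reliance on the `X-Requested-With: XMLHttpRequest` convention are assumptions of this example.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical filter: map it in web.xml ahead of the Acegi filter chain, on protected Ajax URLs only. */
public class ExpiredSessionAjaxFilter implements Filter {

    // Assumed names: X-Requested-With is a convention of common Ajax libraries,
    // X-Session-Expired is invented for this example.
    private static final String AJAX_HEADER = "X-Requested-With";
    private static final String EXPIRED_HEADER = "X-Session-Expired";

    public void init(FilterConfig config) {}

    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // The client presented a session id, but the container no longer holds that session.
        boolean expired = request.getRequestedSessionId() != null
                && !request.isRequestedSessionIdValid();
        // Client-controlled header: it only selects the response format, it never grants access.
        boolean ajax = "XMLHttpRequest".equals(request.getHeader(AJAX_HEADER));

        if (expired && ajax) {
            // Return a status the page script can test instead of a login redirect
            // whose HTML would be swapped into the view as if it were the fragment.
            response.setHeader(EXPIRED_HEADER, "true");
            response.setHeader("Cache-Control", "no-store");
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        chain.doFilter(req, res); // everything else passes through to Acegi unchanged
    }
}
```

The page script can check for status 401 or the marker header and reload the whole page, which sends the user through the normal login flow.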
fadetoblack
Sep 11th, 2007, 03:03 PM
The thing is, I'm not actually interested in an httpsession creation event. By session I meant more of an acegi login session. So for example, on the login page when the form is submitted to j_acegi_security_check, I need to somehow capture that. I also need to capture the case when acegi's 'remember me' filter is used but a login session is still created.
Luke Taylor
Sep 11th, 2007, 05:33 PM
The framework publishes events through the spring context which you can subscribe to. See
http://acegisecurity.org/acegi-security/xref/org/acegisecurity/event/authentication/AbstractAuthenticationEvent.html
and its subclasses as well as Spring's event publishing mechanism.
The LoggerListener is a class which writes these events to the log:
http://acegisecurity.org/acegi-security/xref/org/acegisecurity/event/authorization/LoggerListener.html
It depends on exactly what you want to do though. If you need more specialized behaviour on login then you can extend AuthenticationProcessingFilter.
fadetoblack
Sep 12th, 2007, 09:09 AM
Thanks for the help. Before I read your last post I actually ended up doing it by implementing the ConcurrentSessionController interface and doing whatever I needed to do in the registerSuccessfulAuthentication(Authentication authentication) method. I created a bean for that class and added it to the authenticationManager. This way seems to work, but do you think I would be better off using the event publishing method with LoggerListener? The thing is in this case I don't care about commons logging, the whole purpose of this was to log sessions to a database.
Luke Taylor
Sep 12th, 2007, 01:24 PM
I wasn't suggesting you use LoggerListener, just providing it as an example of how to use events. It wasn't even clear that your requirement was for logging at all. Using events would make the most sense for auditing the use of the app.
renatopb
Jan 17th, 2008, 04:57 AM
How bad would it sound to ask for ACEGI to include a response header when the session expires?