Spring Security does not time out with Ajax polling

I can not get the session to timeout when polling with Ajax using spring security 3.1.

Relevant information:

• All requests are Ajax, but can differentiate between Views and Data requests.
• 3/4 of all views contain polling data requests
• The views that do not contain polling timeout effectively and displays the login page.
• I know the Last Access Time on Tomcat is being updated because Security applies to all requests.

Is there any helpful tips to help me keep security requirements for the request, but keep Tomcat from updating the last access time for Ajax Data requests? We are using a custom Javascript library with jquery widgets.

What other information do you guys need?

This is really a question for your container (i.e. Tomcat) as Spring Security does not control the timeout of the HttpSession. In practice, I have not seen anything that would support this directly. One option is to keep track of activity on the client side and force a logout if no activity has occurred after a certain amount of time.

The reason I asked here is because the SecurityContextPersistenceFilter calls getSession() for every request.

My plan is to create a filter which adds a data last access time parameter to the session. The only time this is added is when a data call is made and there is not a parameter. If a view is called, I will clear the parameter from the session. If the parameter is present I will use logic similar to tomcat to determine if I should invalidate the session. This should solve my problems.

Let me know what you guys think.

Quote:

---

Originally Posted by robersonadam

The reason I asked here is because the SecurityContextPersistenceFilter calls getSession() for every request.

---

This is necessary to get the Authentication information (i.e. is the user logged in, what user is it, do they have access to this resource, etc). If the URL's are public (i.e. you want everyone to see them) you can instruct Spring Security to ignore the URL using http@security=none and it will not access the session. As I recall the strict interpretation of the specification is that the timeout is reset just by making a request (not necessarily just by accessing the HttpSession). Therefore limiting access to the HttpSession may not work for you anyways.

Quote:

---

My plan is to create a filter which adds a data last access time parameter to the session. The only time this is added is when a data call is made and there is not a parameter. If a view is called, I will clear the parameter from the session. If the parameter is present I will use logic similar to tomcat to determine if I should invalidate the session. This should solve my problems.

Let me know what you guys think.

---

How you decide to implement keeping track of the timeout (i.e. using javascript on the client or on the server) is up to you. Either way I think this is the approach you are going to need.

Here is my filter for anyone else looking for a solution to this type of issue. I put this filter in my web.xml before the security filter.

Code:

---

package com.example.filter;

import java.io.IOException;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.web.filter.OncePerRequestFilter;

public class DataSessionTimeoutFilter extends OncePerRequestFilter {

        public static String AJAX_DATA_LAST_ACCESS_TIME = "AjaxDataLastAccessTime";

        @Override
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
                        throws ServletException, IOException {

                HttpSession session = request.getSession(false);
                if (session != null) {
                        if (request.getRequestURI() != null) {
                                int index = request.getRequestURI().indexOf(".html");
                                if (index > 0) {
                                        session.removeAttribute(AJAX_DATA_LAST_ACCESS_TIME);
                                } else {
                                        Long lastAccess = (Long) session.getAttribute(AJAX_DATA_LAST_ACCESS_TIME);
                                        if (lastAccess == null) {
                                                lastAccess = System.currentTimeMillis();
                                                session.setAttribute(AJAX_DATA_LAST_ACCESS_TIME, lastAccess);
                                        } else {
                                                if (((session.getMaxInactiveInterval() * 1000) - (System.currentTimeMillis() - lastAccess)) < 0) {
                                                        session.invalidate();
                                                }
                                        }
                                }
                        }
                }
                filterChain.doFilter(request, response);
        }
}

---