Thread: Failing to redirect to login page with ajax request (Spring security, webflow, jsf)

  1. #1
    Join Date
    Nov 2011
    Posts
    5

    Hello,

    there is a problem when the session has expired (or the browser cache is deleted): if the user clicks on an ajax element, an ajax request will be sent. It should be redirected to the login.xhtml. If the request is not an ajax one, it works fine and the page will be redirected, but if it is an ajax request it does not work.

    In the firefox webconsole it appears as if the request is sent:

    GET: https://..... /logint.xthml:jsessionid=55B2EF959186CC0DCED7347C8F 95A79F

    but nothing happens.

    I'm guessing it fails to recognize that it is an ajax request and the AuthenticationEntryPoint does not send the expected response.

    Using Spring Security 3.1.0.RELEASE, Spring WebFlow 2.3.1.RELEASE and JSF

    Spring Security config:
    Code:
    <http use-expressions="true"
          access-decision-manager-ref="accessDecisionManager">

        <form-login login-page="/ui/account/login.xhtml"
                    always-use-default-target="true"
                    login-processing-url="/ui/j_spring_security_check"
                    authentication-failure-handler-ref="authenticationFailureHandler"
                    authentication-details-source-ref="authenticationDetailsSource" />

        <access-denied-handler ref="webAuthorizationFailedHandler"/>

        <logout logout-url="/ui/j_spring_security_logout"/>

        <port-mappings>
            <port-mapping http="${server.port.http}" https="${server.port.https}"/>
        </port-mappings>

        <intercept-url pattern="/ui/javax.faces.resource/**" access="permitAll" requires-channel="any"/>
        <intercept-url pattern="/ui/account/login.xhtml*" access="hasRole('ROLE_ANONYMOUS')" requires-channel="https"/>
        <intercept-url pattern="/ui/j_spring_security_check" access="permitAll" requires-channel="https"/>
        <intercept-url pattern="/**" access="hasRole('ROLE_AUTHORIZED_WEB_USER')" requires-channel="any"/>
    </http>
    Spring WebFlow config:
    Code:
    <bean id="securityFlowExecutionListener" class="org.springframework.webflow.security.SecurityFlowExecutionListener">
        <property name="accessDecisionManager" ref="accessDecisionManager"/>
    </bean>

    <!-- Flow Executor -->
    <flow:flow-executor id="flowExecutor">
        <flow:flow-execution-listeners>
            <flow:listener ref="securityFlowExecutionListener"/>
            <flow:listener ref="facesContextListener"/>
        </flow:flow-execution-listeners>
    </flow:flow-executor>

    <bean class="org.springframework.webflow.mvc.servlet.FlowHandlerAdapter">
        <property name="flowExecutor" ref="flowExecutor"/>
        <property name="ajaxHandler">
            <bean class="org.springframework.faces.webflow.JsfAjaxHandler" />
        </property>
    </bean>

    <bean id="facesContextListener" class="org.springframework.faces.webflow.FlowFacesContextLifecycleListener"/>
    
    ...
    Have I made a configuration mistake? Is this a bug??

    As a workaround I implemented my own AuthenticationEntryPoint, checking if the request is an ajax one and then handling it with the org.springframework.faces.webflow.JsfAjaxHandler, otherwise using the default implementation.

    Thanks in advance.
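
An added sketch of the kind of entry point the workaround above describes; it is not the poster's code and not part of Spring Security or Web Flow. The class name is hypothetical, and instead of `JsfAjaxHandler` it assumes JSF 2 clients, which mark ajax requests with the `Faces-Request: partial/ajax` header and follow a `<redirect>` element in a partial response.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;

/** Hypothetical class: answers JSF ajax requests with a partial-response redirect. */
public class AjaxAwareAuthenticationEntryPoint implements AuthenticationEntryPoint {

    private final String loginFormUrl;
    private final LoginUrlAuthenticationEntryPoint delegate;

    public AjaxAwareAuthenticationEntryPoint(String loginFormUrl) {
        this.loginFormUrl = loginFormUrl;
        this.delegate = new LoginUrlAuthenticationEntryPoint(loginFormUrl);
    }

    public void commence(HttpServletRequest request, HttpServletResponse response,
            AuthenticationException authException) throws IOException, ServletException {
        if (!isJsfAjaxRequest(request)) {
            // Normal navigation: keep the stock 302 redirect to the login page.
            delegate.commence(request, response, authException);
            return;
        }
        // The target is the fixed, server-configured login URL; nothing taken from
        // the request is reflected, and no session id is appended to it.
        String target = request.getContextPath() + loginFormUrl;
        response.setContentType("text/xml");
        response.setCharacterEncoding("UTF-8");
        response.setHeader("Cache-Control", "no-cache");
        response.getWriter().write("<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
                + "<partial-response><redirect url=\""
                + escapeXmlAttribute(target) + "\"/></partial-response>");
    }

    /** Assumption: the client is JSF 2's jsf.js, which sets this header on ajax posts. */
    static boolean isJsfAjaxRequest(HttpServletRequest request) {
        return "partial/ajax".equals(request.getHeader("Faces-Request"));
    }

    static String escapeXmlAttribute(String value) {
        return value.replace("&", "&amp;").replace("<", "&lt;")
                .replace(">", "&gt;").replace("\"", "&quot;");
    }
}
```

Such a bean would be wired in through the `entry-point-ref` attribute of the `<http>` element, constructed with the same login page path that `form-login` uses.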

  2. #2
    Join Date
    Nov 2006
    Location
    London, UK and Tallinn, Estonia
    Posts
    55

    You won't get a redirect if you make an ajax request. You would need to configure your ajax handler to detect the session timeout event and then redirect the browser to the login page (probably by changing the document.url property)
    Toby Hobson
    toby.hobson@cloudseal.com
    Single Sign on for Java - www.cloudseal.com
    Follow me on Twitter: tobyhobson

  3. #3
    Join Date
    Nov 2011
    Posts
    5

    Hi, thanks for the reply,

    the problem is that if the session timeout occurs, the ajax handler does not get any requests. A redirect will be performed by the security entry point.
    What do you mean by 'detect' session timeout? The timeout tracking will be done with standard HTTP session tracking

    in web.xml

    Code:
    <session-config>
      <session-timeout>60</session-timeout>
    </session-config>

  4. #4
    Join Date
    Nov 2011
    Posts
    5

    Any more suggestions?
