
Thread: Spring Security does not time out with Ajax polling

  1. #1

    Spring Security does not time out with Ajax polling

    I cannot get the session to time out when polling with Ajax using Spring Security 3.1.

    Relevant information:

    • All requests are Ajax, but I can differentiate between View and Data requests.
    • 3/4 of all views contain polling data requests.
    • The views that do not contain polling time out correctly and display the login page.
    • I know the Last Access Time on Tomcat is being updated because Security applies to all requests.


    Are there any helpful tips to help me keep the security requirements for the request, but keep Tomcat from updating the last access time for Ajax Data requests? We are using a custom JavaScript library with jQuery widgets.

    What other information do you guys need?

  2. #2

    This is really a question for your container (i.e. Tomcat) as Spring Security does not control the timeout of the HttpSession. In practice, I have not seen anything that would support this directly. One option is to keep track of activity on the client side and force a logout if no activity has occurred after a certain amount of time.
    Rob Winch
    Twitter @rob_winch
    Spring Security Lead
    Spring by Pivotal
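The client-side alternative suggested above, as an added example that is not part of the thread or of Spring Security: the poll loop is gated on an idle tracker that only real user input (not the polls themselves) refreshes, so the server session is never kept alive by polling alone. The 30-minute limit and the /data/poll and /logout URLs are assumptions.

```javascript
// Added example (not from the thread): client-side idle tracking so that Ajax
// polling does not keep the server session alive indefinitely. The tracker is
// pure logic and runs anywhere; the DOM wiring at the bottom only installs
// itself when a browser `window` exists.

class IdleTracker {
  // maxIdleMs: how long without user activity before we force a logout
  constructor(maxIdleMs, now = Date.now()) {
    this.maxIdleMs = maxIdleMs;
    this.lastActivity = now;
    this.loggedOut = false;
  }
  // Call on real user input (mouse, keyboard, touch). Poll requests never call this,
  // which is the whole point: they must not count as activity.
  recordActivity(now = Date.now()) {
    if (!this.loggedOut) this.lastActivity = now;
  }
  idleFor(now = Date.now()) { return now - this.lastActivity; }
  isExpired(now = Date.now()) { return this.idleFor(now) >= this.maxIdleMs; }
  // Decide what a poll tick should do: 'poll', 'logout' (once) or 'idle' (already out).
  tick(now = Date.now()) {
    if (this.loggedOut) return 'idle';
    if (this.isExpired(now)) { this.loggedOut = true; return 'logout'; }
    return 'poll';
  }
}

// Run pollFn every intervalMs while the user is active; stop polling and call
// logoutFn once the idle limit is reached so the server session can expire.
function installPolling(tracker, pollFn, logoutFn, intervalMs) {
  const timer = setInterval(() => {
    const action = tracker.tick();
    if (action === 'poll') pollFn();
    else if (action === 'logout') { clearInterval(timer); logoutFn(); }
  }, intervalMs);
  return timer;
}

if (typeof window !== 'undefined') {
  // Assumption: the server's session-timeout is 30 minutes; keep the two in step.
  const tracker = new IdleTracker(30 * 60 * 1000);
  ['mousemove', 'keydown', 'click', 'touchstart'].forEach(ev =>
    window.addEventListener(ev, () => tracker.recordActivity(), { passive: true }));
  installPolling(tracker,
    () => fetch('/data/poll', { credentials: 'same-origin' }), // assumed data URL
    () => { window.location.href = '/logout'; },               // assumed logout URL
    5000);
}
```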

  3. #3

    The reason I asked here is because the SecurityContextPersistenceFilter calls getSession() for every request.

    My plan is to create a filter which adds a data last access time parameter to the session. The only time this is added is when a data call is made and there is not a parameter. If a view is called, I will clear the parameter from the session. If the parameter is present I will use logic similar to Tomcat to determine if I should invalidate the session. This should solve my problems.

    Let me know what you guys think.

  4. #4

    Quote Originally Posted by robersonadam:
        The reason I asked here is because the SecurityContextPersistenceFilter calls getSession() for every request.
    This is necessary to get the Authentication information (i.e. is the user logged in, what user is it, do they have access to this resource, etc). If the URLs are public (i.e. you want everyone to see them) you can instruct Spring Security to ignore the URL using http@security=none and it will not access the session. As I recall the strict interpretation of the specification is that the timeout is reset just by making a request (not necessarily just by accessing the HttpSession). Therefore limiting access to the HttpSession may not work for you anyways.

    Quote Originally Posted by robersonadam:
        My plan is to create a filter which adds a data last access time parameter to the session. The only time this is added is when a data call is made and there is not a parameter. If a view is called, I will clear the parameter from the session. If the parameter is present I will use logic similar to Tomcat to determine if I should invalidate the session. This should solve my problems.

        Let me know what you guys think.
    How you decide to implement keeping track of the timeout (i.e. using JavaScript on the client or on the server) is up to you. Either way I think this is the approach you are going to need.
    Rob Winch
    Twitter @rob_winch
    Spring Security Lead
    Spring by Pivotal

  5. #5

    Here is my filter for anyone else looking for a solution to this type of issue. I put this filter in my web.xml before the security filter.

    Code:
    package com.example.filter;

    import java.io.IOException;

    import javax.servlet.FilterChain;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import javax.servlet.http.HttpSession;

    import org.springframework.web.filter.OncePerRequestFilter;

    /**
     * Tracks the start of a "polls only" window in the session, because the container
     * resets its own last-access time on every request, Ajax polls included.
     * Mapped in web.xml before springSecurityFilterChain.
     */
    public class DataSessionTimeoutFilter extends OncePerRequestFilter {

    	public static final String AJAX_DATA_LAST_ACCESS_TIME = "AjaxDataLastAccessTime";

    	@Override
    	protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
    			throws ServletException, IOException {

    		// Never create a session here: an anonymous request has nothing to time out.
    		HttpSession session = request.getSession(false);
    		if (session != null && request.getRequestURI() != null) {
    			if (request.getRequestURI().indexOf(".html") > 0) {
    				// A view request is real user activity: drop the polling window.
    				session.removeAttribute(AJAX_DATA_LAST_ACCESS_TIME);
    			} else {
    				// A data (polling) request: remember when the polls-only window started...
    				Long lastAccess = (Long) session.getAttribute(AJAX_DATA_LAST_ACCESS_TIME);
    				if (lastAccess == null) {
    					session.setAttribute(AJAX_DATA_LAST_ACCESS_TIME, System.currentTimeMillis());
    				} else {
    					// ...and invalidate once only polls have arrived for longer than the
    					// container's idle timeout. A non-positive interval means "never expires",
    					// so it must not be treated as already elapsed.
    					long maxInactiveMillis = session.getMaxInactiveInterval() * 1000L;
    					if (maxInactiveMillis > 0 && System.currentTimeMillis() - lastAccess > maxInactiveMillis) {
    						session.invalidate();
    					}
    				}
    			}
    		}
    		filterChain.doFilter(request, response);
    	}
    }
