Hello,

I have a web application using Spring (version 2.5), Spring Security (version 2.0.5) and DWR. I am facing an issue when the session times out.
On session timeout the application should redirect the user to the login page, but that is not happening. When the timeout has occurred and the user then clicks on any of the links in the application, the user is taken to the target page for the clicked link but with no data, since the data is user specific and the user id is not found in the session. In Spring Security 3.0 this feature is readily available.

But I have no option of upgrading either Spring or Spring Security at present. In such a case, how can I redirect the user to a desired page when the timeout occurs? I tried implementing a session timeout filter, but I ended up finding that it was actually a wrong approach. That filter was getting called in the chain even when an invalid session was found.

Code:
<?xml version="1.0" encoding="UTF-8"?>

<beans:beans xmlns="http://www.springframework.org/schema/security"
			 xmlns:beans="http://www.springframework.org/schema/beans"
			 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
			 xsi:schemaLocation="http://www.springframework.org/schema/beans 
								 http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
								 http://www.springframework.org/schema/security 
								 http://www.springframework.org/schema/security/spring-security-2.0.4.xsd">

    <global-method-security secured-annotations="enabled">
        <!-- AspectJ pointcut expression that locates our "post" method and applies security that way
        <protect-pointcut expression="execution(* bigbank.*Service.post*(..))" access="ROLE_TELLER"/>
        -->
    </global-method-security>
    
    <http auto-config="true">
        <intercept-url pattern="/" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
        <intercept-url pattern="/index.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
        <intercept-url pattern="/welcomeGuest.do" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
        <intercept-url pattern="/*.do" access="ROLE_ADMIN, ROLE_STANDARD"/>
        <intercept-url pattern="/*.dwr" access="ROLE_ADMIN, ROLE_STANDARD"/>
        <form-login login-page="/welcomeGuest.do" 
                    login-processing-url="/j_spring_security_check" 
                    default-target-url="/home.do"
                    authentication-failure-url="/welcomeGuest.do?login_error=1"/>
    </http>
    
     .....
</beans:beans>

Below is a portion from Spring Security logs.

Code:
12:51:22,240 DEBUG HttpSessionContextIntegrationFilter:255 - SecurityContextHolder now cleared, as request processing completed
12:58:59,834 DEBUG FilterChainProxy:205 - Converted URL to lowercase, from: '/dwr/call/plaincall/yguserservice.invokegethomepageleftpanecontent.dwr'; to: '/dwr/call/plaincall/yguserservice.invokegethomepageleftpanecontent.dwr'
12:58:59,834 DEBUG FilterChainProxy:212 - Candidate is: '/dwr/call/plaincall/yguserservice.invokegethomepageleftpanecontent.dwr'; pattern is /**; matched=true
12:58:59,834 DEBUG FilterChainProxy:385 - /dwr/call/plaincall/YGUserService.invokeGetHomePageLeftPaneContent.dwr at position 1 of 10 in additional filter chain; firing Filter: 'org.springframework.security.context.HttpSessionContextIntegrationFilter[ order=200; ]'
12:58:59,834 DEBUG HttpSessionContextIntegrationFilter:274 - No HttpSession currently exists
12:58:59,834 DEBUG HttpSessionContextIntegrationFilter:209 - New SecurityContext instance will be associated with SecurityContextHolder
12:58:59,834 DEBUG FilterChainProxy:385 - /dwr/call/plaincall/YGUserService.invokeGetHomePageLeftPaneContent.dwr at position 2 of 10 in additional filter chain; firing Filter: 'org.springframework.security.ui.logout.LogoutFilter[ order=300; ]'
12:58:59,834 DEBUG FilterChainProxy:385 - /dwr/call/plaincall/YGUserService.invokeGetHomePageLeftPaneContent.dwr at position 3 of 10 in additional filter chain; firing Filter: 'org.springframework.security.ui.webapp.AuthenticationProcessingFilter[ order=700; ]'
12:58:59,834 DEBUG FilterChainProxy:385 - /dwr/call/plaincall/YGUserService.invokeGetHomePageLeftPaneContent.dwr at position 4 of 10 in additional filter chain; firing Filter: 'org.springframework.security.ui.basicauth.BasicProcessingFilter[ order=1000; ]'
12:58:59,834 DEBUG BasicProcessingFilter:115 - Authorization header: null
12:58:59,834 DEBUG FilterChainProxy:385 - /dwr/call/plaincall/YGUserService.invokeGetHomePageLeftPaneContent.dwr at position 5 of 10 in additional filter chain; firing Filter: 'org.springframework.security.wrapper.SecurityContextHolderAwareRequestFilter[ order=1100; ]'
12:58:59,834 DEBUG SavedRequestAwareWrapper:92 - Wrapper not replaced; no session available for SavedRequest extraction
12:58:59,834 DEBUG FilterChainProxy:385 - /dwr/call/plaincall/YGUserService.invokeGetHomePageLeftPaneContent.dwr at position 6 of 10 in additional filter chain; firing Filter: 'org.springframework.security.ui.rememberme.RememberMeProcessingFilter[ order=1200; ]'
12:59:00,038 DEBUG FilterChainProxy:385 - /dwr/call/plaincall/YGUserService.invokeGetHomePageLeftPaneContent.dwr at position 7 of 10 in additional filter chain; firing Filter: 'org.springframework.security.providers.anonymous.AnonymousProcessingFilter[ order=1300; ]'
12:59:00,038 DEBUG AnonymousProcessingFilter:93 - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.providers.anonymous.AnonymousAuthenticationToken@69ec09e9: Principal: roleAnonymous; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.ui.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
12:59:00,038 DEBUG FilterChainProxy:385 - /dwr/call/plaincall/YGUserService.invokeGetHomePageLeftPaneContent.dwr at position 8 of 10 in additional filter chain; firing Filter: 'org.springframework.security.ui.ExceptionTranslationFilter[ order=1400; ]'
12:59:00,038 DEBUG FilterChainProxy:385 - /dwr/call/plaincall/YGUserService.invokeGetHomePageLeftPaneContent.dwr at position 9 of 10 in additional filter chain; firing Filter: 'org.springframework.security.ui.SessionFixationProtectionFilter[ order=1600; ]'
12:59:00,038 DEBUG FilterChainProxy:385 - /dwr/call/plaincall/YGUserService.invokeGetHomePageLeftPaneContent.dwr at position 10 of 10 in additional filter chain; firing Filter: 'org.springframework.security.intercept.web.FilterSecurityInterceptor@2eb6e9'
12:59:00,038 DEBUG DefaultFilterInvocationDefinitionSource:196 - Converted URL to lowercase, from: '/dwr/call/plaincall/yguserservice.invokegethomepageleftpanecontent.dwr'; to: '/dwr/call/plaincall/yguserservice.invokegethomepageleftpanecontent.dwr'
12:59:00,038 DEBUG DefaultFilterInvocationDefinitionSource:224 - Candidate is: '/dwr/call/plaincall/yguserservice.invokegethomepageleftpanecontent.dwr'; pattern is /; matched=false
12:59:00,038 DEBUG DefaultFilterInvocationDefinitionSource:224 - Candidate is: '/dwr/call/plaincall/yguserservice.invokegethomepageleftpanecontent.dwr'; pattern is /index.jsp; matched=false
12:59:00,038 DEBUG DefaultFilterInvocationDefinitionSource:224 - Candidate is: '/dwr/call/plaincall/yguserservice.invokegethomepageleftpanecontent.dwr'; pattern is /welcomeguest.do; matched=false
12:59:00,038 DEBUG DefaultFilterInvocationDefinitionSource:224 - Candidate is: '/dwr/call/plaincall/yguserservice.invokegethomepageleftpanecontent.dwr'; pattern is /uploadimage.do; matched=false
12:59:00,038 DEBUG DefaultFilterInvocationDefinitionSource:224 - Candidate is: '/dwr/call/plaincall/yguserservice.invokegethomepageleftpanecontent.dwr'; pattern is /forgotpassword.do; matched=false
12:59:00,038 DEBUG DefaultFilterInvocationDefinitionSource:224 - Candidate is: '/dwr/call/plaincall/yguserservice.invokegethomepageleftpanecontent.dwr'; pattern is /resetpassword.do; matched=false
12:59:00,038 DEBUG DefaultFilterInvocationDefinitionSource:224 - Candidate is: '/dwr/call/plaincall/yguserservice.invokegethomepageleftpanecontent.dwr'; pattern is /*.htm; matched=false
12:59:00,038 DEBUG DefaultFilterInvocationDefinitionSource:224 - Candidate is: '/dwr/call/plaincall/yguserservice.invokegethomepageleftpanecontent.dwr'; pattern is /*.do; matched=false
12:59:00,038 DEBUG DefaultFilterInvocationDefinitionSource:224 - Candidate is: '/dwr/call/plaincall/yguserservice.invokegethomepageleftpanecontent.dwr'; pattern is /*.dwr; matched=false
12:59:00,038 DEBUG AbstractSecurityInterceptor:241 - Public object - authentication not attempted
12:59:00,038 DEBUG FilterChainProxy:374 - /dwr/call/plaincall/YGUserService.invokeGetHomePageLeftPaneContent.dwr reached end of additional filter chain; proceeding with original chain
12:59:00,194 DEBUG ExceptionTranslationFilter:104 - Chain processed normally
12:59:00,194 DEBUG HttpSessionContextIntegrationFilter:389 - SecurityContext contents are anonymous - context will not be stored in HttpSession. 
12:59:00,194 DEBUG HttpSessionContextIntegrationFilter:255 - SecurityContextHolder now cleared, as request processing completed

Kindly guide me in achieving the desired result.

Thanks,
Jignesh
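
In the log above, every intercept-url pattern returns matched=false for the DWR call and the interceptor then logs "Public object - authentication not attempted": in Ant-style matching `*` covers a single path segment, so `/*.dwr` never matches a URL under `/dwr/call/plaincall/`. The fragment below is an added example, not part of the original post, showing the posted `<http>` element with a DWR pattern that covers nested paths; the `/**/*.dwr` pattern is an assumption about which URLs the application wants protected.

```xml
<!-- Added example (constructed): drop-in for the <http> element of the posted
     file. Spring Security 2.0.x namespace, Ant-style paths (the default). -->
<http auto-config="true">
    <!-- Public pages come first, because the first matching pattern wins. -->
    <intercept-url pattern="/" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <intercept-url pattern="/index.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <intercept-url pattern="/welcomeGuest.do" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <!-- Any other public patterns from the real file stay here, unchanged. -->

    <!-- As posted. "/*.do" has single-segment scope: it matches /home.do
         but not /some/dir/page.do. -->
    <intercept-url pattern="/*.do" access="ROLE_ADMIN, ROLE_STANDARD"/>

    <!-- As posted, this was:
             <intercept-url pattern="/*.dwr" access="ROLE_ADMIN, ROLE_STANDARD"/>
         The logged request is
             /dwr/call/plaincall/YGUserService.invokeGetHomePageLeftPaneContent.dwr
         which has three directories before the file name, so "/*.dwr" gave
         matched=false and the call was treated as a public object.
         "/**/" matches zero or more directories, so the pattern below covers
         the logged call while leaving non-.dwr resources untouched. -->
    <intercept-url pattern="/**/*.dwr" access="ROLE_ADMIN, ROLE_STANDARD"/>

    <form-login login-page="/welcomeGuest.do"
                login-processing-url="/j_spring_security_check"
                default-target-url="/home.do"
                authentication-failure-url="/welcomeGuest.do?login_error=1"/>
</http>
```

Once a protected pattern matches, the anonymous request created after the timeout fails the access check in FilterSecurityInterceptor and ExceptionTranslationFilter sends it to the form-login page. A DWR call is an XMLHttpRequest, so that redirect is received by the script instead of the browser window, and the page's DWR error handling has to act on it.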