
Thread: Spring security session timeout and JQuery

  1. #1
    Spring security session timeout and JQuery

    Hi, I am trying to find a good way to handle the case where the session times out and an ajax call is made to a protected resource, /account for example.

    Currently my ajax call returns the login page html since an unauthenticated request to /account redirects to the login page.

    Any good ideas on how to handle? Thx

  2. #2

    Check out gmail and similar mail services.

  3. #3
    What??

    That advice is not great. I ended up just parsing every ajax response and trying to match on "Login Page". If I match then I can do a javascript redirect to the login page.

  4. #4

    Hi

    I'm sure there are other solutions, but here's mine:
    Code:
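    // Imports use Spring Security 2.x package names
    import java.io.IOException;
    import javax.servlet.*;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import org.springframework.security.AuthenticationException;
    import org.springframework.security.ui.webapp.AuthenticationProcessingFilterEntryPoint;

    public class AjaxAwareAuthenticationEntryPoint extends AuthenticationProcessingFilterEntryPoint
    {
       public void commence(ServletRequest request, ServletResponse response, AuthenticationException authException) throws IOException, ServletException
       {
          if (((HttpServletRequest)request).getServletPath().equals("/ajax")) {
             // Ajax request: send a status code the client script can test for
             ((HttpServletResponse)response).sendError(601, "");
          } else {
             // Regular request: default behaviour (redirect/forward to the login page)
             super.commence(request, response, authException);
          }
       }
    }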
    The idea - all Ajax requests must be identifiable so SpringSecurity can handle them in a special way (to send an HTTP return code instead of a redirect/forward to the login page).

    and in JQuery (actually DOJO, but the idea is common), you use:
    Code:
          error: function(responseObject, ioArgs) {
             if (responseObject.status == 601) {
                // reload entire page - this leads to login page
                window.location.reload();
             } else {
                dojo.byId('wait').style.display = 'none';
             }
          }


    regards
    Grzegorz Grzybek

  5. #5
    Cool idea

    That looks like a good idea. Another similar idea I had was to set a request header on the XHR request object and check that using a custom form-login authentication-success-handler-ref. In there I could check to see if the header exists and if so I would know it was an ajax request. The reason I thought to do this was because both ajax and non-ajax requests would be accessing regular urls and I don't have any urls that have the "/ajax", although that is also a good idea.

    Thanks

    fyi setting a custom request header in jquery is pretty easy, using the beforeSend(XMLHttpRequest) function - http://api.jquery.com/jQuery.ajax/

  6. #6

    @scranthdaddy - using HTTP headers to determine if there's an AJAX request is a good idea. I've used dedicated servlet mapping because usually AJAX requests have partial responses and standard requests are used to render the entire web page.

    And also please check that with XMLHttpRequest (which lies below JQuery, Dojo et al) you get some extra "X-something" HTTP headers.

    regards
    Grzegorz Grzybek
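
The header-based variant discussed in posts #5 and #6, modelled end to end as an added example; it is not part of the thread and is not Spring Security or jQuery code. Status 601 is the custom code from post #4 and `X-Requested-With` is the header jQuery sends on same-origin XHR; the `/login` path, the function names and the sample requests are constructed for illustration.

```javascript
// Added example: a model of the exchange, not Spring Security or jQuery code.
const AJAX_HEADER = "x-requested-with";  // sent by jQuery on same-origin XHR
const SESSION_EXPIRED = 601;             // custom status from post #4
const LOGIN_URL = "/login";              // assumed login page path

// HTTP header names are case-insensitive, so look them up lowercased.
function header(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? null : String(headers[key]);
}

// Server side, reached only after the request was found unauthenticated.
// The header is client-controlled: it selects the response format and is
// never consulted for the access decision itself.
function commence(request) {
  if (header(request.headers, AJAX_HEADER) === "XMLHttpRequest") {
    return { status: SESSION_EXPIRED, headers: {}, body: "" };
  }
  return { status: 302, headers: { Location: LOGIN_URL }, body: "" };
}

// XMLHttpRequest follows redirects itself, so script never sees the 302,
// only the login page delivered with status 200.
function asSeenByXhr(response) {
  if (response.status === 302) {
    return { status: 200, headers: {}, body: "<title>Login Page</title>" };
  }
  return response;
}

// Client side: the decision made in the success/error callbacks.
function clientAction(response) {
  if (response.status === SESSION_EXPIRED) return "reload-page";
  return response.status === 200 ? "render-body" : "show-error";
}

// Constructed requests for /account after the session has expired.
const plainXhr = { path: "/account", headers: {} };
const markedXhr = { path: "/account", headers: { "X-Requested-With": "XMLHttpRequest" } };

function run(request) {
  return clientAction(asSeenByXhr(commence(request)));
}

console.log(run(plainXhr));   // login HTML would be rendered into the page
console.log(run(markedXhr));  // client reloads and lands on the login page
```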
