
Thread: requestCache null when using session-management -> invalid-session-url

  1. #1

    requestCache null when using session-management -> invalid-session-url

    I'm using the following config:

    Code:
    <http auto-config="false" use-expressions="true" entry-point-ref="loginUrlAuthenticationEntryPoint">
    	<session-management invalid-session-url="/login.htm?sessionTimeout=true" /> 
    	<intercept-url pattern="/login.htm**" filters="none" />
    	<intercept-url pattern="/**" access="isAuthenticated()" />
    	<!-- FORM_LOGIN_FILTER-->
    	<custom-filter position="FORM_LOGIN_FILTER" ref="customUsernamePasswordAuthenticationFilter" />
    ...

    Two of the filters auto-created by <http> are:
    SessionManagementFilter, which calls ExceptionTranslationFilter.

    ExceptionTranslationFilter is the one that populates the requestCache, via:

    Code:
    protected void sendStartAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain,
            AuthenticationException reason) throws ServletException, IOException {
        ...
        requestCache.saveRequest(request, response);

    BUT, this code never gets called when the invalid-session-url is defined, since in that case the SessionManagementFilter performs a redirect BEFORE calling the ExceptionTranslationFilter:

    Code:
    if (invalidSessionUrl != null) {
        ...
        redirectStrategy.sendRedirect(request, response, invalidSessionUrl);
        return;
    }

    chain.doFilter(request, response);

    Shouldn't the SessionManagementFilter populate the request cache before calling the redirect?

  2. #2
    Luke Taylor (Senior Member, Spring Team)

    The invalid-session-url implies that the previous session has expired and the user should start again. There's no connection with the RequestCache which is used for restoring a request after a user has logged in.
    Spring - by Pivotal
    twitter @tekul

  3. #3

    common

    Thanks for the reply Luke, I see you're the author of a bunch of these classes.

    Wouldn't you agree it's a common use case?
    1 - user's session times out
    2 - they are redirected to login with the message "Sorry your session expired."
    3 - After they log in, they are taken back to the original GET request

    When I leave everything to defaults (and don't set the invalidSessionUrl), I get sent back to the original page stored in the RequestCache, but the login page isn't notified that a session expired.

    When I set the invalidSessionUrl, I notify the login page that a session expired, but I don't have a way to get back to my original page.

    One way to implement this would be to append the original request URL as the targetUrlParameter in the invalidSessionURL. So I could define my sessionInvalidURL to be "/login.htm?error=sessionExpired&targetUrl=${originalUrl}".

  4. #4
    Luke Taylor (Senior Member, Spring Team)

    You could certainly customise it like that if you wish, but I don't think it should work that way by default. When a session expires you can't know that it is safe to continue with the requested URL as some required state may have been lost along with the session. It may be OK in your particular case, but it's not a safe assumption in general.
    Spring - by Pivotal
    twitter @tekul
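
The customisation discussed in posts #3 and #4, sketched as an added example that is not code from the thread or from Spring Security. Because a `targetUrl` query parameter is client-controlled, it is checked both when the redirect is built and again after login, so it cannot become an open redirect. The class and method names are hypothetical, and the application is assumed to be deployed at the root context.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

// Added example: a hypothetical helper, not a Spring Security class.
public class SessionExpiredRedirect {
    static final String LOGIN_URL = "/login.htm?sessionTimeout=true"; // from the thread's config
    static final String DEFAULT_TARGET = "/"; // assumed landing page

    // Redirect location for a request that arrived with an expired session.
    // Only GET requests are remembered; anything else starts again at login.
    static String loginRedirect(String method, String pathAndQuery) {
        if (!"GET".equals(method) || !isSafeTarget(pathAndQuery)) {
            return LOGIN_URL;
        }
        return LOGIN_URL + "&targetUrl=" + URLEncoder.encode(pathAndQuery, StandardCharsets.UTF_8);
    }

    // After login: the parameter came back from the browser, so validate it again.
    // Expects the already-decoded value, as returned by request.getParameter().
    static String postLoginTarget(String targetUrlParam) {
        return isSafeTarget(targetUrlParam) ? targetUrlParam : DEFAULT_TARGET;
    }

    // Accept only a path inside this application: a single leading slash,
    // no scheme, no host, no backslashes or control characters, not the login page.
    static boolean isSafeTarget(String t) {
        if (t == null || !t.startsWith("/") || t.startsWith("//") || t.startsWith("/login.htm")) {
            return false;
        }
        if (t.chars().anyMatch(c -> c == '\\' || c < 0x20 || c == 0x7f)) {
            return false;
        }
        try {
            URI u = new URI(t);
            return u.getScheme() == null && u.getRawAuthority() == null;
        } catch (URISyntaxException e) {
            return false; // unparseable values are rejected rather than repaired
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not taken from the thread.
        System.out.println(loginRedirect("GET", "/reports/view.htm?id=7"));
        System.out.println(loginRedirect("POST", "/reports/save.htm"));
        System.out.println(postLoginTarget("/reports/view.htm?id=7"));
        System.out.println(postLoginTarget("//other.example/"));
        System.out.println(postLoginTarget("https://other.example/"));
    }
}
```

Whether the remembered page still works without the state lost with the session remains the application's decision, as post #4 points out.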
