-
Dec 17th, 2010, 01:59 PM
#1
How to verify Ajax method authentication with Spring Security
Sometimes my users leave their window open until their session times out. However, if they try to click a link that makes an ajax call, I'm having problems handling the response when their session is expired.
They visually don't know they're not logged in. The app framework is Spring using Spring Security. The ajax call fires the method but it redirects to the login page because they are not logged in, so the login page is getting returned as the response instead of JSON. The controller never even executes so I can't inject another response.
Any suggestions on how to handle this? I'm thinking about making the ajax URL a public, non-secure method. Then I can handle the non-logged-in user and send a specific JSON response that the JavaScript can handle.
But I'm worried about making the ajax method unsecure.
-
Dec 17th, 2010, 04:06 PM
#2
You can create a DelegatingAuthenticationEntryPoint with a mapping of a RequestMatcher that matches your ajax requests to a custom AuthenticationEntryPoint that signals to the js code that login is required. The default AuthenticationEntryPoint could be an instance of LoginUrlAuthenticationEntryPoint.
-
Dec 29th, 2010, 05:21 PM
#3
Thanks for the reply.
Unfortunately, my app is using Spring Security 2.0.4.
-
Dec 29th, 2010, 05:33 PM
#4
The source is available, so you can always provide the implementation yourself.
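The approach suggested in reply #2, as an added example (not code from the thread or from Spring Security itself): Ajax requests get a 401 with a JSON body, everything else is redirected to the login page, and the Ajax URL stays secured. Assumptions: Spring Security 5.x with the servlet API under `javax.servlet` and spring-test on the classpath; the `X-Requested-With` header check, the `/login` URL, the JSON body, the sample paths and the class name are illustrative.

```java
import java.util.LinkedHashMap;
import javax.servlet.http.HttpServletResponse;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.DelegatingAuthenticationEntryPoint;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
import org.springframework.security.web.util.matcher.RequestHeaderRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

public final class AjaxAwareEntryPoints {
    // Assumption: the client marks Ajax calls with this header (jQuery sends it by default).
    static final RequestMatcher AJAX = new RequestHeaderRequestMatcher("X-Requested-With", "XMLHttpRequest");

    // Ajax callers get a 401 and a small JSON body instead of the login page HTML.
    static final AuthenticationEntryPoint AJAX_LOGIN_REQUIRED = (request, response, ex) -> {
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        response.setContentType("application/json");
        response.setCharacterEncoding("UTF-8");
        response.setHeader("Cache-Control", "no-store");
        response.getWriter().write("{\"error\":\"login_required\"}");
    };

    public static AuthenticationEntryPoint build() {
        // Matchers are tried in insertion order; the first match wins.
        LinkedHashMap<RequestMatcher, AuthenticationEntryPoint> entryPoints = new LinkedHashMap<>();
        entryPoints.put(AJAX, AJAX_LOGIN_REQUIRED);
        DelegatingAuthenticationEntryPoint delegating = new DelegatingAuthenticationEntryPoint(entryPoints);
        // Ordinary page requests keep the usual redirect to the login form.
        delegating.setDefaultEntryPoint(new LoginUrlAuthenticationEntryPoint("/login"));
        return delegating;
    }

    // Constructed requests standing in for an expired session, run outside a container.
    public static void main(String[] args) throws Exception {
        AuthenticationEntryPoint entryPoint = build();
        InsufficientAuthenticationException expired = new InsufficientAuthenticationException("session expired");

        MockHttpServletRequest ajax = new MockHttpServletRequest("GET", "/api/items");
        ajax.addHeader("X-Requested-With", "XMLHttpRequest");
        MockHttpServletResponse ajaxResponse = new MockHttpServletResponse();
        entryPoint.commence(ajax, ajaxResponse, expired);
        System.out.println(ajaxResponse.getStatus() + " " + ajaxResponse.getContentAsString());

        MockHttpServletResponse pageResponse = new MockHttpServletResponse();
        entryPoint.commence(new MockHttpServletRequest("GET", "/items"), pageResponse, expired);
        System.out.println(pageResponse.getStatus() + " " + pageResponse.getRedirectedUrl());
    }
}
```

The header is client-controlled, but here it only selects the shape of the "not authenticated" response, so sending or omitting it grants no access. The client-side handler can then treat a 401 as the signal to prompt for login.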