[Springframework-user] Spring Security + AJAX Session Timeout issue
Alessandro Ferrucci
2014-05-28 12:00:06 UTC
Hello,
I have a Spring MVC application which loads data dynamically through AJAX.
All AJAX entry points are protected and the user must be authenticated in
order to access the AJAX endpoints.

I need my front-end code to know when a session timeout occurs during an
AJAX request. I have implemented this using a LoginUrlAuthenticationEntryPoint
implementation: if the HTTP request contains the "X-Requested-With" header
with a value of "XMLHttpRequest", I send back a 403 error code.

This works for the most part; the issue is that on the very first AJAX
request, Spring performs a redirect and I get a 302 followed by a redirect
to my login page. On all subsequent AJAX requests the correct 403 comes
back.

Below is the relevant Spring security config and the
AjaxAwareAuthenticationEntryPoint source.

Side note: I have also tried this using the request matcher implementation
outlined here:
http://distigme.wordpress.com/2012/11/01/ajax-and-spring-security-form-based-login/
and I get the exact same results.

Any ideas?

Thanks!
Alessandro Ferrucci

<beans:bean id="authenticationEntryPoint"
            class="mojo.ocs.web.AjaxAwareAuthenticationEntryPoint">
    <beans:constructor-arg name="loginUrl" value="/login"/>
</beans:bean>

<!-- ENTRY POINT REF IMPLEMENTATION -->
<http auto-config="true" use-expressions="true"
      access-denied-page="/accessdenied"
      entry-point-ref="authenticationEntryPoint">
    <intercept-url pattern="/login" access="isAnonymous()"/>
    <intercept-url pattern="/loginfailed" access="isAnonymous()"/>
    <intercept-url pattern="/welcome" access="isAuthenticated()"/>
    <intercept-url pattern="/" access="isAuthenticated()"/>
    <intercept-url pattern="/private_res/**" access="isAuthenticated()"/>
    <intercept-url pattern="/tne/**" access="isAuthenticated()"/>
    <intercept-url pattern="/team_reports/**" access="isAuthenticated()"/>
    <form-login login-page="/login" default-target-url="/welcome"
                always-use-default-target="true"
                authentication-failure-url="/loginfailed"/>
    <logout delete-cookies="JSESSIONID" logout-success-url="/logout"
            invalidate-session="true"/>
    <session-management invalid-session-url="/login"/>
</http>

This is the AjaxAwareAuthenticationEntryPoint:

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;

public class AjaxAwareAuthenticationEntryPoint extends LoginUrlAuthenticationEntryPoint {

    public AjaxAwareAuthenticationEntryPoint(String loginUrl) {
        super(loginUrl);
    }

    @Override
    public void commence(HttpServletRequest request,
                         HttpServletResponse response,
                         AuthenticationException authException)
            throws IOException, ServletException {
        // Browser XHR libraries mark their requests with this header.
        String ajaxHeader = request.getHeader("X-Requested-With");
        boolean isAjax = "XMLHttpRequest".equals(ajaxHeader);
        if (isAjax) {
            // AJAX callers get a bare 403 so the front end can detect the expired session.
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "Ajax Request Denied (Session Expired)");
        } else {
            // Ordinary navigation still gets the redirect to the login page.
            super.commence(request, response, authException);
        }
    }
}
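Added example, not the poster's code and not part of Spring Security: with `<session-management invalid-session-url="/login"/>` in the configuration above, a request that still presents the JSESSIONID of a timed-out session is handled by SessionManagementFilter's invalid-session strategy, which redirects before the authentication entry point is ever consulted, so the AJAX check has to be applied there as well. The class name is hypothetical, the package is the poster's, and the `invalid-session-strategy-ref` wiring assumes Spring Security 3.2 or later.

```java
package mojo.ocs.web; // the poster's package; this class is hypothetical
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.web.session.InvalidSessionStrategy;
import org.springframework.security.web.session.SimpleRedirectInvalidSessionStrategy;

/**
 * Invalid-session handler for SessionManagementFilter. A request that still
 * carries the JSESSIONID of a timed-out session is handled here, before the
 * authentication entry point is reached, so the AJAX check must live here too.
 *
 * Wiring (replaces invalid-session-url in the <session-management> element):
 *   <beans:bean id="ajaxInvalidSessionStrategy"
 *       class="mojo.ocs.web.AjaxAwareInvalidSessionStrategy">
 *     <beans:constructor-arg value="/login"/>
 *   </beans:bean>
 *   <session-management invalid-session-strategy-ref="ajaxInvalidSessionStrategy"/>
 */
public class AjaxAwareInvalidSessionStrategy implements InvalidSessionStrategy {
    private static final String AJAX_HEADER = "X-Requested-With";
    private static final String AJAX_VALUE = "XMLHttpRequest";

    // Spring Security's stock strategy handles the browser-navigation case.
    private final InvalidSessionStrategy redirect;

    public AjaxAwareInvalidSessionStrategy(String invalidSessionUrl) {
        this.redirect = new SimpleRedirectInvalidSessionStrategy(invalidSessionUrl);
    }

    static boolean isAjax(HttpServletRequest request) {
        return AJAX_VALUE.equals(request.getHeader(AJAX_HEADER));
    }

    @Override
    public void onInvalidSessionDetected(HttpServletRequest request,
                                         HttpServletResponse response)
            throws IOException, ServletException {
        if (isAjax(request)) {
            // Same status the entry point sends, so the front end watches one code.
            // The stale cookie is not replaced: XHR calls keep getting 403 until re-login.
            response.setHeader("Cache-Control", "no-store");
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "Session expired");
        } else {
            redirect.onInvalidSessionDetected(request, response);
        }
    }
}
```

The entry point above still covers requests that arrive with no session at all; this strategy covers the stale-session case that otherwise produces the 302.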
Lachezar Dobrev
2014-05-28 15:58:12 UTC
To work around this kind of problem I have added an instance of the
Remember-Me infrastructure that adds cookies with a session-only lifetime.
That allows requests to be re-authenticated and re-authorised even if
the session has timed out.
_______________________________________________
Springframework-user mailing list
https://lists.sourceforge.net/lists/listinfo/springframework-user
Gabriel Nascimento
2014-06-08 15:53:59 UTC
remove me from this list
--
Java Google Search Engine
http://www.google.com/coop/cse?cx=005506632761844726871%3Asmfqscqavok
Alessandro Ferrucci
2014-06-08 17:03:07 UTC
You can unsubscribe yourself. Google how to.

Sent from my iPhone