
  • Re-login after timeout restarts timedout-request

    Hi everyone,

    I have an application using Spring 3.1 and Spring Security.

    In my web.xml I have
    Code:
    <session-config>  
            <session-timeout>15</session-timeout>  
    </session-config>
    and in my application-security.xml
    Code:
    <http auto-config="true">
        <!-- intercepted urls to check for user rights -->
        <intercept-url pattern="/login.html" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <intercept-url pattern="/resources/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <intercept-url pattern="/**" access="ROLE_USER" />

        <!-- login form -->
        <form-login login-page="/login.html"
                    default-target-url="/welcome.html"
                    authentication-failure-url="/login.html?error=bad-credentials" />
        <logout logout-success-url="/login.html" invalidate-session="true"/>
        <remember-me user-service-ref="customAuthenticationProvider"/>
        <access-denied-handler error-page="/login.html?error=access-denied"/>
    </http>
    which works great and redirects to my login form after timeout. It's interesting to notice here, though, that the timeout doesn't redirect to the application entry point (index.jsp, which forwards to j_spring_security_logout and goes back to the login page) but directly to the login page (I don't understand why, since for me the timeout is not handled by Spring; maybe I am mistaken).

    Anyway, when there is a timeout and the user tries to launch a request (for example: upload a file), the user is redirected to the login page, then the user types his credentials and the timed-out request is launched again.

    My problem is that when it's this "upload a file" request, an http-error-405 is triggered when the user logs back in. Apart from this error, I don't want to keep track of the timed-out request and just want to go back to the welcome page at any time.

    Any way of doing that? Or maybe forcing a complete logout when there is a timeout?

    Thanks/Regards
    Antoine

  • #2
    It seems I have found a solution, modifying this:
    Code:
    <http auto-config="true">
        <!-- intercepted urls to check for user rights -->
        <intercept-url pattern="/index.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <intercept-url pattern="/login.html" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <intercept-url pattern="/resources/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
        <intercept-url pattern="/**" access="ROLE_USER" />

        <!-- login form -->
        <form-login login-page="/index.jsp"
                    default-target-url="/welcome.html"
                    authentication-failure-url="/login.html?error=bad-credentials" />
        <logout logout-success-url="/login.html" invalidate-session="true" />
        <remember-me user-service-ref="customAuthenticationProvider"/>
        <access-denied-handler error-page="/login.html?error=access-denied"/>
    </http>
    My index.jsp was actually never called; Spring seems to override the application entry point defined in the web.xml.
    So I added it to the intercepted URLs and made it my login form address.
    That way, if the user enters the application (application URL without servlet) or has a timeout, he is forwarded to j_spring_security_logout, logged out and redirected to the login form. That way I'm sure that the timed-out request won't be executed.

    (I'll probably add an index.html controller that checks if the session is valid or not and either forwards to my welcome page or the login form when the user enters the application, so erasing the servlet address wouldn't log out the user.)

    Anyway, if anyone has a better solution, please let me know, else it works fine.
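
An alternative to the workaround in post #2, as an added example that is not part of the thread and not the poster's code: the Spring Security namespace can ignore the saved request after login with `always-use-default-target`, and a `NullRequestCache` stops the timed-out request from being stored at all (either setting alone prevents the replay). The bean id `nullRequestCache` is a name chosen here, and the `beans:` prefix assumes the security schema is the file's default namespace, as the unprefixed `<http>` in the posts suggests.

```xml
<http auto-config="true">
    <intercept-url pattern="/login.html" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <intercept-url pattern="/resources/**" access="IS_AUTHENTICATED_ANONYMOUSLY" />
    <intercept-url pattern="/**" access="ROLE_USER" />

    <!-- always-use-default-target="true": after a successful login, always
         redirect to default-target-url instead of the request that triggered
         the login (for example the timed-out file upload) -->
    <form-login login-page="/login.html"
                default-target-url="/welcome.html"
                always-use-default-target="true"
                authentication-failure-url="/login.html?error=bad-credentials" />

    <!-- Do not store the intercepted request in the session at all -->
    <request-cache ref="nullRequestCache" />

    <logout logout-success-url="/login.html" invalidate-session="true" />
    <remember-me user-service-ref="customAuthenticationProvider" />
    <access-denied-handler error-page="/login.html?error=access-denied" />
</http>

<!-- Hypothetical bean id; the class is part of Spring Security 3.x -->
<beans:bean id="nullRequestCache"
            class="org.springframework.security.web.savedrequest.NullRequestCache" />
```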
