  • Spring Security + JSF + view expired + ajax

    Hi everybody,

    We are doing an app with Spring Security and JSF2 (among other things).

    Now, the user logs in; suppose he is away and his session expires.
    He then tries to click a JSF button, resulting in an ajax request.
    Obviously he gets "Access Denied" and should be redirected to an "access denied page" (login in my case).

    Spring logs say everything is just fine: Access Denied, redirect, everything OK.
    But the browser DOES NOT DO A SINGLE THING.
    Using Firebug I see the URL for the ajax POST has been moved (302, that's correct) and a request to my login page was initiated (using GET, obviously).
    But this request never completes and the browser is never redirected!

    After some googling I found that since it's still processing an ajax request the redirect won't work (they say ajax doesn't know what to do with it because it expects an ajax response, not an HTTP redirect - I'm trying to stay away from JavaScript, so pardon my lack of knowledge).

    The solution people are posting is to check if the request is ajax and if so send the redirect in XML; if not, send the usual HTTP one.

    This could be easily done (at least I think so) in a custom implementation of RedirectStrategy.

    But the strategy is used in AuthenticationEntryPoint (LoginUrlAuthenticationEntryPoint in my case) and this class does not support injection of a custom strategy (marked as final).

    Is my approach wrong in general?
    If not, why is the redirect strategy defined as final? (I can work it out with my custom AuthenticationEntryPoint but I'm not feeling good about it for some reason.)

    Thanks for any pointers.
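
The approach described in the post (send an XML redirect for ajax requests, a normal HTTP redirect otherwise), sketched as a custom AuthenticationEntryPoint. This is an added example, not part of the original post and not Spring Security's own code. It assumes the `javax.servlet` API, that JSF 2 ajax requests carry the `Faces-Request: partial/ajax` header, and a hypothetical class name and login path.

```java
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;

// Hypothetical class name; illustrative only.
public class AjaxAwareLoginEntryPoint implements AuthenticationEntryPoint {

    // Context-relative path fixed in configuration, e.g. "/login.xhtml" (assumed value).
    private final String loginPath;

    public AjaxAwareLoginEntryPoint(String loginPath) {
        this.loginPath = loginPath;
    }

    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response,
                         AuthenticationException authException) throws IOException {
        // The target is built only from server-side configuration, never from
        // request parameters, so the redirect cannot be steered to another site.
        String target = response.encodeRedirectURL(request.getContextPath() + loginPath);

        if ("partial/ajax".equals(request.getHeader("Faces-Request"))) {
            // JSF 2 ajax request: the client script expects a partial-response
            // document and follows its <redirect> element itself.
            response.setStatus(HttpServletResponse.SC_OK);
            response.setContentType("text/xml");
            response.setCharacterEncoding("UTF-8");
            response.setHeader("Cache-Control", "no-cache, no-store");
            response.getWriter()
                    .append("<?xml version=\"1.0\" encoding=\"UTF-8\"?>")
                    .append("<partial-response><redirect url=\"")
                    .append(escapeXmlAttribute(target))
                    .append("\"/></partial-response>");
        } else {
            // Ordinary (non-ajax) request: a plain 302 is handled by the browser.
            response.sendRedirect(target);
        }
    }

    // Escape characters that would break out of the url="..." attribute.
    private static String escapeXmlAttribute(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;")
                .replace(">", "&gt;").replace("\"", "&quot;");
    }
}
```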