requestCache null when using session-management -> invalid-session-url
This topic is closed

  • requestCache null when using session-management -> invalid-session-url

    I'm using the following config:

    <http auto-config="false" use-expressions="true" entry-point-ref="loginUrlAuthenticationEntryPoint">
        <session-management invalid-session-url="/login.htm?sessionTimeout=true" />
        <intercept-url pattern="/login.htm**" filters="none" />
        <intercept-url pattern="/**" access="isAuthenticated()" />
        <!-- FORM_LOGIN_FILTER -->
        <custom-filter position="FORM_LOGIN_FILTER" ref="customUsernamePasswordAuthenticationFilter" />
        <!-- rest of the configuration not shown -->
    </http>

    Two of the filters auto-created by <http> are:
    SessionManagementFilter, which calls ExceptionTranslationFilter.

    ExceptionTranslationFilter is the one that populates the requestCache, via:

    protected void sendStartAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain,
                AuthenticationException reason) throws ServletException, IOException {
        requestCache.saveRequest(request, response);
        // ... rest of the method not shown
    }

    BUT, this code never gets called when the invalid-session-url is defined, since in that case the SessionManagementFilter performs a redirect BEFORE calling the ExceptionTranslationFilter:

    if (invalidSessionUrl != null) {
        redirectStrategy.sendRedirect(request, response, invalidSessionUrl);
        return; // the rest of the filter chain is never invoked
    }
    chain.doFilter(request, response);

    Shouldn't the SessionManagementFilter populate the request cache before calling the redirect?

  • #2
    The invalid-session-url implies that the previous session has expired and the user should start again. There's no connection with the RequestCache which is used for restoring a request after a user has logged in.


    • #3

      Thanks for the reply Luke, I see you're the author of a bunch of these classes.

      Wouldn't you agree it's a common use case?
      1 - user's session times out
      2 - they are redirected to login with the message "Sorry your session expired."
      3 - After they log in, they are taken back to original GET request

      When I leave everything to defaults (and don't set the invalidSessionUrl), I get sent back to the original page stored in the RequestCache, but the login page isn't notified that a session expired.

      When I set the invalidSessionUrl, I notify the login page that a session expired, but I don't have a way to get back to my original page.

      One way to implement this would be to append the original request URL as the targetUrlParameter in the invalidSessionURL. So I could define my sessionInvalidURL to be "/login.htm?error=sessionExpired&targetUrl=${originalUrl}".


      • #4
        You could certainly customise it like that if you wish, but I don't think it should work that way by default. When a session expires you can't know that it is safe to continue with the requested URL as some required state may have been lost along with the session. It may be OK in your particular case, but it's not a safe assumption in general.
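The customisation discussed in this thread, as an added example that is not part of any post and is not Spring Security's own code: an invalid-session handler that saves the original request in the server-side RequestCache before redirecting, so the URL never travels in a client-controlled `targetUrl` parameter, and that follows the caveat in #4 by saving only plain GET requests. It assumes Spring Security 3.2 or later (where the `InvalidSessionStrategy` interface exists) and the `javax.servlet` API; the class name and the `isSafeToReplay` helper are hypothetical.

```java
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.web.DefaultRedirectStrategy;
import org.springframework.security.web.RedirectStrategy;
import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
import org.springframework.security.web.savedrequest.RequestCache;
import org.springframework.security.web.session.InvalidSessionStrategy;

// Hypothetical class: redirects to the "session expired" login page but first
// records where the user was going, so the default saved-request-aware success
// handler can send them back after they log in again.
public class SavingInvalidSessionStrategy implements InvalidSessionStrategy {

    private final String invalidSessionUrl;
    // Same session-backed cache that ExceptionTranslationFilter uses by default.
    private final RequestCache requestCache = new HttpSessionRequestCache();
    private final RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();

    public SavingInvalidSessionStrategy(String invalidSessionUrl) {
        this.invalidSessionUrl = invalidSessionUrl;
    }

    @Override
    public void onInvalidSessionDetected(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        // The old session is gone; create a fresh one to hold the saved request.
        request.getSession();
        if (isSafeToReplay(request)) {
            requestCache.saveRequest(request, response);
        }
        redirectStrategy.sendRedirect(request, response, invalidSessionUrl);
    }

    // State needed by a POST or an AJAX call may have been lost with the old
    // session, so only ordinary page GETs are remembered for replay.
    static boolean isSafeToReplay(HttpServletRequest request) {
        return "GET".equals(request.getMethod())
                && !"XMLHttpRequest".equals(request.getHeader("X-Requested-With"));
    }
}
```

An instance constructed with "/login.htm?sessionTimeout=true" is registered on SessionManagementFilter through its `setInvalidSessionStrategy` method in place of the plain invalid-session URL.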