JSF 2, Spring Security 3.x and Richfaces 4 redirect to login page on session time out for ajax requests

Question

It seems a very common problem. But I couldn't find any working solution. We are using Richafaces 4, Myfaces 2.0.5 and Spring security 3.0.X.

On session time for ajax/non ajax requests, the user should be redirected to log in page.after logging back he should be shown the previously performed ajax/non ajax operation.

We are not facing any issue with non ajax requests. But for ajax requests, the user is not redirected to log in page.

I have followed this link https://community.jboss.org/message/729913#729913 and implemented servlet approach. the solution worked in Firefox, not in IE 8.

There could be one more problem even if it is properly redirected to log in page on session time out. I am expecting a ViewExpiredException on successful login for the previously invoked ajax request.

I wanted to bring the ViewExpiredException, since both these problems could be related each other.

Any solutions/leads will be appreciated.

Answer 1

Since you use Spring Security 3.0.x, you can use custom sessionManagementFilter as described here

The class com.icesoft.spring.security.JsfRedirectStrategy is available here

If you are using Spring Security 3.1.x make these changes

 <beans:bean id="sessionManagementFilter" class="org.springframework.security.web.session.SessionManagementFilter">
    <beans:constructor-arg name="securityContextRepository" ref="httpSessionSecurityContextRepository" />
            <!-- this permits redirection to session timeout page from javascript/ajax or http -->
    <beans:property name="invalidSessionStrategy" ref="jsfRedirectStrategy" />
</beans:bean>

<beans:bean id="jsfRedirectStrategy" class="com.icesoft.spring.security.JsfRedirectStrategy">
  <beans:constructor-arg name="invalidSessionUrl" value="/general/logins/sessionExpired.jsf" />
</beans:bean>
<beans:bean id="httpSessionSecurityContextRepository" class="org.springframework.security.web.context.HttpSessionSecurityContextRepository"/>

The only change to the JSFRedirectStrategy class are the first few lines:

public class JsfRedirectStrategy implements InvalidSessionStrategy {
protected final Log logger = LogFactory.getLog(getClass()); 
     private String invalidSessionUrl;
private boolean contextRelative;

public JsfRedirectStrategy(String invalidSessionUrl){
    this.invalidSessionUrl=invalidSessionUrl;
}

@Override
public void onInvalidSessionDetected(HttpServletRequest request,
        HttpServletResponse response) throws IOException, ServletException {
    String redirectUrl = calculateRedirectUrl(request.getContextPath(), invalidSessionUrl);

This works with IE8 also. If you are interested you can look at this blog also, but I never tried this as the above was much easier.

FYI: If you do not do Spring there are many ways to do this: Primefaces does this on their site. link Or even simpler by importing Omnifaces jar link