I am trying to implement form authentication in my ajax application. The problem I have is that when the session expires I get a 302 code which redirects me to the login page I specified in web.xml (and it messes everything up, refreshing the whole app to the login page).

What I want to do is to get a "not authenticated" (401) code, then display the login form in a popup window and when the login is successful continue with what I was doing.

Here is a picture of what is going on: http://docs.oracle.com/javaee/1.4/tutorial/doc/images/security-formBasedLogin.gif

And the docs: http://docs.oracle.com/javaee/1.4/tutorial/doc/Security5.html

Basically, I want to display the popup instead of redirecting to the login page, and then not do the redirect to the resource but do my update in an AJAX way. From what I understand it couldn't be done only on the client side, since the redirect can't be avoided (see here: redirect info); I would need to write some kind of logic on the server to prevent the redirect, see here for details about doing it in IIS: IIS implementation

P.S. So far this: http://www.oracle.com/technetwork/articles/entarch/session-lifecycle-096133.html looks like the most promising way to implement it. The class is deprecated, but I can't find the new one and I think it's the only way to do it for Weblogic.

Roman Goyenko
  • I'm not sure how the web.xml file you're talking about works, but if all it does is check the session and redirect if it's expired, could you not write that logic manually on the page in question? – mowwwalker Nov 19 '12 at 18:17
  • I don't want to write my own logic that checks for the authentication/session expiration, I want to use what's available for web apps in the web container – Roman Goyenko Nov 19 '12 at 19:25
  • Are you using Servlet 3.0? The prehistoric J2EE tutorial link and the Weblogic tag suggest not, but just asking to be sure because this is possible using the new API facilities in Servlet 3.0. You'd otherwise need to fall back to container-specific hacks/workarounds (which I think is unfortunately hard to get an answer for Weblogic as the community support for this closed-source container is pretty low; the best you could get is most likely homebrewing authentication or adopting a more flexible authentication framework such as Spring Security or Apache Shiro). – BalusC Nov 19 '12 at 19:38
  • I am using Weblogic 10.3.3 which supports Servlet 2.5 only. – Roman Goyenko Nov 19 '12 at 19:44
  • BalusC, I looked at Spring Security and so far it looks similar to what JAAS form authentication offers for my purposes; maybe you have a link to an example of how to make an AJAX authentication request when the session expires? – Roman Goyenko Nov 19 '12 at 21:09
  • @RomanHoyenko Have you tried to implement a filter on the URLs? In the filter you could catch the session expiration and return a desired response code along with a response body which will indicate that a session expiration occurred. – Apostolos Emmanouilidis Nov 19 '12 at 21:35
  • @Tolis I found this: http://www.oracle.com/technetwork/articles/entarch/session-lifecycle-096133.html but the class is deprecated there. Do you know which filter I should use? – Roman Goyenko Nov 19 '12 at 22:49
  • Roman, I have no idea. I don't do Spring. @Tolis: webapp-registered filters are (for obvious security reasons) **not** invoked on `j_security_check`. Requests on `j_security_check` are handled and forwarded entirely internally in the servletcontainer, before the request ever hits the webapp. – BalusC Nov 20 '12 at 02:58

5 Answers

This is not an easy way, but still it works.

You have a form in your page which is filled in by the user.

The user clicks the submit button.

An ajax request is sent to the server.

The server-side implementation can check whether the session exists or not, and accordingly you can send a response code 401 (response.setStatus()).

This 401 can be checked on the client side using ajax (xhr.status).

If the response is 401 you can show the login form and hide the current form, using JS and CSS.

The user fills in the login details and clicks submit.

You can do the same server-side check and client-side check for the status of that login request.

If the login is successful then you can submit the first form using ajax or JS.

Konza
  • I don't think my server-side code runs after session expired, so I can't check anything in the code or set status. – Roman Goyenko Nov 21 '12 at 15:30
  • Oh yes it should. Any technology I have worked on lets you either override the timeout behavior, or subscribe to the session timeout event. – Tengiz Nov 26 '12 at 16:06
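The client side of the procedure in this answer, as an added example that is not part of the answer or the thread: a request that comes back 401 triggers the login prompt, concurrent 401s share one prompt, and the original request is replayed once login succeeds. The `transport`, `promptLogin` and `/login` names are assumptions, and the server stand-in is constructed for the demo (it returns 401 instead of the container's 302).

```javascript
// Client half of the 401 flow (added example, not code from the thread).
// transport(req) resolves to {status, body}; promptLogin() resolves to the
// credentials typed into the popup. Both are injected so the logic runs
// outside a browser; in a page, transport would wrap XMLHttpRequest.
function createAuthClient(transport, promptLogin, loginUrl) {
  let loginInProgress = null; // shared so concurrent 401s show one login form

  function login() {
    if (!loginInProgress) {
      loginInProgress = promptLogin()
        .then((creds) => transport({ url: loginUrl, method: 'POST', body: creds }))
        .then((res) => {
          if (res.status !== 200) throw new Error('login failed: ' + res.status);
          return res;
        })
        .finally(() => { loginInProgress = null; });
    }
    return loginInProgress;
  }

  // Send the request; on 401, log in once and replay the same request exactly
  // once (a second 401 is returned to the caller, so there is no retry loop).
  function request(req) {
    return transport(req).then((res) =>
      (res.status === 401 ? login().then(() => transport(req)) : res));
  }
  return { request };
}

// Constructed stand-in for the server side: answers 401 (not a 302 to the
// login page) for every URL until a POST to /login with valid credentials.
function makeFakeServer(validUser, validPass) {
  const server = { loggedIn: false, calls: [] };
  server.transport = (req) => {
    server.calls.push(req.method + ' ' + req.url);
    if (req.url === '/login' && req.method === 'POST') {
      server.loggedIn = req.body.user === validUser && req.body.pass === validPass;
      return Promise.resolve({ status: server.loggedIn ? 200 : 401, body: '' });
    }
    if (!server.loggedIn) return Promise.resolve({ status: 401, body: 'session expired' });
    return Promise.resolve({ status: 200, body: 'data for ' + req.url });
  };
  return server;
}
```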
You may need to use servlet authentication filters as described in weblogic.xml Deployment Descriptor Elements.

The tutorials below may help you:
  • oracle Servlet Authentication Filters
  • Using servlet filters for user authentication
  • Writing Servlet Filters

Chandra Sekhar
You could use a heartbeat check with an ajax request to your server for any resource that needs authentication to be fetched. If you cannot receive this resource, it means that you're not logged in, so you could send another authentication request and go on with your rendering.

See this article: http://ajaxpatterns.org/archive/Heartbeat.php

That is how your authentication-checking routine would be implemented.

thiagoh
  • But the heartbeat would extend the session if I do it often enough. I could probably do a "test" message before every submit, not sure it's the best approach. – Roman Goyenko Nov 25 '12 at 23:58
You need to push to the page and not poll. So you need Strophe and your session handler connected. When the session expires, a signal is sent to the Strophe instance that is running in your web app, and after that it is easy to do a popup or whatever. For all real-time stuff I am using Strophe!

This is a book on this matter and this is the link for Strophe; also, this is the link to the php xmpp class.

It will take you a couple of days to figure this out, but it is a couple of days well spent! If you read the book carefully and go through the examples, with just a basic javascript/jquery understanding you will be able to develop powerful web apps.

pregmatch
I know you're trying to do FORM authentication with your ajax application, but is it really needed?

BASIC authentication works more simply and transparently for ajax requests, as it is handled by the browser, not by your app. But I admit/understand that a popup is ugly.

Xavier Dury