0

I use Spring Security 3.2.1 to secure a Spring MVC application deployed to Tomcat.

When a web session expires, Spring Security automatically redirects the user to the login page. However, some of my AJAX requests use PUT, POST and DELETE methods. When one of those requests gets redirected, Firefox shows this dialogue (other browsers behave differently):


This is normal behaviour for a redirect with 302 status code according to the HTTP/1.1 specification which says:

If the 302 status code is received in response to a request other than GET or HEAD, the user agent MUST NOT automatically redirect the request unless it can be confirmed by the user...

I would like to get rid of the dialogue. I think the dialogue would not appear if Spring Security used a response with 303 status code (not 302). How can I change the status code to 303?

Alexey
  • My own solution: define a separate realm (`` tag) for your AJAX URIs, and configure it to use basic HTTP authentication only (see [this answer](http://stackoverflow.com/a/11968411/2842067) but do NOT use `create-session="stateless"`). When a session expires you will get a 401 response which can be intercepted on the client side. However, the browser will prompt for a login and password - see [this answer](http://stackoverflow.com/a/9872582/2842067) (with comments) or [this post](http://loudvchar.blogspot.ca/2010/11/avoiding-browser-popup-for-401.html) for a solution. – Alexey Jun 24 '14 at 05:59
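The separate-realm approach from the comment above, written out as an added example in Spring Security 3.2 Java config (not the asker's own configuration): the AJAX URI prefix `/api/**`, the login page path `/login` and the non-Basic challenge scheme `xBasic` are assumptions.

```java
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;

@Configuration
@EnableWebSecurity
public class SecurityConfig {
    // Realm 1, consulted first: AJAX URIs (assumed to live under /api/**) use HTTP Basic
    // only, so an expired session produces a 401 the client can intercept, not a 302.
    // Session creation stays at its default (if required); a stateless realm would
    // force every AJAX call to carry credentials.
    @Configuration
    @Order(1)
    public static class AjaxRealm extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.antMatcher("/api/**")
                .authorizeRequests().anyRequest().authenticated().and()
                .httpBasic().authenticationEntryPoint(new NoPromptEntryPoint());
        }
    }

    // Realm 2: everything else keeps form login and its redirect to the login page.
    @Configuration
    public static class WebRealm extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.authorizeRequests().anyRequest().authenticated().and()
                .formLogin().loginPage("/login").permitAll();
        }
    }

    // Sends 401 with a challenge scheme the browser does not recognise ("xBasic" is an
    // assumption), so it shows no built-in login dialogue and the AJAX caller handles it.
    static class NoPromptEntryPoint implements AuthenticationEntryPoint {
        @Override
        public void commence(HttpServletRequest request, HttpServletResponse response,
                             AuthenticationException ex) throws IOException {
            response.setHeader("WWW-Authenticate", "xBasic realm=\"ajax\"");
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Session expired");
        }
    }
}
```

On the client, a 401 from `/api/**` is then the signal that the session has expired and the page should send the user to the login page itself.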

1 Answer

2

1) RFC 2616 is obsolete. The text in the current spec reads (http://svn.tools.ietf.org/svn/wg/httpbis/specs/rfc7231.html#rfc.section.6.4):

The 3xx (Redirection) class of status code indicates that further action needs to be taken by the user agent in order to fulfill the request. If a Location header field (Section 7.1.2) is provided, the user agent MAY automatically redirect its request to the URI referenced by the Location field value, even if the specific status code is not understood. Automatic redirection needs to done with care for methods not known to be safe, as defined in Section 4.2.1, since the user might not wish to redirect an unsafe request.

2) Firefox is in the process of removing these prompts. See https://bugzilla.mozilla.org/show_bug.cgi?id=677754

3) Whether 303 is more appropriate than 302 really depends on what the semantics of the redirect are.

Julian Reschke
  • +1 for the clarification. I did not know that the specification had changed recently. But I need to fix the problem in the current version of Firefox. – Alexey Jun 21 '14 at 09:44
  • Alexey: or you can already change this in the Firefox config; or just wait for ~18 weeks. – Julian Reschke Jun 21 '14 at 10:37