0

I have been using spring boot, with spring security and Ext Js as frontend. I added this piece of code as configuration for spring security. It means that, when the session expires the user will be redirected to the referenced url, right?

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.cors().and()
            .authorizeRequests().antMatchers("/", "/login/**").permitAll().and()
            .authorizeRequests()
            .anyRequest().authenticated()
            .and()
            .formLogin()
            .loginPage("/login")
            .loginProcessingUrl("/userAuth")
            .permitAll()
            .and()
            .logout()
            .permitAll()
            .and()
            .authorizeRequests()
            .antMatchers(HttpMethod.POST, "/**").permitAll();

            http.csrf().disable();
            http.headers().frameOptions().disable();

            http.sessionManagement().maximumSessions(1).expiredUrl("/login?logout");
}

Every time my frontend sends an AJAX request to Spring and the user has lost the session, Spring turns the request into a GET request to /login?logout, as is to be expected, but the page does not get redirected. All I can see is the login page in the response content of the request, without any effect on the page the user is seeing.

Why does this happen? Am I missing any configuration or implementation here?

EDIT: Here is what my Ext Js for the AJAX request looks like:

onAuthCheck: function (users) {

    var result = Ext.Ajax.request({
        url: '/Queue/requests/loginCheck',
        method: 'POST',
        async: false,
        params: {
            usersInfo: Ext.encode(users)
        },
        success: function (conn, response, options, eOpts) {
            console.log(response)
            console.log(conn.status);
            if (conn.status === 401 || conn.status === 302) {
                location.href='/login?logout';
           }
        },
        failure: function (conn, response, options, eOpts) {
            console.log(response)
            console.log(conn.status)
            if (conn.status === 401 || conn.status === 302) {
                location.href='/login?logout';
           }
        }
    })
    return (Ext.JSON.decode(result.responseText, true).success);
},

EDIT2: Here is what my request looks like: it has a request with status 302, and still I'm getting a 200 status on my AJAX response in the JS code.


Gabriel Robaina
  • This is correct behavior as you use AJAX. I guess you are seeing the redirected page (login page) in the AJAX response. – Sunchezz May 15 '19 at 14:24
  • You might be getting an invalid session instead of expired. Try .invalidSessionUrl() instead (or even as well) – Kieveli May 15 '19 at 14:29
  • @Kieveli I will try that, thank you. But I think it is the AJAX request thingy. – Gabriel Robaina May 15 '19 at 15:23
  • Possible duplicate of https://stackoverflow.com/questions/7524039/problems-with-xmlhttprequest-status-302 – dur May 15 '19 at 19:07
  • Possible duplicate of https://stackoverflow.com/questions/24816478/how-can-i-spot-a-302-response-in-sencha-touch-ajax-request – dur May 15 '19 at 19:12
  • Possible duplicate of https://stackoverflow.com/questions/8238727/how-to-prevent-ajax-requests-to-follow-redirects-using-jquery – dur May 15 '19 at 19:16
  • Any progress on this? – Sunchezz May 27 '19 at 07:30
  • Actually found a good answer on @dur's link of a similar question. Will get back to you when I test it out to see if it solves the problem. – Gabriel Robaina May 27 '19 at 16:52

2 Answers

1

Short and simple Answer:

Because you are submitting your request by AJAX, the Response is not "affecting" your current loaded page.

To be more precise:

Most browsers (all I know) only redirect (respect the Location header) if an HTTP redirect code (301, 302, 303) is found in the response header. So technically, if Spring would send a 302 HTTP status code along with the authentication URL, the browser would switch the location.

As far as I know, Spring sends a 302 if it is a GET request.

A simple Solution:

This is one way to go by JavaScript and jQuery: Check the result of your ajax response. (This is just an example to give you a direction; there will be more solutions.)

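    $.ajax({
        type: 'POST',
        url: '/url',
        // jQuery routes a 401 to `error`, not `success`; the HTTP status
        // is on the jqXHR object, not on the response data.
        error: function (jqXHR) {
            if (jqXHR.status === 401) {
                location.href = '/login?logout';
            }
        }
    });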
Sunchezz
  • It does not work... Currently I am getting an HTTP 200 response on the AJAX request on every request (even those that won't go through because of the session expiration). When I check the response status on the network tab it shows 302, but the JS catches 200 for every request. – Gabriel Robaina May 15 '19 at 15:20
  • Hm, I really don't know what's happening there. Try to use another framework for AJAX, I never worked with Ext JS. – Sunchezz May 15 '19 at 17:13
  • I know it's late but still... You are getting a 200 response as the first 302 response will have a redirect URL which is returning 200. I was also facing this issue, solved it using https://stackoverflow.com/questions/23901950/spring-security-ajax-session-timeout-issue – Pinaki Feb 05 '20 at 13:19
0

You can write this function; it will be fired every time an AJAX request completes.

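// ajaxComplete handlers receive (event, jqXHR, ajaxOptions);
// the HTTP status is read from the jqXHR object.
$(document).ajaxComplete(function (event, jqXHR) {
    if (jqXHR.status === 401) {
        location.href = "/login?logout";
    }
});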
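
Why the handlers above see 200, and a client-side check that still catches the expired session, as an added example that is not part of the original posts: XMLHttpRequest follows the 302 itself, so the script only receives the final login-page response, but `responseURL` and `Content-Type` give it away. The origin `https://app.example`, the helper names and the sample responses are constructed; `/login` and `/Queue/requests/loginCheck` come from the question.

```javascript
// Added example (not from the original posts). LOGIN_PATH mirrors the
// question's loginPage("/login"); ORIGIN and the samples are constructed.
const ORIGIN = 'https://app.example';
const LOGIN_PATH = '/login';
const LOGIN_REDIRECT = '/login?logout'; // fixed target, never read from a response

// Decide what a finished XHR means for the session.
// `xhr` needs: status, responseURL, getResponseHeader(name).
function classifyResponse(xhr, requestedUrl) {
  // Case 1: the server answered the AJAX call with 401 instead of redirecting.
  if (xhr.status === 401) return 'session-expired';

  // Case 2: the browser followed a 302 on its own. The script only sees the
  // final 200, but responseURL holds the URL that actually answered.
  const wanted = new URL(requestedUrl, ORIGIN);
  const answered = xhr.responseURL ? new URL(xhr.responseURL, ORIGIN) : wanted;
  if (answered.origin === wanted.origin &&
      answered.pathname === LOGIN_PATH &&
      wanted.pathname !== LOGIN_PATH) {
    return 'session-expired';
  }
  // Case 3: a JSON endpoint that returns HTML is not a valid answer, even
  // when responseURL is unavailable; the body must not be parsed as data.
  const type = (xhr.getResponseHeader('Content-Type') || '').toLowerCase();
  if (xhr.status === 200 && !type.startsWith('application/json')) {
    return 'unexpected-content';
  }
  return xhr.status >= 200 && xhr.status < 300 ? 'ok' : 'error';
}

// Returns the URL to navigate to, or null when the page should stay put.
function nextLocation(xhr, requestedUrl) {
  return classifyResponse(xhr, requestedUrl) === 'session-expired' ? LOGIN_REDIRECT : null;
}

// Constructed stand-in for an XMLHttpRequest that has completed.
function fakeXhr(status, responseURL, contentType) {
  const getResponseHeader = (name) =>
    name.toLowerCase() === 'content-type' ? contentType : null;
  return { status, responseURL, getResponseHeader };
}

const API = '/Queue/requests/loginCheck'; // URL from the question
const samples = {
  live: fakeXhr(200, ORIGIN + API, 'application/json;charset=UTF-8'),
  followed302: fakeXhr(200, ORIGIN + '/login?logout', 'text/html;charset=UTF-8'),
  explicit401: fakeXhr(401, ORIGIN + API, 'application/json'),
  htmlNoUrl: fakeXhr(200, '', 'text/html'),
};
```

In a browser, call `nextLocation(xhr, url)` from the completion handler and assign a non-null result to `location.href`; because the target is a fixed same-origin path, no response can steer the navigation elsewhere.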