When the session times out and the client does an Ajax partial rendering, Spring Security redirects to the logon page, but the redirect is caught by the XMLHttpRequest and nothing happens, as expected but not desired.

Spring config:

<sec:session-management invalid-session-url="/page/start.jsf">
    <sec:concurrency-control max-sessions="1" error-if-maximum-exceeded="true"/>
</sec:session-management>

Firebug shows the Ajax communication: [screenshot]

jlvaquero

This is a common problem amongst all session-based web applications utilizing Ajax communication. Perhaps it will be possible in JavaScript to keep a timestamp and then set a timer to display a session timeout message after the desired period of time. The challenge is to update the client timer after every asynchronous post back to the server. – maple_shaft Jan 26 '12 at 13:56

1 Answer

To redirect a JSF Ajax request you need XML as follows:

<?xml version="1.0" encoding="UTF-8"?>   
<partial-response>  
      <redirect url="XXX">  
      </redirect>  
</partial-response>

Here XXX is the URL you want to redirect to.

On an Ajax call, the redirect sent by Spring Security is not as above, hence no redirect or expected result.

To get the desired result, have a filter for all JSF requests except the login page that checks whether the session is valid and whether it is really a JSF Ajax call by checking the header "Faces-Request"; its value should be "partial/ajax". If the session has expired and it is an Ajax request, send the above XML as the response.

It should work.

This link @ SO might give you help with Spring Security code if a filter is not desired.

baba.kabira
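
A sketch of the filter described in the answer above, added here as an example and not code from the answer or from Spring Security. The class name `AjaxSessionExpiredFilter` is hypothetical, the target `/page/start.jsf` is taken from the `invalid-session-url` in the question, and the filter is assumed to be mapped to the JSF requests ahead of the Spring Security filter chain.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter name; register it before the Spring Security filter chain.
public class AjaxSessionExpiredFilter implements Filter {

    // From invalid-session-url in the question's config. A fixed value, never
    // read from request parameters, so it cannot be turned into an open redirect.
    private static final String START_PAGE = "/page/start.jsf";

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // JSF marks partial (Ajax) requests with this header.
        boolean ajax = "partial/ajax".equals(request.getHeader("Faces-Request"));
        // The browser sent a session id that the container no longer recognises.
        boolean expired = request.getRequestedSessionId() != null
                && !request.isRequestedSessionIdValid();
        String target = request.getContextPath() + START_PAGE;
        boolean startPage = request.getRequestURI().equals(target);

        if (ajax && expired && !startPage) {
            response.setContentType("text/xml");
            response.setCharacterEncoding("UTF-8");
            response.setHeader("Cache-Control", "no-cache, no-store");
            response.getWriter().write("<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
                    + "<partial-response><redirect url=\"" + escapeXml(target)
                    + "\"></redirect></partial-response>");
            return; // answer here so the plain 302 never reaches the XMLHttpRequest
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }

    // Escape the URL before placing it in an XML attribute.
    private static String escapeXml(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;")
                .replace(">", "&gt;").replace("\"", "&quot;");
    }
}
```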