Spring 3.1: Handling session timeout - spring-security

I have an application that is wired with Spring 3.1 authentication. I have some pages which make AJAX requests to show some information in a dialog. Now, if the user's session has timed out, Spring redirects to the login page. I don't want an AJAX-based login page. I would like the user to be navigated to the login page entirely, by canceling the current operation. Once the user logs in, navigate the user back to the last page where he was (from where the AJAX request was made).
The redirection stuff works fine if the request is made from a page.

The class which performs the redirect to the login page is the LoginUrlAuthenticationEntryPoint. I would write a customized AuthenticationEntryPoint implementation which detects the Ajax request (for example, by looking at the Accept header), and sends an error code instead of performing a redirect.
You'll still have to detect this on the client side though. There's not much Spring Security can do there, but you should be able to reload the current page from JavaScript, which will force a login, followed by a redirect to the original page (default Spring Security behaviour).
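The entry point described in that answer, as an added example (not code from the original post or from Spring Security itself): it extends LoginUrlAuthenticationEntryPoint, so browser navigations keep the default save-request-and-redirect behaviour, while requests that look like AJAX (X-Requested-With header or a JSON Accept header, an assumed heuristic) get a bare 401. The Rails answer further down the page describes the same approach.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;

// Added example: answers AJAX calls with 401 instead of a redirect to the login page.
public class AjaxAwareAuthenticationEntryPoint extends LoginUrlAuthenticationEntryPoint {

    public AjaxAwareAuthenticationEntryPoint(String loginFormUrl) {
        super(loginFormUrl);
    }

    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response,
                         AuthenticationException authException)
            throws IOException, ServletException {
        if (isAjax(request)) {
            // No redirect and no HTML body: the client-side error handler sees 401
            // and can reload the page, which then goes through the normal login flow.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED,
                               "Not authenticated or session expired");
            return;
        }
        // Plain browser navigation: default behaviour (save request, redirect to login).
        super.commence(request, response, authException);
    }

    // Assumed heuristic: jQuery-style XHR header, or a client that asks for JSON.
    static boolean isAjax(HttpServletRequest request) {
        String requestedWith = request.getHeader("X-Requested-With");
        String accept = request.getHeader("Accept");
        return "XMLHttpRequest".equals(requestedWith)
                || (accept != null && accept.contains("application/json"));
    }
}
```

Register it as a bean with the login page URL as constructor argument and reference it from the security namespace via `<http entry-point-ref="...">`; on the client, a global 401 handler that calls `window.location.reload()` then triggers the standard redirect-to-login and back to the original page.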

Related

Spring security authentication - looks like infinity loop but it works. How?

how does it really works?
I wrote a sample app using spring boot with security and thymeleaf.
As the tutorial (http://www.thymeleaf.org/doc/articles/springsecurity.html) shows, one just needs to create a controller and a login page. But...
In security config there is fragment as
loginPage("/login.html")
then in the controller there is a request mapping for /login like
@RequestMapping("/login.html")
public String login() {
return "login.html";
}
and then in the thymeleaf page there is an action mapping like
<form th:action="@{/login.html}" method="post">
So, when one tries to access a restricted page, one is redirected to the login page, which means that login.html is displayed. Then after filling in the form the user clicks the button and triggers the action which is mapped on the controller, which returns login.html once again. Looks like a loop. But it works. How??
I think I see the confusion here. In recent versions of Spring Security, it is possible and even encouraged by default that the login page and login processing URL are the same address (but they don't need to be). This is possible because of different HTTP methods.
When redirected to login page, the page is retrieved using a GET request. The authentication filter sees this, but passes on the request to Spring MVC and the controller, since it is a GET request.
When submitting the form, the username and password are sent in a POST request. The authentication filter intercepts this request since it is POST, performs the authentication and takes action depending on the result. The request is not forwarded to the controller in this case.

redirect to https if user is logged in or display http otherwise using spring security plugin

I have a search controller which lists search results for users. For anonymous users (not logged in) I want to display the page as http.
For logged in users (authenticated) I want to display the page as https. The reason being is authenticated users will see an additional link in their search results. The link pops up a modal dialog form that needs to send a secure form.
I'm using grails 2.2 and spring security plugin 2.0. I haven't found anything in the spring security config files. It looks like a page can be https or http, but not rendered either way depending on some condition.
I prefer not to do all https for performance reasons. How could I do this, with some type of filter?

How to redirect to previous page on spring security access denied?

I'm using Grails and Spring Security. Some methods of the controller are annotated with @Secured and when the logged-in user doesn't have the necessary roles I want him to be redirected to the last visited page instead of to /login/denied.
I guess that the real question is how to get the last page visited so that I can redirect him accordingly from the denied method?
There is a way to do this in JavaScript, using back button, but I am looking for a way to achieve this on the server side.
maybe you could use an interceptor to store the history of your views and then with an accessDeniedHandler redirect to the previous one

Session time out from sub web application

I have a legacy asp.net web forms web site; it uses forms authentication. Now, I have the requirement to create a new sub MVC application in the web site. My new application is most likely a SPA, which means most actions are done through Ajax. Everything works fine until the session times out, because once it times out, my background Ajax returns the content of the form login page instead of my json data. This is correct session behavior, but how can I know about the session timeout in ajax and then redirect the page to the login page?
You can trap the failure of your AJAX calls and look for 401 result, which means that the request was not authorised.
I'm assuming you're using Web API for your service calls here - if you're calling methods on your normal MVC controller you'll need to do a little bit of work to ensure unauthenticated requests return 401 instead of redirecting you to the login page.

How to catch a session timeout when using GET to insert html?

I have a JRuby on Rails application using a lot of Ajax GET calls. The result is inserted in the HTML page. If the session times out, the resulting html is the login page. This login page is then inserted into the current HTML page. Instead, a redirect to the login page should happen...
How is this problem generally tackled?
You can't catch the 302 because browsers hide that from you - your ajax request just sees the final request.
When this has been an issue I usually change my login code such that if access is attempted to a restricted page by a non-logged-in user, and the request is an ajax request, I render a special status code (usually a 4xx code). Check for that status code in your ajax request handlers (depending on your ajax library, you can usually set up a global handler) and if you see it, redirect the user to the login page.