I have a JRuby on Rails application using a lot of Ajax GET calls. The result is inserted in the HTML page. If the session times out, the resulting html is the login page. This login page is then inserted into the current HTML page. Instead, a redirect to the login page should happen...
How is this problem generally tackled?
You can't catch the 302 because browsers hide that from you - your ajax request just sees the final request.
When this has been an issue I usually change my login code such that if access is attempted to a restricted page by a non logged in user, and the request is an ajax request I render a special status code (usually a 4xx code). Check for that status code in your ajax request handlers (depending on jour ajax library, you can usually set up a global handler) and if you see it, redirect the user to the login page.
Related
how does it really works?
I wrote a sample app using spring boot with security and thymeleaf.
As [tutorial]: http://www.thymeleaf.org/doc/articles/springsecurity.html shows ones just need to create controller and login page. But...
In security config there is fragment as
loginPage("/login.html")
then in controller there is request mapping for /login like
#RequestMapping("/login.html")
public String login() {
return "login.html";
}
and then in thymeleaf page there is action mapping like
<form th:action="#{/login.html}" method="post">
So..when ones try to access restricted page is redirected to login page which means that login.html is displayed. Then after filling the form user clicks the button and trigger action which is mapped on controller that returns login.html once again. Looks like a loop. But it works. How??
I think I see the confusion here. In recent versions of Spring Security, it is possible and even encouraged by default that the login page and login processing URL are the same address (but they don't need to be). This is possible because of different HTTP methods.
When redirected to login page, the page is retrieved using a GET request. The authentication filter sees this, but passes on the request to Spring MVC and the controller, since it is a GET request.
When submitting the form, the username and password are sent in a POST request. The authentication filter intercepts this request since it is POST, performs the authentication and takes action depending on the result. The request is not forwarded to the controller in this case.
I have an application that is wired with Spring 3.1 authentication. I have some pages which makes AJAX requests to show some information on the dialog. Now, if the user's session has timed out, the Spring redirects to the login page. I don't want an AJAX based login page. I would like the user to be navigated to the login page entirely, by canceling current operation. Once user logs in, navigate user back to the last page where he was (from where the AJAX request was made).
The redirection stuff works fine if the request is made from a page.
The class which performs the redirect to the login page is the LoginUrlAuthenticationEntryPoint. I would write a customized AuthenticationEntryPoint implementation which detects the Ajax request (for example, by looking at the Accept header), and sends an error code instead of performing a redirect.
You'll still have to detect this on the client side though. There's not much Spring Security can do there, but you should be able to reload the current page from Javascript, which will force a login, followed by a redirect to the original page (default Spring Security behaviour).
I need some help to implement facebook authentication. I'm doing this sample:
http://csharpsdk.org/docs/web/getting-started
and it works fine, I can get the access token and get user's info. But my problem is because javascript start a loop of http post's, because he's executing the javascript who invokes the handler, so infitly redirect for my page.
So I have Main.aspx and is there where I have the javascript implemented and all my main content, if my handlrer redirect to Main.aspx he enter in loop, if I redirect the handler to SecondPage.aspx he stops the loop, but if i click go back to Main.aspx(or someone else where i've the javascript) he redirect to second...
The issues is that you are redirecting back to your original page from your ashx handler page and when you do that your JavaScript is executing again and hence submitting another Post to the server which in turn calls your ashx handler page again. So you end up in an infinite loop. But when you redirect to a different page from your ashx handler page then the JavaScript that authenticates your user does not execute and does not send another Post.
I ran into this same problem myself and came up with a fairly simple solution which I posted on a different thread dealing with the same issue. you can find the answer on this thread.
On a side note, I continued to research this and found a great solution that allows me to do this all server side instead of using the JavaScript SDK, so I'm not sure it would be of interested to you since your post was about "How to make HTTP POST facebook authentication" but in case you are, the link gives a solution dealing with an ASP.NET app that is not written using MVC. Getting Started With The Facebook C# SDK
I have an ASP.Net MVC application. I am using an AJAX request on a page which requires user authentication to fire an action on another controller, which returns a view to update a table on the page. The action that the AJAX request makes also requires authentication. The issue comes up when the user lets their session timeout and then does something to fire the AJAX request. The entire page does not redirect to the login page. Instead, the view returned to the AJAX request is the login page, which then is populated inside the div meant for the refreshed data table.
Is there a way to at least have the request return an error message instead of the login view?
Sure, you could create your own Authorize attribute and check if HttpContext.Current.Request.Headers["XMLHttpRequest"] then return error message else redirect to login page
I'm using ASP.Net MVC beta 1 and I'm using the asp.net membership provider with the standard authentication controller to restrict access to my site.
I'm using ajax functionality to provide e.g. editing of values by loading partial views into a div with either jQuery $.get/$.ajax or with the Ajax.Actionlink MVC helper. This all works fine most of the time.
My problem comes once the login times out and you click on one of the ajax edit links - the ajax call returns the login page which is put into the div normally used for the edit form.
I want to find a way to redirect the whole page to the login form, when the authentication has timed out and an ajax link is clicked.
One way I can think of is looking at the html returned from the ajax call in the response callback and searching for the 'login' text or form field and doing a redirect from there - but this doesn't feel very clean - is there a better way?
This might help some:
Bypass Forms Authentication auto redirect to login, How to?
From the above answer it looks like http 403 isn't intercepted by Forms Authentication, so you can roll your own ActionFilter that returns an http 403 response if its an Ajax Request and Authorization failed.
On the client side, you could then check the response code for 403, and redirect to the appropriate login url.
There are probably other ways to do this as well!