Spring2.5,Spring Security2.0.5, DWR app session timeout redirect

Hello,

I have a web application using Spring(version 2.5),Spring Security (version 2.0.5) and DWR.I am facing some issue when the session timeout.
On session timeout the application should redirect the user to login page.But that is not happening.When the timeout had occured and then the user clicks on any of the links in the application, the user is taken to the target page for the clicked link but with no data since the data is user specific and user id is not found in the session.In Spring Security 3.0 this feature is available readily.

But I have no option of upgrading either Spring/Spring Security presently.In such a case how can I redirect the user to a desired page when timeout occurs.I tried implementing a session timeout filter but I end up finding that it was actually a wrong approach.That filter was getting called up in the chain even when invalid session was found.

<?xml version="1.0" encoding="UTF-8"?>

<beans:beans xmlns="http://www.springframework.org/schema/security"
			 xmlns:beans="http://www.springframework.org/schema/beans"
			 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
			 xsi:schemaLocation="http://www.springframework.org/schema/beans 
								 http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
								 http://www.springframework.org/schema/security 
								 http://www.springframework.org/schema/security/spring-security-2.0.4.xsd">

<global-method-security secured-annotations="enabled">
        
    </global-method-security>
    
    <http auto-config="true">
        <intercept-url pattern="/" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
        <intercept-url pattern="/index.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
        <intercept-url pattern="/welcomeGuest.do" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
        <intercept-url pattern="/*.do" access="ROLE_ADMIN, ROLE_STANDARD"/>
        <intercept-url pattern="/*.dwr" access="ROLE_ADMIN, ROLE_STANDARD"/>
        <form-login login-page="/welcomeGuest.do" 
                    login-processing-url="/j_spring_security_check" 
                    default-target-url="/home.do"
                    authentication-failure-url="/welcomeGuest.do?login_error=1"/>
    </http>
    
     .....
</beans:beans>

Below is a portion from Spring Security logs.

12:51:22,240 DEBUG HttpSessionContextIntegrationFilter:255 - SecurityContextHolder now cleared, as request processing completed
12:58:59,834 DEBUG FilterChainProxy:205 - Converted URL to lowercase, from: '/dwr/call/plaincall/yguserservice.invokegethomepageleftpanecontent.dwr'; to: '/dwr/call/plaincall/yguserservice.invokegethomepageleftpanecontent.dwr'
12:58:59,834 DEBUG FilterChainProxy:212 - Candidate is: '/dwr/call/plaincall/yguserservice.invokegethomepageleftpanecontent.dwr'; pattern is /**; matched=true
12:58:59,834 DEBUG FilterChainProxy:385 - /dwr/call/plaincall/YGUserService.invokeGetHomePageLeftPaneContent.dwr at position 1 of 10 in additional filter chain; firing Filter: 'org.springframework.security.context.HttpSessionContextIntegrationFilter[ order=200; ]'
12:58:59,834 DEBUG HttpSessionContextIntegrationFilter:274 - No HttpSession currently exists
12:58:59,834 DEBUG HttpSessionContextIntegrationFilter:209 - New SecurityContext instance will be associated with SecurityContextHolder
12:58:59,834 DEBUG FilterChainProxy:385 - /dwr/call/plaincall/YGUserService.invokeGetHomePageLeftPaneContent.dwr at position 2 of 10 in additional filter chain; firing Filter: 'org.springframework.security.ui.logout.LogoutFilter[ order=300; ]'
12:58:59,834 DEBUG FilterChainProxy:385 - /dwr/call/plaincall/YGUserService.invokeGetHomePageLeftPaneContent.dwr at position 3 of 10 in additional filter chain; firing Filter: 'org.springframework.security.ui.webapp.AuthenticationProcessingFilter[ order=700; ]'
12:58:59,834 DEBUG FilterChainProxy:385 - /dwr/call/plaincall/YGUserService.invokeGetHomePageLeftPaneContent.dwr at position 4 of 10 in additional filter chain; firing Filter: 'org.springframework.security.ui.basicauth.BasicProcessingFilter[ order=1000; ]'
12:58:59,834 DEBUG BasicProcessingFilter:115 - Authorization header: null
12:58:59,834 DEBUG FilterChainProxy:385 - /dwr/call/plaincall/YGUserService.invokeGetHomePageLeftPaneContent.dwr at position 5 of 10 in additional filter chain; firing Filter: 'org.springframework.security.wrapper.SecurityContextHolderAwareRequestFilter[ order=1100; ]'
12:58:59,834 DEBUG SavedRequestAwareWrapper:92 - Wrapper not replaced; no session available for SavedRequest extraction
12:58:59,834 DEBUG FilterChainProxy:385 - /dwr/call/plaincall/YGUserService.invokeGetHomePageLeftPaneContent.dwr at position 6 of 10 in additional filter chain; firing Filter: 'org.springframework.security.ui.rememberme.RememberMeProcessingFilter[ order=1200; ]'
12:59:00,038 DEBUG FilterChainProxy:385 - /dwr/call/plaincall/YGUserService.invokeGetHomePageLeftPaneContent.dwr at position 7 of 10 in additional filter chain; firing Filter: 'org.springframework.security.providers.anonymous.AnonymousProcessingFilter[ order=1300; ]'
12:59:00,038 DEBUG AnonymousProcessingFilter:93 - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.providers.anonymous.AnonymousAuthenticationToken@69ec09e9: Principal: roleAnonymous; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.ui.WebAuthenticationDetails@957e: RemoteIpAddress: 127.0.0.1; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
12:59:00,038 DEBUG FilterChainProxy:385 - /dwr/call/plaincall/YGUserService.invokeGetHomePageLeftPaneContent.dwr at position 8 of 10 in additional filter chain; firing Filter: 'org.springframework.security.ui.ExceptionTranslationFilter[ order=1400; ]'
12:59:00,038 DEBUG FilterChainProxy:385 - /dwr/call/plaincall/YGUserService.invokeGetHomePageLeftPaneContent.dwr at position 9 of 10 in additional filter chain; firing Filter: 'org.springframework.security.ui.SessionFixationProtectionFilter[ order=1600; ]'
12:59:00,038 DEBUG FilterChainProxy:385 - /dwr/call/plaincall/YGUserService.invokeGetHomePageLeftPaneContent.dwr at position 10 of 10 in additional filter chain; firing Filter: 'org.springframework.security.intercept.web.FilterSecurityInterceptor@2eb6e9'
12:59:00,038 DEBUG DefaultFilterInvocationDefinitionSource:196 - Converted URL to lowercase, from: '/dwr/call/plaincall/yguserservice.invokegethomepageleftpanecontent.dwr'; to: '/dwr/call/plaincall/yguserservice.invokegethomepageleftpanecontent.dwr'
12:59:00,038 DEBUG DefaultFilterInvocationDefinitionSource:224 - Candidate is: '/dwr/call/plaincall/yguserservice.invokegethomepageleftpanecontent.dwr'; pattern is /; matched=false
12:59:00,038 DEBUG DefaultFilterInvocationDefinitionSource:224 - Candidate is: '/dwr/call/plaincall/yguserservice.invokegethomepageleftpanecontent.dwr'; pattern is /index.jsp; matched=false
12:59:00,038 DEBUG DefaultFilterInvocationDefinitionSource:224 - Candidate is: '/dwr/call/plaincall/yguserservice.invokegethomepageleftpanecontent.dwr'; pattern is /welcomeguest.do; matched=false
12:59:00,038 DEBUG DefaultFilterInvocationDefinitionSource:224 - Candidate is: '/dwr/call/plaincall/yguserservice.invokegethomepageleftpanecontent.dwr'; pattern is /uploadimage.do; matched=false
12:59:00,038 DEBUG DefaultFilterInvocationDefinitionSource:224 - Candidate is: '/dwr/call/plaincall/yguserservice.invokegethomepageleftpanecontent.dwr'; pattern is /forgotpassword.do; matched=false
12:59:00,038 DEBUG DefaultFilterInvocationDefinitionSource:224 - Candidate is: '/dwr/call/plaincall/yguserservice.invokegethomepageleftpanecontent.dwr'; pattern is /resetpassword.do; matched=false
12:59:00,038 DEBUG DefaultFilterInvocationDefinitionSource:224 - Candidate is: '/dwr/call/plaincall/yguserservice.invokegethomepageleftpanecontent.dwr'; pattern is /*.htm; matched=false
12:59:00,038 DEBUG DefaultFilterInvocationDefinitionSource:224 - Candidate is: '/dwr/call/plaincall/yguserservice.invokegethomepageleftpanecontent.dwr'; pattern is /*.do; matched=false
12:59:00,038 DEBUG DefaultFilterInvocationDefinitionSource:224 - Candidate is: '/dwr/call/plaincall/yguserservice.invokegethomepageleftpanecontent.dwr'; pattern is /*.dwr; matched=false
12:59:00,038 DEBUG AbstractSecurityInterceptor:241 - Public object - authentication not attempted
12:59:00,038 DEBUG FilterChainProxy:374 - /dwr/call/plaincall/YGUserService.invokeGetHomePageLeftPaneContent.dwr reached end of additional filter chain; proceeding with original chain
12:59:00,194 DEBUG ExceptionTranslationFilter:104 - Chain processed normally
12:59:00,194 DEBUG HttpSessionContextIntegrationFilter:389 - SecurityContext contents are anonymous - context will not be stored in HttpSession. 
12:59:00,194 DEBUG HttpSessionContextIntegrationFilter:255 - SecurityContextHolder now cleared, as request processing completed

Kindly guide me in achieving the desired result.

Hi,

Is there no one who can help me resolve this issue?

In the DWR code : /dwr/call/plaincall/yguserservice.invokegethomepageleftpanecontent.dwr
Can't you check for HttpSession==null and redirect to login page as the first line of code?