I have a little problem with JSF 2.0 and session timeouts during AJAX requests in a JAAS-secured web application.
Target: redirect to the login page on an Ajax call whose session has timed out.
My idea was to implement a PhaseListener to detect whether there is a session timeout. The problem in this case is: I am using JAAS to authenticate the user.
In "normal" requests, the user gets automatically redirected to the login page if he isn't authenticated any more.
In an Ajax case this doesn't work, of course. The problem looks like this:
1. Ajax call to a page page.xhtml to do a partial rerendering
2. the security layer detects that there is no authentication, and redirects to login.xhtml
3. JSF seems not to detect this issue and gives an empty response to the Ajax caller
On the JSF side I have no chance to detect the authentication-failure redirect:
- a valid (new) session is linked before.
- in this new session there is no principal defined, but I can't detect any more whether it is because of an initial call or an Ajax request, because
  - JSF gets a normal request, not declared as an Ajax request
  - JSF gets a normal request for the login page, not the original page
This is a nasty one. The one great big gaping hole in JSF is its poor handling of session timeouts. Some improvements have been made for JSF2, but there's still a long ways to go, even for page views.
I had an interesting discussion several months back with Lincoln Baxter (author of PrettyFaces) about the special problems that AJAX requests have with session timeouts. We decided that it's not pretty and there's no easy solution in sight.
I think you mean "container-managed" authentication, not JAAS, and yes, that's even worse, since application code doesn't get invoked at all when a session has expired. Which means that your AJAX client would need to detect that a j_security_request form had been returned instead of the content you'd been expecting and THEN, once you detected it, you'd have to figure out how to deal with the situation.
An IDE is no substitute for an Intelligent Developer.
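The reply above says the AJAX client is the place where an expired container-managed session can still be noticed: instead of a JSF partial-response, the browser receives either the container's FORM login page (whose form posts to j_security_check) or, as in step 3 of the question, an empty body. The following is an added example, not code from this thread or from JSF itself. It classifies the response text, decides whether the user must log in again, and wires that decision into the JSF 2.0 `jsf.ajax` event and error callbacks. The login page path `/login.xhtml` and the `from` query parameter are assumptions of the example; the sample response bodies are constructed here.

```javascript
// Added example (not from the thread): let the browser side of a JSF 2.0 AJAX
// call recognise an expired container-managed session and send the user to
// the login page instead of silently rendering nothing.

// Constructed sample bodies standing in for what the browser receives.
// 1. A genuine JSF partial-response.
const SAMPLE_PARTIAL_RESPONSE =
  '<?xml version="1.0" encoding="UTF-8"?><partial-response>' +
  '<changes><update id="form:panel"><![CDATA[<div>ok</div>]]></update></changes>' +
  '</partial-response>';
// 2. The container's FORM login page returned in place of the partial-response.
const SAMPLE_LOGIN_FORM =
  '<html><body><form method="post" action="j_security_check">' +
  '<input name="j_username"/><input name="j_password" type="password"/>' +
  '</form></body></html>';
// 3. The empty reply the original poster sees in step 3.
const SAMPLE_EMPTY = '';

// Classify a response body.
// "ok"    -> a real <partial-response>, let jsf.js process it as usual
// "login" -> the container login form (or any other HTML) came back
// "empty" -> nothing came back at all
function classifyAjaxResponse(responseText) {
  const body = (responseText || '').trim();
  if (body === '') return 'empty';
  if (/j_security_check/i.test(body)) return 'login';
  if (/<partial-response[\s>]/.test(body)) return 'ok';
  // Anything else (a full HTML page, a container error page) cannot be
  // applied as a partial update; treat it like a lost session.
  return 'login';
}

// Assumed login page of the application (not a JSF or container constant).
const LOGIN_PAGE = '/login.xhtml';

// Build the URL to navigate to. Passing the current path in a "from"
// parameter is an assumption of this example so the application can send
// the user back after a successful login.
function loginRedirectUrl(loginPage, currentPath) {
  return loginPage + '?from=' + encodeURIComponent(currentPath);
}

// Hook the classifier into the JSF 2.0 JavaScript API. The "complete" event
// exposes responseText; the error callback reports "emptyResponse" or
// "malformedXML" for the blank reply. Both paths share one decision and
// navigate at most once, since a blank reply can trigger both callbacks.
function installSessionExpiryHandler(jsfApi, currentPath, navigate) {
  let redirected = false;
  const decide = (text) => {
    const verdict = classifyAjaxResponse(text);
    if (verdict !== 'ok' && !redirected) {
      redirected = true;
      navigate(loginRedirectUrl(LOGIN_PAGE, currentPath));
    }
    return verdict;
  };
  jsfApi.ajax.addOnEvent((data) => {
    if (data.status === 'complete') decide(data.responseText);
  });
  jsfApi.ajax.addOnError((data) => {
    if (data.status === 'emptyResponse' || data.status === 'malformedXML') {
      decide(data.responseText);
    }
  });
}

// Install only inside a browser page that has loaded jsf.js.
if (typeof jsf !== 'undefined' && typeof window !== 'undefined') {
  installSessionExpiryHandler(jsf, window.location.pathname, (url) => {
    window.location.href = url;
  });
}
```

The classifier deliberately treats any non-partial-response body as a lost session: rendering an unexpected full HTML page into a component tree is never what the caller wanted, and a forced trip to the login page is the safe default. Note that this is purely a client-side workaround for the situation the reply describes; it does not give the server-side PhaseListener from the question any way to see the redirect.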