SessionTimeOut Handler with Ajax

Dominik Müller
Ranch Hand

Joined: Apr 28, 2009
Posts: 36
Hi all,

I have a little problem with JSF 2.0 and session timeouts during AJAX requests in a JAAS-secured web application.

Target: redirect to the login page when an AJAX call hits a timed-out session.

My idea was to implement a PhaseListener to detect whether there is a session timeout. The problem in this case is that I am using JAAS to authenticate the user.
In "normal" requests, the user is automatically redirected to the login page if he isn't authenticated any more.

In the AJAX case this doesn't work, of course. The problem looks like this:

1. An AJAX call to a page, page.xhtml, to do a partial re-rendering
2. The security layer detects that there is no authentication and redirects to login.xhtml
3. JSF seems not to detect this issue and gives an empty response to the AJAX caller

On the JSF side I have no chance to detect the redirect caused by the failed authentication:
- A valid (new) session is linked before.
- In this new session there is no principal defined, but I can't detect any more whether that is because of an initial call or an AJAX request, because:
  - JSF gets a normal request, not one declared as an AJAX request
  - JSF gets a normal request for the login page, not the original page

I am running out of ideas.
Anybody else?

Thanks a lot,
Dominik.
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 15950
    

This is a nasty one. The one great big gaping hole in JSF is its poor handling of session timeouts. Some improvements have been made for JSF2, but there's still a long ways to go, even for page views.

I had an interesting discussion several months back with Lincoln Baxter (author of PrettyFaces) about the special problems that AJAX requests have with session timeouts. We decided that it's not pretty and there's no easy solution in sight.

I think you mean "container-managed" authentication, not JAAS, and yes, that's even worse, since application code doesn't get invoked at all when a session has expired. Which means that your AJAX client would need to detect that a j_security_request form had been returned instead of the content you'd been expecting and THEN, once you detected it, you'd have to figure out how to deal with the situation.


Customer surveys are for companies who didn't pay proper attention to begin with.
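
The client-side detection described in the reply above, sketched as an added example that is not code from either poster. It assumes the login page is a standard servlet form-login page whose form posts to `j_security_check`; `LOGIN_URL`, the function names and the sample responses are hypothetical.

```javascript
// Added example. LOGIN_URL and the marker pattern are assumptions; adjust to the app.
const LOGIN_URL = 'login.xhtml'; // login page named in the question
const LOGIN_FORM_MARKER = /<form[^>]*j_security_check/i; // servlet form-login action

// Classify the body returned for a JSF ajax request.
// XMLHttpRequest follows the container's redirect transparently, so an expired
// session normally shows up as the login page HTML, not as a redirect status.
function classifyAjaxResponse(contentType, body) {
  const text = (body || '').trim();
  const type = (contentType || '').toLowerCase();
  if (text === '') return 'empty';
  if (type.includes('xml') && /^(<\?xml[^>]*\?>\s*)?<partial-response[\s>]/.test(text)) {
    // A JSF partial response can itself carry a <redirect url="..."/> element.
    const redirect = text.match(/<redirect\s+url="([^"]*)"/);
    return redirect && redirect[1].includes(LOGIN_URL) ? 'login' : 'partial';
  }
  if (LOGIN_FORM_MARKER.test(text)) return 'login';
  return 'unknown';
}

// `navigate` is injected; in a browser: url => window.location.assign(url).
// Always navigate to the fixed LOGIN_URL, never to a URL read from the response.
function handleAjaxResponse(response, navigate) {
  const kind = classifyAjaxResponse(response.contentType, response.body);
  // 'empty' counts as a lost session because that is the symptom reported
  // in the question (assumption; other causes of an empty body are possible).
  if (kind === 'login' || kind === 'empty') navigate(LOGIN_URL);
  return kind;
}

// Constructed sample responses (not captured from a real server).
const SAMPLE_PARTIAL = {
  contentType: 'text/xml;charset=UTF-8',
  body: "<?xml version='1.0' encoding='UTF-8'?>\n<partial-response><changes>" +
        '<update id="form:out"><![CDATA[<span>ok</span>]]></update></changes></partial-response>',
};
const SAMPLE_LOGIN_PAGE = {
  contentType: 'text/html;charset=UTF-8',
  body: '<html><body><form method="post" action="j_security_check">' +
        '<input name="j_username"/><input type="password" name="j_password"/></form></body></html>',
};
const SAMPLE_REDIRECT = {
  contentType: 'text/xml',
  body: '<partial-response><redirect url="/app/login.xhtml"></redirect></partial-response>',
};
```

In a JSF 2 page this check could be called from a listener registered with `jsf.ajax.addOnEvent` or `jsf.ajax.addOnError`.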
 