This week's book giveaway is in the Clojure forum.
We're giving away four copies of Clojure in Action and have Amit Rathore and Francis Avila on-line!
See this thread for details.
Win a copy of Clojure in Action this week in the Clojure forum!
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic

How to redirect to login page after session timeout?

 
Raghu Sha
Ranch Hand
Posts: 122
  • 0
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hi,
I am using spring mvc 3 and i didnt configured for spring security.

Is it mandatory to use spring security for handling session timeout?

could you please provide sample code for how to handle session time out say after 5 mins (Without using spring security)?

Thanks
 
Atul Itankar
Greenhorn
Posts: 13
  • 0
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
The basic thing is to use an api url prefix (i.e. /api/secured) along with an authentication entry point. It is simple and it actually works.

import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;

import javax.servlet.ServletException;
import javax.servlet.http.*;
import java.io.IOException;

public class AjaxAwareAuthenticationEntryPoint
extends LoginUrlAuthenticationEntryPoint {

public AjaxAwareAuthenticationEntryPoint(String loginUrl) {
super(loginUrl);
}

@Override
public void commence(
HttpServletRequest request,
HttpServletResponse response,
AuthenticationException authException)
throws IOException, ServletException {

boolean isAjax
= request.getRequestURI().startsWith("/api/secured");

if (isAjax) {
response.sendError(403, "Forbidden");
} else {
super.commence(request, response, authException);
}
}
}


Thanks
Atul Itankar

InfoCepts | www.infocepts.com
 
Raghu Sha
Ranch Hand
Posts: 122
  • 0
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Thanks.

Where i need to configure the session timeout say 30 mins?
Cant we use different URL format instaed of aip\secured?
 
Atul Itankar
Greenhorn
Posts: 13
  • 0
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hi,

You can use this xml code

<session>
<ejb-name>ConfigurationBean</ejb-name>
<concurrent-method>
<method>
<method-name>get</method-name>
</method>
<lock>Read</lock>
<access-timeout>
<timeout>1000</timeout>
<unit>Milliseconds</unit>
</access-timeout>
</concurrent-method>
</session>
 
Raghu Sha
Ranch Hand
Posts: 122
  • 0
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I am not using ejb.
I am using Spring mvc only. Need to achieve using interceptors in spring
 
Bill Gorder
Bartender
Posts: 1682
7
Android IntelliJ IDE Linux Mac OS X Spring
  • 0
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
His example was using Spring Security. You can configure your session timeout in your web.xml

 
Raghu Sha
Ranch Hand
Posts: 122
  • 0
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Thanks..
I used interceptors. but session timeout is not recognized.
please help
 
Bill Gorder
Bartender
Posts: 1682
7
Android IntelliJ IDE Linux Mac OS X Spring
  • 0
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Interceptors are too late. If you are not going to use Spring Security which will do this for you, then you will need to write a Servlet filter. I suggest removing Spring from the question in that case and posting in our Servlet forum. Depending on what you are tring to do you may just need to register an HttpSessionListener in your web.xml
 
Raghu Sha
Ranch Hand
Posts: 122
  • 0
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Thanks.

It is not possible to achive using interceptors without spring security & servlet filters?
Please suggest.

I need to use interceptors but spring security is not in place.
 
Bill Gorder
Bartender
Posts: 1682
7
Android IntelliJ IDE Linux Mac OS X Spring
  • 0
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Well I am not certain something else will not create a new session if it does not exist before you get to your HandlerInterceptor, that depends on your set-up. but theoretically you could do some action if there were no Session using a handler intercepter:



You still have not explained what you are trying to accomplish. If you need to know when a Session expires to perform some action then you must implement HttpSessionListener and handle the sessionDestroyed event there. This listener must then be also registered in your web.xml.

However if you just want new requests that come in to react in some fashion if a Session does not exist then a filter (possibly a HanderIntercepter depending on your requirements) is more appropriate. You need to give a better explanation of what you are trying to accomplish.


 
Raghu Sha
Ranch Hand
Posts: 122
  • 0
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Thanks..
Here is the scenario...
If user is logged in and his session got expired based on the timeout period cofigured in web.xml.
If he clicks the browser it shoud re-direct to index page.

The above secnario needs to be handled using interceptors without using Spring security & servlet filters.

Interceptor is configred but it is not recognizing web.xml changes. I didnt redirect to index page after session expired.
 
Raghu Sha
Ranch Hand
Posts: 122
  • 0
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Interceptor is invoked but session is not get invalidated.
Due to that it is not redirecting to specified page.
Still session is alive. It ignores timeout parameter specified in web.xml

session.setAttribute("userId", customer.getUserId());

Below are the configuration.
Let me know if i missed anything
spring-dispatcher-servlet.xml



AuthTokenInterceptor


web.xml
 
Bill Gorder
Bartender
Posts: 1682
7
Android IntelliJ IDE Linux Mac OS X Spring
  • 0
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Well... For starter have a look at the Java doc for HttpServletRequest.

http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html

You need to delete this line




You will never have a null session after that line because it will create one if it does not exist.

On a side note you are making your configuration a lot more verbose and difficult than it needs to be. Use annotation based controllers, and you can configure one interceptor to match all controllers.

http://static.springsource.org/spring/docs/3.2.x/spring-framework-reference/html/mvc.html#mvc-config-interceptors
 
Raghu Sha
Ranch Hand
Posts: 122
  • 0
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Removed that line.
No luck.
Still session is alive
 
Bill Gorder
Bartender
Posts: 1682
7
Android IntelliJ IDE Linux Mac OS X Spring
  • 0
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Well that was kind of my concern with an interceptor instead of a filter. Something before your controller could be creating it. You have a few choices:

1. do it in a filter
2. instead of just null checking also check for the presence of your log in credentials



If that does not work then your session is not getting destroyed. You could register a HttpSessionListener in that case and see if the sessionDestroyed event is ever invoked. If not you have an issue there, that has nothing to do with Spring and would be better posted in one of our other forums (which one depends on the container you are using).

Thanks,
Bill
 
I agree. Here's the link: http://aspose.com/file-tools
  • Post Reply
  • Bookmark Topic Watch Topic
  • New Topic