How to redirect to login page after session timeout?

Raghu Sha
Ranch Hand

Joined: Feb 02, 2013
Posts: 122
Hi,
I am using Spring MVC 3 and I have not configured Spring Security.

Is it mandatory to use Spring Security for handling session timeout?

Could you please provide sample code for how to handle a session timeout, say after 5 mins (without using Spring Security)?

Thanks
Atul Itankar
Greenhorn

Joined: Jan 09, 2013
Posts: 13
The basic thing is to use an api url prefix (i.e. /api/secured) along with an authentication entry point. It is simple and it actually works.

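import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;

import javax.servlet.ServletException;
import javax.servlet.http.*;
import java.io.IOException;

// Entry point that answers unauthenticated API calls with a status code
// and sends every other unauthenticated request to the login page.
public class AjaxAwareAuthenticationEntryPoint
        extends LoginUrlAuthenticationEntryPoint {

    public AjaxAwareAuthenticationEntryPoint(String loginUrl) {
        super(loginUrl);
    }

    @Override
    public void commence(
            HttpServletRequest request,
            HttpServletResponse response,
            AuthenticationException authException)
            throws IOException, ServletException {

        // getRequestURI() includes the context path, so this prefix test
        // matches only when the application is deployed at the root context.
        boolean isAjax
                = request.getRequestURI().startsWith("/api/secured");

        if (isAjax) {
            // API callers get 403 instead of the HTML of the login page.
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "Forbidden");
        } else {
            // Browser navigation: default redirect to the login URL.
            super.commence(request, response, authException);
        }
    }
}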


Thanks
Atul Itankar

InfoCepts | www.infocepts.com
Raghu Sha
Ranch Hand

Joined: Feb 02, 2013
Posts: 122
Thanks.

Where do I need to configure the session timeout, say 30 mins?
Can't we use a different URL format instead of api/secured?
Atul Itankar
Greenhorn

Joined: Jan 09, 2013
Posts: 13
Hi,

You can use this XML code:

<session>
    <ejb-name>ConfigurationBean</ejb-name>
    <concurrent-method>
        <method>
            <method-name>get</method-name>
        </method>
        <lock>Read</lock>
        <access-timeout>
            <timeout>1000</timeout>
            <unit>Milliseconds</unit>
        </access-timeout>
    </concurrent-method>
</session>
Raghu Sha
Ranch Hand

Joined: Feb 02, 2013
Posts: 122
I am not using EJB.
I am using Spring MVC only. I need to achieve this using interceptors in Spring.
Bill Gorder
Bartender

Joined: Mar 07, 2010
Posts: 1680
    

His example was using Spring Security. You can configure your session timeout in your web.xml



Raghu Sha
Ranch Hand

Joined: Feb 02, 2013
Posts: 122
Thanks.
I used interceptors, but the session timeout is not recognized.
Please help.
Bill Gorder
Bartender

Joined: Mar 07, 2010
Posts: 1680
    

Interceptors are too late. If you are not going to use Spring Security, which will do this for you, then you will need to write a Servlet filter. I suggest removing Spring from the question in that case and posting in our Servlet forum. Depending on what you are trying to do you may just need to register an HttpSessionListener in your web.xml.
Raghu Sha
Ranch Hand

Joined: Feb 02, 2013
Posts: 122
Thanks.

Is it not possible to achieve this using interceptors without Spring Security and servlet filters?
Please suggest.

I need to use interceptors but Spring Security is not in place.
Bill Gorder
Bartender

Joined: Mar 07, 2010
Posts: 1680
    

Well, I am not certain something else will not create a new session if it does not exist before you get to your HandlerInterceptor; that depends on your set-up. But theoretically you could do some action if there were no Session using a handler interceptor:



You still have not explained what you are trying to accomplish. If you need to know when a Session expires to perform some action then you must implement HttpSessionListener and handle the sessionDestroyed event there. This listener must then be also registered in your web.xml.

However, if you just want new requests that come in to react in some fashion if a Session does not exist, then a filter (possibly a HandlerInterceptor, depending on your requirements) is more appropriate. You need to give a better explanation of what you are trying to accomplish.


Raghu Sha
Ranch Hand

Joined: Feb 02, 2013
Posts: 122
Thanks.
Here is the scenario:
The user is logged in and his session has expired based on the timeout period configured in web.xml.
If he clicks in the browser it should redirect to the index page.

The above scenario needs to be handled using interceptors, without using Spring Security and servlet filters.

The interceptor is configured but it is not recognizing the web.xml changes. It didn't redirect to the index page after the session expired.
Raghu Sha
Ranch Hand

Joined: Feb 02, 2013
Posts: 122
The interceptor is invoked but the session is not getting invalidated.
Due to that it is not redirecting to the specified page.
The session is still alive. It ignores the timeout parameter specified in web.xml.

session.setAttribute("userId", customer.getUserId());

Below is the configuration.
Let me know if I missed anything.
spring-dispatcher-servlet.xml



AuthTokenInterceptor


web.xml
Bill Gorder
Bartender

Joined: Mar 07, 2010
Posts: 1680
    

Well... For starters, have a look at the Javadoc for HttpServletRequest.

http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletRequest.html

You need to delete this line




You will never have a null session after that line because it will create one if it does not exist.

On a side note you are making your configuration a lot more verbose and difficult than it needs to be. Use annotation based controllers, and you can configure one interceptor to match all controllers.

http://static.springsource.org/spring/docs/3.2.x/spring-framework-reference/html/mvc.html#mvc-config-interceptors
Raghu Sha
Ranch Hand

Joined: Feb 02, 2013
Posts: 122
Removed that line.
No luck.
Still session is alive
Bill Gorder
Bartender

Joined: Mar 07, 2010
Posts: 1680
    

Well that was kind of my concern with an interceptor instead of a filter. Something before your controller could be creating it. You have a few choices:

1. do it in a filter
2. instead of just null checking also check for the presence of your log in credentials



If that does not work then your session is not getting destroyed. You could register an HttpSessionListener in that case and see if the sessionDestroyed event is ever invoked. If not, you have an issue there that has nothing to do with Spring and would be better posted in one of our other forums (which one depends on the container you are using).

Thanks,
Bill
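
The two checks suggested in this thread (never call a method that creates the session before testing for it, and test for the login attribute rather than only for a null session), written as a Spring MVC 3 interceptor. This is an added example, not code posted by anyone in the thread; the class name, the `/index` path and the `X-Requested-With` test are assumptions, while `userId` is the attribute name from Raghu's post.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.springframework.web.servlet.handler.HandlerInterceptorAdapter;

// The timeout itself is container configuration in web.xml (value in minutes):
//   <session-config><session-timeout>30</session-timeout></session-config>
public class SessionTimeoutInterceptor extends HandlerInterceptorAdapter {

    private static final String USER_ATTR = "userId";   // set at login in the thread
    private static final String INDEX_PATH = "/index";  // assumed public landing page

    @Override
    public boolean preHandle(HttpServletRequest request,
                             HttpServletResponse response,
                             Object handler) throws Exception {
        // getSession(false) returns null when no session exists. getSession()
        // would create one, so a null check after it could never fire.
        HttpSession session = request.getSession(false);

        // A session alone proves nothing: something earlier in the chain may
        // have created a fresh, anonymous one. Require the login marker too.
        if (session != null && session.getAttribute(USER_ATTR) != null) {
            return true;
        }

        // Strip the context path so the comparison holds under any deployment path.
        String path = request.getRequestURI()
                             .substring(request.getContextPath().length());
        if (path.equals(INDEX_PATH)) {
            return true; // the public page must stay reachable, or we loop
        }

        // Assumption: script clients send X-Requested-With, as jQuery does.
        if ("XMLHttpRequest".equals(request.getHeader("X-Requested-With"))) {
            // A status code is easier for a script to handle than a redirect.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        } else {
            response.sendRedirect(request.getContextPath() + INDEX_PATH);
        }
        return false; // fail closed: the controller does not run
    }
}
```

The interceptor has to be mapped to every protected path; any handler it does not cover is reachable without a login.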
 
I agree. Here's the link: http://aspose.com/file-tools
 
subject: How to redirect to login page after session timeout?