SessionTimeOut Handler with Ajax

 
Ranch Hand
Posts: 36
Hi all,

I have a little problem with JSF 2.0 and session timeouts during AJAX requests in a JAAS-secured web application.

Target: redirect to the login page when an AJAX call hits a session timeout.

My idea was to implement a PhaseListener to detect whether there is a session timeout. The problem in this case is that I am using JAAS to authenticate the user.
In "normal" requests, the user is automatically redirected to the login page if he isn't authenticated any more.

In the AJAX case this doesn't work, of course. The problem looks like this:

1. An AJAX call is made to a page, page.xhtml, to do a partial re-rendering.
2. The security layer detects that there is no authentication and redirects to login.xhtml.
3. JSF seems not to detect this issue and gives an empty response to the AJAX caller.

On the JSF side I have no chance to detect the redirect caused by the failed authentication:
- A valid (new) session has already been linked.
- In this new session there is no principal defined, but I can no longer detect whether that is because of an initial call or an AJAX request, because:
  - JSF gets a normal request, not one declared as an AJAX request
  - JSF gets a normal request for the login page, not the original page

I am running out of ideas...
Somebody else?

Thanks a lot,
Dominik.
 
Saloon Keeper
Posts: 27763
This is a nasty one. The one great big gaping hole in JSF is its poor handling of session timeouts. Some improvements have been made for JSF2, but there's still a long ways to go, even for page views.

I had an interesting discussion several months back with Lincoln Baxter (author of PrettyFaces) about the special problems that AJAX requests have with session timeouts. We decided that it's not pretty and there's no easy solution in sight.

I think you mean "container-managed" authentication, not JAAS, and yes, that's even worse, since application code doesn't get invoked at all when a session has expired. Which means that your AJAX client would need to detect that a j_security_request form had been returned instead of the content you'd been expecting and THEN, once you detected it, you'd have to figure out how to deal with the situation.
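The client-side detection described in the reply above, sketched as an added example that is not part of the thread or of any poster's code. It assumes the login form posts to the Servlet-standard `j_security_check` action and that the page loads JSF 2's `jsf.js`; `classifyAjaxResponse` and `installSessionTimeoutHandler` are hypothetical names, and the sample bodies are constructed.

```javascript
// Added example: decide what an XHR actually received for a JSF 2 partial request.
// Constructed sample bodies (not captured from a real application):
const SAMPLE_PARTIAL =
  '<?xml version="1.0" encoding="UTF-8"?>' +
  '<partial-response id="j_id1"><changes>' +
  '<update id="form:out"><![CDATA[<span>ok</span>]]></update>' +
  '</changes></partial-response>';
const SAMPLE_LOGIN_PAGE =
  '<html><body><form method="post" action="/app/j_security_check">' +
  '<input name="j_username"/><input type="password" name="j_password"/>' +
  '</form></body></html>';

// Returns "partial", "login", "empty" or "unexpected".
function classifyAjaxResponse(responseCode, responseText) {
  const body = (responseText || "").trim();
  // Some setups answer an unauthenticated XHR with a status instead of a redirect.
  if (responseCode === 401 || responseCode === 403) return "login";
  if (body === "") return "empty";
  // A genuine JSF 2 AJAX reply is XML rooted at <partial-response>.
  const root = body.replace(/^<\?xml[^>]*\?>\s*/, "");
  if (/^<partial-response[\s>]/.test(root)) return "partial";
  // XHR followed the container's redirect silently, so the login form arrives
  // with status 200. Assumption: the form posts to the Servlet-standard
  // j_security_check action.
  if (/<form\b[^>]*\baction\s*=\s*["'][^"']*j_security_check/i.test(body)) {
    return "login";
  }
  return "unexpected";
}

// Hypothetical helper: hook the classifier into JSF's client-side error callback.
// A full (non-AJAX) reload lets the container perform its normal login redirect.
function installSessionTimeoutHandler(jsfApi, reload) {
  jsfApi.ajax.addOnError(function (data) {
    const kind = classifyAjaxResponse(data.responseCode, data.responseText);
    if (kind === "login" || kind === "empty") reload();
  });
}

// Only wire it up when running in a page that has loaded jsf.js.
if (typeof jsf !== "undefined" && typeof window !== "undefined") {
  installSessionTimeoutHandler(jsf, function () { window.location.reload(); });
}
```

The partial-response check runs before the login-form check, so a legitimate partial update whose markup happens to contain a login form is not misclassified.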
 