Win a copy of Kotlin in Action this week in the Kotlin forum!
  • Post Reply Bookmark Topic Watch Topic
  • New Topic

SessionTimeOut Handler with Ajax  RSS feed

Dominik Müller
Ranch Hand
Posts: 36
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hi together,

i have a little problem with JSF 2.0 and SessionTimeouts while AJAX-Requests in a JAAS secured Web Application.

Target: Redirect to Login-Page on SessionTimeouted-Ajax-Call

My idea was to implement a PhaseListener to detect if there is an SessionTimeout. The Problem in this case is: i am using JAAS to authenticate the user.
In "normal" requests, the user gets automatically redirected to the login-page if he isn't authenticated any more.

In an Ajax-Case this doesn't work of course. The Problem looks like this:

1. Ajax-Call to an page page.xhtml to do an partial rerendering
2. the security layer detects that there is no authentication, and redirect to login.xhtml
3. jsf seems not detecting this issue and gives an empty response to the ajax-caller

!on jsf side i have no chance to detect the authentication fails-redirect:
- a valid (new) session is linked before.
- - in this new Session there is no principal defined, but i can't detect any more if it is because of an initial call or an ajax-request because
> jsf gets an normal request, not declared as ajax-request
> jsf gets an normal request for the login page, not the original page

i am running out of ideas..
somebody else?

thanks a lot
Tim Holloway
Posts: 18713
Android Eclipse IDE Linux
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
This is a nasty one. The one great big gaping hole in JSF is its poor handling of session timeouts. Some improvements have been made for JSF2, but there's still a long ways to go, even for page views.

I had an interesting discussion several months back with Lincoln Baxter (author of PrettyFaces) about the special problems that AJAX requests have with session timeouts. We decided that it's not pretty and there's no easy solution in sight.

I think you mean "container-managed" authentication, not JAAS, and yes, that's even worse, since application code doesn't get invoked at all when a session has expired. Which means that your AJAX client would need to detect that a j_security_request form had been returned instead of the content you'd been expecting and THEN, once you detected it, you'd have to figure out how to deal with the situation.
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
Boost this thread!