{"id":950,"date":"2012-04-21T14:49:18","date_gmt":"2012-04-21T12:49:18","guid":{"rendered":"http:\/\/doanduyhai.wordpress.com\/?p=950"},"modified":"2012-04-21T14:49:18","modified_gmt":"2012-04-21T12:49:18","slug":"spring-security-part-vi-session-timeout-handling-for-ajax-calls","status":"publish","type":"post","link":"https:\/\/www.doanduyhai.com\/blog\/?p=950","title":{"rendered":"Spring Security part VI : Session Timeout handling for Ajax calls"},"content":{"rendered":"

Recently when developing the Tatami<\/a> application for the Twitter-like contest, I faced an annoying issue: how to detect an user session timeout when an Ajax request is triggered from the browser ?<\/strong><\/p>\n

If you’re not familiar yet with Spring Security, you can check my previous articles on this framework.<\/p>\n

In this article we’ll see a solution based on Spring Security<\/strong> filter. For those who don’t use Spring Security I’ll show another approach with servlet filter.<\/p>\n

<\/p>\n

Please note that a demo application for this article can be found on GitHub https:\/\/github.com\/doanduyhai\/AjaxSessionExpiration<\/a><\/p><\/blockquote>\n

Edit: the implementation has been changed to simplify Ajax request detection thanks to Marty Jones suggestions.<\/em>
\n <\/p>\n

I The problem<\/h1>\n

Nowadays mobile development is getting more and more important for the business. Many companies provide a mobile interface of their traditional desktop website to address a larger audience.<\/p>\n

The corner-stone of mobile architecture are RESTfull webservices. The underlying implementation relies on Ajax calls to achieve content lazy loading.<\/p>\n

If your resources is protected by a security framework any un-authenticated request will be rejected and the framework redirects you to a login page. The same mechanism applies if the request is Ajax-based.<\/p>\n

However, at the XMLHttpRequest<\/strong> level, it is not possible to detect this redirection. According to the W3C specs<\/a>, the redirection is taken care at browser level and should be transparent for the user (so transparent for the XMLHttpRequest<\/strong> protocol too). What happens it that the Ajax layer receives an HTTP 200 code<\/strong> after the redirection.<\/p>\n

This issue has been widely debated on Stackoverflow at this thead<\/a>.
\nMany contributors suggest to add a special attribute in the JSON response to indicates a redirect or to add a special Javascript callback to parse the response string searching for a DOM element that characterizes the login page and so on.<\/p>\n

My opinion is that all these solutions are not satisfactory because they require many hacks and tamper with the response string\/content itself.
\n <\/p>\n

II The solution<\/h1>\n

A Spring Security<\/h3>\n

1) Algorithm<\/strong><\/h5>\n

Since it is clear that it’s not possible to detect an HTTP Redirect at Javascript level, the job should be done at server side.<\/p>\n

The idea is to add a special filter in the Spring Security chain to detect a session timeout and an incoming Ajax call then return an custom HTTP error code so the Ajax callback function can detect and process properly.<\/p>\n

Below is a pseudo-code of the filter implementation:<\/p>\n