Redirect handling PrimeFaces Ajax requests on session timeout in Spring Security

Question

I am trying to get the JSF web front-end to redirect to back to the login page (in Spring Security) when the session times-out.

I have tried using a meta-refresh approac

Answer 1

This is a problem with the default way that Spring Security sends redirects back to the client. The default method of sending a redirect to the client is the HTML approach of sending a 302 Temporarily Moved response, however this does not work for AJAX clients. The AJAX client will interpret this as a redirect to a new location to post/get its data and not as a page redirect. The correct way to get the AJAX client to redirect the browser to a new page in the same way as a normal HTML request is:

To override the default invalid session strategy used by Spring Security, you need to create a SessionManagementFilter bean in your Spring config, and pass it a class that implements InvalidSessionStrategy and sends the correct redirect response when a request is received either via HTML or AJAX:

You then need to add this filter to your Spring Security HTTP block:

    
    ...

The custom session management filter will now be created when your application starts, and the invalid session strategy class provided will execute whenever an expired session is found.

A good example of how to implement the invalid session strategy can be found here: https://gist.github.com/banterCZ/5160269

A similar question using IceFaces is available here: JSF 2, Spring Security 3.x and Richfaces 4 redirect to login page on session time out for ajax requests