JSF 2，Spring Security 3.x和Richfaces 4在会话超时时重定向到登录页面以处理ajax请求 [英] JSF 2, Spring Security 3.x and Richfaces 4 redirect to login page on session time out for ajax requests

问题描述

这似乎是一个非常普遍的问题.但是我找不到任何可行的解决方案.我们正在使用Richafaces 4，Myfaces 2.0.5和Spring security 3.0.X.

在ajax/非ajax请求的会话时间上，应将用户重定向到登录页面.重新登录后，应向他显示先前执行的ajax/非ajax操作.

非ajax请求不会遇到任何问题.但是对于ajax请求，不会将用户重定向到登录页面.

我已点击此链接 https://community.jboss.org/message/729913#729913 并实现了servlet方法.该解决方案只能在Firefox中使用，而不能在IE 8中使用.

即使在会话超时时正确重定向到登录页面，也可能会有另一个问题.我期望先前登录的Ajax请求成功登录后会出现ViewExpiredException.

我想带来ViewExpiredException，因为这两个问题可能相互关联.

任何解决方案/潜在客户都会受到赞赏.

解决方案

由于您使用的是Spring Security 3.0.x，因此可以按照此处可用

如果您使用的是Spring Security 3.1.x，请进行以下更改

 <beans:bean id="sessionManagementFilter" class="org.springframework.security.web.session.SessionManagementFilter">
    <beans:constructor-arg name="securityContextRepository" ref="httpSessionSecurityContextRepository" />
            <!-- this permits redirection to session timeout page from javascript/ajax or http -->
    <beans:property name="invalidSessionStrategy" ref="jsfRedirectStrategy" />
</beans:bean>

<beans:bean id="jsfRedirectStrategy" class="com.icesoft.spring.security.JsfRedirectStrategy">
  <beans:constructor-arg name="invalidSessionUrl" value="/general/logins/sessionExpired.jsf" />
</beans:bean>
<beans:bean id="httpSessionSecurityContextRepository" class="org.springframework.security.web.context.HttpSessionSecurityContextRepository"/>

对JSFRedirectStrategy类的唯一更改是前几行:

public class JsfRedirectStrategy implements InvalidSessionStrategy {
protected final Log logger = LogFactory.getLog(getClass()); 
     private String invalidSessionUrl;
private boolean contextRelative;

public JsfRedirectStrategy(String invalidSessionUrl){
    this.invalidSessionUrl=invalidSessionUrl;
}

@Override
public void onInvalidSessionDetected(HttpServletRequest request,
        HttpServletResponse response) throws IOException, ServletException {
    String redirectUrl = calculateRedirectUrl(request.getContextPath(), invalidSessionUrl);

这也适用于IE8.如果您有兴趣，可以查看此博客，但是我从未尝试过这样做，因为上面的操作要容易得多.

仅供参考:如果您不使用Spring，则有很多方法可以做到这一点: Primefaces在其站点上执行此操作. 链接 甚至通过导入Omnifaces jar 链接

It seems a very common problem. But I couldn't find any working solution. We are using Richafaces 4, Myfaces 2.0.5 and Spring security 3.0.X.

On session time for ajax/non ajax requests, the user should be redirected to log in page.after logging back he should be shown the previously performed ajax/non ajax operation.

We are not facing any issue with non ajax requests. But for ajax requests, the user is not redirected to log in page.

I have followed this link https://community.jboss.org/message/729913#729913 and implemented servlet approach. the solution worked in Firefox, not in IE 8.

There could be one more problem even if it is properly redirected to log in page on session time out. I am expecting a ViewExpiredException on successful login for the previously invoked ajax request.

I wanted to bring the ViewExpiredException, since both these problems could be related each other.

Any solutions/leads will be appreciated.

解决方案

Since you use Spring Security 3.0.x, you can use custom sessionManagementFilter as described here

The class com.icesoft.spring.security.JsfRedirectStrategy is available here

If you are using Spring Security 3.1.x make these changes

 <beans:bean id="sessionManagementFilter" class="org.springframework.security.web.session.SessionManagementFilter">
    <beans:constructor-arg name="securityContextRepository" ref="httpSessionSecurityContextRepository" />
            <!-- this permits redirection to session timeout page from javascript/ajax or http -->
    <beans:property name="invalidSessionStrategy" ref="jsfRedirectStrategy" />
</beans:bean>

<beans:bean id="jsfRedirectStrategy" class="com.icesoft.spring.security.JsfRedirectStrategy">
  <beans:constructor-arg name="invalidSessionUrl" value="/general/logins/sessionExpired.jsf" />
</beans:bean>
<beans:bean id="httpSessionSecurityContextRepository" class="org.springframework.security.web.context.HttpSessionSecurityContextRepository"/>

The only change to the JSFRedirectStrategy class are the first few lines:

public class JsfRedirectStrategy implements InvalidSessionStrategy {
protected final Log logger = LogFactory.getLog(getClass()); 
     private String invalidSessionUrl;
private boolean contextRelative;

public JsfRedirectStrategy(String invalidSessionUrl){
    this.invalidSessionUrl=invalidSessionUrl;
}

@Override
public void onInvalidSessionDetected(HttpServletRequest request,
        HttpServletResponse response) throws IOException, ServletException {
    String redirectUrl = calculateRedirectUrl(request.getContextPath(), invalidSessionUrl);

This works with IE8 also. If you are interested you can look at this blog also, but I never tried this as the above was much easier.

FYI: If you do not do Spring there are many ways to do this: Primefaces does this on their site. link Or even simpler by importing Omnifaces jar link

这篇关于JSF 2，Spring Security 3.x和Richfaces 4在会话超时时重定向到登录页面以处理ajax请求的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！