Sadly, Les, they couldn't quite do what I wanted (I don't think so, anyway). The FormAuthenticationFilter / PassThrough causes the browser to redirect in a way that is transparent to the AJAX call, so the AJAX call ultimately receives a 200 OK with the login page as the response body.

I ended up implementing it as follows: FormAuthenticationFilter secures the application web page, redirecting to login, which on success takes the user to the application web page; all of this is a non-AJAX standard form submit. The AJAX API is filtered with a simple filter (that inherits from up the hierarchy in AccessControlFilter) that does a subject.isAuthenticated check in "isAccessAllowed" and in its "onAccessDenied" handles the response by sending a 401 with a WWW-Authentication header and a custom challenge scheme that the AJAX client understands. Seems to work nicely enough; I'm planning to write it up, so will post a link in case anyone else is interested in a similar thing.

Regards,
Marcus.

From: Les Hazlewood [mailto:[email protected]]
Sent: 07 August 2012 00:44
To: [email protected]
Subject: Re: Web Filter to return HTTP status code

Hi Marcus,

Will the existing FormAuthenticationFilter or PassThruAuthenticationFilter (or any non-HTTP-header-based Filter) not work? These Filters already perform a 302 (or 303) redirect to a configured 'loginPage' property. Regardless of the client (AJAX or not), the response is still going to be an HTTP 302 (or 303) with the Location header set. Is that enough? Or might something else be required?

Cheers,

--
Les Hazlewood | @lhazlewood
CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282
Stormpath wins GigaOM Structure Launchpad Award! http://bit.ly/MvZkMk

On Fri, Aug 3, 2012 at 5:23 AM, Marcus Bond <[email protected]> wrote:

Hi,

Just wondered if there is a web filter configuration that would allow a custom HTTP status code and message to be passed to a client in the event that they are not logged in (e.g. session timeout)? My current setup is that one set of resources has noSessionCreation, authcBasic filters enforcing basic authentication on every request (this is an external API), and another set uses authc, since this is for a browser and redirects to the login page in the event the user is not logged in.

However, the browser app is actually AJAX based, and in the event the user's session has timed out what happens is that I get an OK response from the server with the contents of the login page, since the browser "handles" the "302 moved temporarily" itself within the AJAX call. Since a user must log in prior to reaching the AJAX-based pages, what would be ideal is a filter on the AJAX API that doesn't have any built-in authentication mechanism (no forms, no HTTP headers) and relies on an existing session. In the event this has timed out, I would like to simply set the HTTP status on the response and perhaps the Location header to allow the AJAX client to send the browser to the login page (effectively letting the client side handle what the FormAuthenticationFilter currently does). Is there anything existing that can do this (I will roll my own if necessary but am trying to avoid reinventing the wheel)?

Regards,
Marcus.
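Added example, not Marcus's code (he says he will write his own up separately) and not part of Apache Shiro itself: a Shiro AccessControlFilter subclass of the shape described above, which does no authentication of its own, only checks for an already-authenticated Subject, and answers 401 with a custom WWW-Authenticate scheme instead of a 302 so that the XHR caller sees the denial rather than a transparently-followed redirect to the login page. The class name, the scheme name AjaxLogin and the X-Login-Url header are assumptions; isAccessAllowed, onAccessDenied, getSubject, getLoginUrl and WebUtils.toHttp are real Shiro 1.x API.

```java
package example.web; // hypothetical package

import java.io.IOException;

import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.AccessControlFilter;
import org.apache.shiro.web.util.WebUtils;

/**
 * Protects an AJAX API that relies on a session established earlier by the
 * (non-AJAX) form login. Unlike FormAuthenticationFilter it never redirects:
 * a browser follows a 302 inside an XMLHttpRequest transparently, so the JS
 * caller would otherwise get a 200 OK whose body is the login page HTML.
 * Instead an unauthenticated request gets a 401 with a custom challenge the
 * client-side code recognises and turns into a full-page navigation to login.
 */
public class AjaxSessionAuthFilter extends AccessControlFilter {

    /** Custom challenge scheme (assumed name). Browsers only show a native
     *  credentials dialog for schemes they implement (Basic, Digest, ...), so an
     *  unknown scheme leaves handling entirely to the XHR caller. */
    public static final String CHALLENGE_SCHEME = "AjaxLogin";

    /** Assumed header carrying the login page URL, so the client need not hard-code it. */
    public static final String LOGIN_URL_HEADER = "X-Login-Url";

    @Override
    protected boolean isAccessAllowed(ServletRequest request, ServletResponse response,
                                      Object mappedValue) {
        Subject subject = getSubject(request, response);
        // No credentials are read from the request; only an already-authenticated
        // session passes. A merely "remembered" (rememberMe) subject is rejected,
        // matching the strictness of Shiro's 'authc' filter.
        return subject.isAuthenticated();
    }

    @Override
    protected boolean onAccessDenied(ServletRequest request, ServletResponse response)
            throws IOException {
        HttpServletResponse http = WebUtils.toHttp(response);
        http.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        http.setHeader("WWW-Authenticate", CHALLENGE_SCHEME + " realm=\"application\"");
        // loginUrl is the standard AccessControlFilter property, settable from shiro.ini.
        http.setHeader(LOGIN_URL_HEADER, getLoginUrl());
        // Never let an intermediary or the browser cache the denial.
        http.setHeader("Cache-Control", "no-store");
        http.setContentType("text/plain");
        http.getWriter().write("Not authenticated");
        // false: the response is complete, do not continue the filter chain.
        return false;
    }
}
```

Wiring it in shiro.ini follows the usual pattern: declare the bean in [main] (e.g. `ajaxAuth = example.web.AjaxSessionAuthFilter` and `ajaxAuth.loginUrl = /login.jsp`), then map it in [urls] (e.g. `/api/ajax/** = ajaxAuth`) while the page itself stays on `authc` and the external API on `noSessionCreation, authcBasic` as in Marcus's setup. On the client side the XHR error handler checks for status 401 and a WWW-Authenticate value starting with the custom scheme, then sets `window.location` to the X-Login-Url value; anything else is treated as an ordinary API error. Because this filter reads no credentials at all, it cannot be used to brute-force or replay a login; its only input is whether Shiro already considers the Subject authenticated.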
