Also commented on StackOverflow and sent a private mail with some code. In case anyone else finds this of value, here is the S/O answer:
====================================

What is happening is that the redirect is handled seamlessly by the browser in your Ajax call, so Shiro does redirect to the login page and the end result of your Ajax request is the HTML content of the login page, which isn't really what you want!

The gist of how to work around this is to add a (custom) Shiro filter to your Ajax API URLs that checks the Subject for being authenticated and, instead of redirecting to login, returns a response that your Ajax request understands to indicate that the user is not logged in. Client-side handling of this response can then do a redirect to the login page (or perhaps the same page, because Shiro will then redirect to login but can be configured to remember where you were trying to go and hence take the user back to the correct page upon successful login).

My filter implementation returns HTTP code 401 along with a "WWW-Authentication" header and a custom "challenge scheme" (if you did a basic authentication challenge then the browser would pop up its basic authentication dialog; there is already a Shiro filter that does this). In your Ajax call you need to detect this response; currently I have a clunky error callback that does it, BUT I think it should be possible to modify the JavaScript library (jQuery, whatever) to handle this seamlessly.

====================================

-----Original Message-----
From: Jared Bunting [mailto:[email protected]]
Sent: 23 August 2012 23:14
To: [email protected]
Cc: alarinn
Subject: Re: Session Timeout doesn't redirect to login page

Commented on your StackOverflow question [1], but the gist of it is, this is working as expected. There was another user recently who was encountering a similar issue [2].
-Jared

[1] http://stackoverflow.com/questions/12099262/jsf-2-spring-3-shiro-session-timeout-doesnt-redirect-to-login-page
[2] http://shiro-user.582556.n2.nabble.com/Web-Filter-to-return-HTTP-status-code-td7577672.html

On Thu 23 Aug 2012 02:09:41 PM CDT, alarinn wrote:
> I have my applicationContext like this:
>
> <bean id="shiroFilter"
>       class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
>     <property name="securityManager" ref="securityManager" />
>     <property name="loginUrl" value="/index.faces"/>
>     <property name="filterChainDefinitions">
>         <value>
>             /* = authc
>         </value>
>     </property>
> </bean>
> <bean id="securityManager"
>       class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">
>     <property name="realm" ref="opacsRealm" />
> </bean>
>
> <bean id="lifecycleBeanPostProcessor"
>       class="org.apache.shiro.spring.LifecycleBeanPostProcessor" />
>
> <bean id="sha512Matcher"
>       class="org.apache.shiro.authc.credential.HashedCredentialsMatcher">
>     <property name="hashAlgorithmName" value="SHA-256" />
>     <property name="hashIterations" value="1024" />
> </bean>
>
> <bean id="opacsRealm" class="org.apache.shiro.realm.jdbc.JdbcRealm">
>     <property name="dataSource" ref="dataSource" />
>     <property name="authenticationQuery"
>               value="select PASSWORD, SALT from SEC_USERS where NAME = ?" />
>     <property name="userRolesQuery"
>               value="SELECT ROLE_NAME FROM SEC_USERS_ROLES WHERE USER_NAME = ?" />
>     <property name="permissionsQuery"
>               value="SELECT permission FROM SEC_ROLES_PERMISSIONS WHERE ROLE_NAME = ?" />
>     <property name="permissionsLookupEnabled" value="true" />
>     <property name="saltStyle" value="COLUMN" />
>     <property name="credentialsMatcher" ref="sha512Matcher"/>
> </bean>
>
> What is happening is when the session times out, the app doesn't
> respond to events like command buttons and ajax (PrimeFaces), which is
> good. But there is no redirect to the index.faces page. It will do
> that if I refresh the browser, but no other trigger will redirect. Is
> there anything else I need to do to get Shiro to redirect to the login
> page whenever session timeout occurs? I am using the session timeout
> property in the web.xml so it's all container-based. Thanks!
>
> --
> View this message in context:
> http://shiro-user.582556.n2.nabble.com/Session-Timeout-doesn-t-redirect-to-login-page-tp7577730.html
> Sent from the Shiro User mailing list archive at Nabble.com.
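The custom filter described in the S/O answer above, written out as an added example (it is not code from the original post, from the poster's private mail, or from the Shiro project). It extends Shiro's AccessControlFilter, answers unauthenticated Ajax calls with 401 and a challenge header, and falls back to Shiro's normal save-request-and-redirect for ordinary browser navigation. The package, class and scheme names, the "application" realm string, the /api/ prefix and the use of the X-Requested-With header to recognise Ajax calls are all assumptions. Note the response header's real name is WWW-Authenticate (RFC 7235), not "WWW-Authentication" as written in the message above; a client looking for the wrong name will never see the challenge.

```java
// Added example; not code from the original post or from Apache Shiro.
// Package, class and scheme names are assumptions.
package example.shiro;

import java.io.IOException;

import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.AccessControlFilter;
import org.apache.shiro.web.util.WebUtils;

/**
 * Replacement for "authc" on Ajax API URLs. The stock filter answers an
 * unauthenticated request with a redirect to loginUrl; XMLHttpRequest follows
 * that redirect silently, so the Ajax caller receives the login page's HTML
 * with status 200. This filter instead returns 401 plus a WWW-Authenticate
 * header carrying a custom scheme that client-side script can recognise.
 */
public class AjaxAuthenticationFilter extends AccessControlFilter {

    /** Custom challenge scheme (name is an assumption). Deliberately not
     *  "Basic": a Basic challenge makes the browser open its own login dialog. */
    public static final String CHALLENGE_SCHEME = "AjaxLogin";

    /** Realm parameter for the challenge; assumed default, settable from Spring. */
    private String realmName = "application";

    public void setRealmName(String realmName) {
        this.realmName = realmName;
    }

    @Override
    protected boolean isAccessAllowed(ServletRequest request, ServletResponse response,
                                      Object mappedValue) {
        // Once the container session has expired the Subject is anonymous again,
        // so this returns false for every request made after a timeout.
        Subject subject = getSubject(request, response);
        return subject != null && subject.isAuthenticated();
    }

    @Override
    protected boolean onAccessDenied(ServletRequest request, ServletResponse response)
            throws IOException {
        HttpServletRequest httpReq = WebUtils.toHttp(request);
        HttpServletResponse httpResp = WebUtils.toHttp(response);

        if (!isAjax(httpReq)) {
            // Plain browser navigation keeps the normal behaviour: Shiro saves
            // the requested URL and redirects to loginUrl, so the user lands
            // back on the page they wanted after logging in.
            saveRequestAndRedirectToLogin(request, response);
            return false;
        }

        httpResp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        httpResp.setHeader("WWW-Authenticate",
                CHALLENGE_SCHEME + " realm=\"" + realmName + "\"");
        // Small machine-readable body so callers need not parse headers.
        httpResp.setContentType("application/json");
        httpResp.getWriter().write("{\"error\":\"not_authenticated\"}");
        return false; // stop the chain; the API handler must not run
    }

    /** jQuery and most other Ajax libraries send this header on XMLHttpRequest calls. */
    private static boolean isAjax(HttpServletRequest req) {
        return "XMLHttpRequest".equalsIgnoreCase(req.getHeader("X-Requested-With"));
    }
}

// Registration in the Spring context from the original message (added lines;
// the /api/ prefix is an assumption):
//
//   <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
//       <property name="securityManager" ref="securityManager" />
//       <property name="loginUrl" value="/index.faces" />
//       <property name="filters">
//           <map>
//               <entry key="ajaxAuthc">
//                   <bean class="example.shiro.AjaxAuthenticationFilter" />
//               </entry>
//           </map>
//       </property>
//       <property name="filterChainDefinitions">
//           <value>
//               /api/** = ajaxAuthc
//               /* = authc
//           </value>
//       </property>
//   </bean>
//
// Chain definitions are matched first-match-wins, so the /api/** line must
// appear before the catch-all /* line or the stock redirect still fires.
```

On the client, the "clunky error callback" the answer mentions can be centralised with jQuery's global statusCode option: a 401 handler registered through $.ajaxSetup that reads jqXHR.getResponseHeader("WWW-Authenticate"), checks that it starts with the custom scheme, and only then sends the browser to the login page. Checking the scheme rather than the bare status matters because other 401s (for example from a proxy or a different backend) should not be turned into a silent logout.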
