Grails Spring Security plugin: Getting 302 for Ajax Request for timed-out Session
We are using Spring Security plugin version 1.2.7.3 with Grails 2.2.1. In my Config.groovy, I do:

grails.plugins.springsecurity.auth.ajaxLoginFormUrl = "/mylogin/authAjax"

thinking that, when there is an Ajax request, Spring Security will invoke authAjax() in MyloginController if the User's HttpSession has timed out.

As per doc, I ensure that the header X-Requested-With with value XMLHttpRequest is in the Ajax request so the plugin knows it is an Ajax request.

My expectation is authAjax() will be invoked and I can make that return a 401, so the UI knows it needs to pop up another login screen.

However, instead of authAjax() getting invoked, a 302 is returned to the UI with the Location field set to http://localhost:8080/MyApplication/mycontroller/authAjax.

This means I'll have to put in something very hacky on my UI: check for a 302, check the Location field, and then make the user re-login. I would much prefer to have a 401 returned.

Any ideas what I am doing wrong?

Thanks a million.

Deckhouse answered 14/4, 2014 at 16:10

Comments (2):
Could be that your authAjax url is not permitted for everyone. (Haunt)
Did you manage to fix this? (Delighted)

If anyone else has this issue, I found it was simply down to the chainMap rules. I have my REST API sitting under the '/api/' URL, so my chainMap looks like this:

grails.plugin.springsecurity.filterChain.chainMap = [
    [pattern: '/assets/**',      filters: 'none'],
    [pattern: '/**/js/**',       filters: 'none'],
    [pattern: '/**/css/**',      filters: 'none'],
    [pattern: '/**/images/**',   filters: 'none'],
    [pattern: '/**/favicon.ico', filters: 'none'],
    [pattern: '/api/**',         filters: 'JOINED_FILTERS,-anonymousAuthenticationFilter,-exceptionTranslationFilter,-authenticationProcessingFilter,-securityContextPersistenceFilter,-rememberMeAuthenticationFilter'], // Stateless API
    [pattern: '/**',             filters: 'JOINED_FILTERS,-restTokenValidationFilter,-restExceptionTranslationFilter'] // Traditional, session based accesses.
]

The last 2 lines are the important bit: '/api/**' is secured by the Spring Security REST plugin, which is a stateless connection (i.e. each request carries the authentication token). The '/**' rule covers everything else, which requires a stateful session (the non-REST activity). The stateless REST request will return 402 if the token has expired or is invalid in any way, and the stateful non-REST request will return 302 and send your browser round a loop.

Get those rules in the right order and you should be fine.

Trever answered 28/10, 2019 at 10:30
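Spring Security picks the first chainMap entry whose Ant pattern matches the request path, so a catch-all '/**' listed before '/api/**' silently swallows every API request into the session-based chain, which is the situation the answer above is describing. The following Python script is an added illustration, not code from the page or from the Grails plugin: it reimplements a small subset of Ant path matching (`**`, `*`, `?`), walks the answer's chainMap in order, reports which rule captures a given path and whether that rule is stateless, session-based or unsecured, and flags rules that can never be reached because a '/**' entry precedes them. The sample request paths and the misordered variant of the chainMap are constructed for the demonstration.

```python
import re

# chainMap copied from the answer above (patterns and filter strings verbatim).
CHAIN_MAP = [
    {'pattern': '/assets/**',      'filters': 'none'},
    {'pattern': '/**/js/**',       'filters': 'none'},
    {'pattern': '/**/css/**',      'filters': 'none'},
    {'pattern': '/**/images/**',   'filters': 'none'},
    {'pattern': '/**/favicon.ico', 'filters': 'none'},
    {'pattern': '/api/**',         'filters': 'JOINED_FILTERS,-anonymousAuthenticationFilter,'
                                              '-exceptionTranslationFilter,-authenticationProcessingFilter,'
                                              '-securityContextPersistenceFilter,-rememberMeAuthenticationFilter'},
    {'pattern': '/**',             'filters': 'JOINED_FILTERS,-restTokenValidationFilter,'
                                              '-restExceptionTranslationFilter'},
]

# Constructed misconfiguration: the catch-all rule hoisted to the top of the list.
MISORDERED = [CHAIN_MAP[-1]] + CHAIN_MAP[:-1]


def ant_to_regex(pattern):
    """Translate a subset of Ant path syntax into an anchored regex.

    '/**/' matches zero or more directories, a trailing '**' matches the rest of the
    path, '*' matches within one segment and '?' matches one non-slash character.
    This is a simplified model of Spring's AntPathMatcher, not the real implementation.
    """
    out = []
    i = 0
    while i < len(pattern):
        if pattern.startswith('/**/', i):
            out.append('(?:/.*)?/')
            i += 4
        elif pattern.startswith('**', i):
            out.append('.*')
            i += 2
        elif pattern[i] == '*':
            out.append('[^/]*')
            i += 1
        elif pattern[i] == '?':
            out.append('[^/]')
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile('^' + ''.join(out) + '$')


def route(chain_map, path):
    """Return the first rule whose pattern matches `path` (first match wins), or None."""
    for rule in chain_map:
        if ant_to_regex(rule['pattern']).match(path):
            return rule
    return None


def handling_mode(rule):
    """Classify a rule by its filter list: 'none' (unsecured), 'stateless' (no
    securityContextPersistenceFilter, so no HttpSession is consulted) or 'session'."""
    filters = rule['filters']
    if filters == 'none':
        return 'none'
    if '-securityContextPersistenceFilter' in filters.split(','):
        return 'stateless'
    return 'session'


def unreachable_rules(chain_map):
    """Patterns listed after a '/**' catch-all; no request can ever reach them."""
    for i, rule in enumerate(chain_map):
        if rule['pattern'] == '/**':
            return [r['pattern'] for r in chain_map[i + 1:]]
    return []


if __name__ == '__main__':
    # Constructed sample paths: an API call, a normal page and a static script.
    for path in ['/api/users', '/book/list', '/static/js/app.js']:
        for name, chain_map in [('answer order', CHAIN_MAP), ('misordered', MISORDERED)]:
            rule = route(chain_map, path)
            print(f'{name:12s} {path:20s} -> {rule["pattern"]:16s} ({handling_mode(rule)})')
    print('unreachable in misordered map:', unreachable_rules(MISORDERED))
```

With the answer's ordering, `/api/users` lands on the stateless '/api/**' chain while `/book/list` falls through to the session-based '/**' chain; with the catch-all moved to the top, every path, API calls included, is handled by the session-based chain, and `unreachable_rules` lists all six shadowed patterns. Running the same check against your own chainMap before deployment is a cheap way to catch the ordering mistake the answer describes.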
