Created
February 12, 2016 16:01
Wrapper for the Spring Security AuthenticationEntryPoint interface that intercepts 302 redirects, which browsers generally do not support for Ajax requests.
import java.io.IOException;
import java.util.Objects;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;
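/**
 * {@link AuthenticationEntryPoint} decorator that replaces the redirect issued by the wrapped
 * entry point with an HTTP error status when the request identifies itself as an Ajax call.
 *
 * <p>A request is treated as Ajax when its {@code X-Requested-With} header equals
 * {@code XMLHttpRequest}. That header is supplied by the client, so it only selects the shape of
 * the response (redirect versus error status) and must not be used for any access decision.
 *
 * <p>Only {@link HttpServletResponse#sendRedirect(String)} is intercepted. A wrapped entry point
 * that redirects by setting the status and the {@code Location} header itself passes through
 * unchanged.
 */
public class AjaxAwareAuthEntryPointWrapper implements AuthenticationEntryPoint {

    // http://getstatuscode.com/440
    // Status sent instead of 401 when the session appears to have timed out; client-side
    // code has to handle this value explicitly.
    private static final int TIMEOUT_ERROR_CODE = 440;

    private final AuthenticationEntryPoint realEntryPoint;

    /**
     * Creates a wrapper around the entry point that performs the actual authentication start.
     *
     * @param toWrap the entry point to delegate to; must not be {@code null}
     * @throws NullPointerException if {@code toWrap} is {@code null}, so that a misconfiguration
     *     fails at construction rather than on the first unauthenticated request
     */
    public AjaxAwareAuthEntryPointWrapper(AuthenticationEntryPoint toWrap) {
        this.realEntryPoint = Objects.requireNonNull(toWrap, "toWrap");
    }

    /**
     * Delegates to the wrapped entry point, handing it a response wrapper for Ajax requests so
     * that a redirect becomes a 4xx error.
     *
     * @param request the request that triggered the authentication failure
     * @param response the response to write to
     * @param authException the exception that caused the invocation
     * @throws IOException if the wrapped entry point or the response throws it
     * @throws ServletException if the wrapped entry point throws it
     */
    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response,
            AuthenticationException authException) throws IOException, ServletException {
        HttpServletResponse proxyRes = response;

        // For an Ajax request use a response wrapper to intercept the 302 and make it a 4xx.
        // Constant-first equals() is null-safe when the header is absent.
        if ("XMLHttpRequest".equals(request.getHeader("X-Requested-With"))) {
            final int errorCode =
                    hasSessionTimedOut(request) ? TIMEOUT_ERROR_CODE : HttpServletResponse.SC_UNAUTHORIZED;

            proxyRes = new HttpServletResponseWrapper(response) {
                @Override
                public void sendRedirect(String location) throws IOException {
                    // Keep the intended redirect target in the Location header, but answer
                    // with the error status on the underlying response instead of a 302.
                    HttpServletResponse target = (HttpServletResponse) getResponse();
                    target.setHeader("Location", location);
                    target.sendError(errorCode);
                }
            };
        }

        realEntryPoint.commence(request, proxyRes, authException);
    }

    /**
     * Reports whether the request carries a session id for which no established session exists.
     *
     * <p>The requested session id comes from the client, so the result is only a hint used to
     * choose between the timeout status and 401; it is not proof that a session ever existed.
     */
    private static boolean hasSessionTimedOut(HttpServletRequest request) {
        String requestedId = request.getRequestedSessionId();
        if (requestedId == null || requestedId.isEmpty()) {
            return false;
        }
        // getSession(false) never creates a session as a side effect of this check.
        return request.getSession(false) == null || request.getSession(false).isNew();
    }
}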
Convenient wrapper class which proxies the `AuthenticationEntryPoint` interface (https://docs.spring.io/spring-security/site/docs/current/apidocs/org/springframework/security/web/AuthenticationEntryPoint.html). It was designed with a CAS Spring Security configuration, but the proxy respects all the interfaces involved and should be neatly abstracted. Within the class a further wrapper is used around the response in order to intercept the `302 Redirect` directly. Due to the nature of `HttpServletResponse`, this needs to be intercepted at the moment it's triggered, no later.