Details
- Type: Bug
- Status: Closed
- Priority: Major
- Resolution: Fixed
- Affects Version/s: 2.0.0
- Fix Version/s: 2.0.1
- Component/s: Documentation, Sample Apps
- Labels: None
- Environment: All
- Affects: Documentation (User Guide, Ref. Guide, etc.), Sample App./Tutorial, Compatibility/Configuration
Description
On a standard ICEfaces application, when the session timeout has been reached and a user interacts with the page a User Session Expire popup will be shown. If push is enabled this will be displayed automatically and if the sessionExpiredRedirectURI is set it will redirect the user to this page.
For an ICEfaces application that has Spring Security 3 integrated this is not the case. Upon session timeout, if a user interacts with the page it remains unresponsive, with no redirect or notification. If the user refreshes the page they will be redirected to the login page, but once logging back into the application, they are faced with an error screen. Upon refreshing the browser here the application is then set to the page where the user should be.
Once the user is logged in, I wait a minute for the session to get invalidated. Then I click on the button.
From the end user's perspective: nothing happens.
From the JavaScript perspective, the button's action triggers iceSubmit, which eventually submits the ajax-backed event in jsf.js. The response is an error because the XML returned from this ajax event is the HTML content from the file associated with session timeout: /timeout.html. This means that the Spring Security filters are intercepting the ajax calls and interpreting them as standard browser requests (and redirecting them).
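The failure described above comes from answering a JSF ajax request with an HTML page where jsf.js expects a partial-response XML document. The following servlet filter is an added example, not code from the ICEfaces project or the fix shipped in 2.0.1: it detects the standard JSF 2 `Faces-Request: partial/ajax` header on a request carrying an expired session id and returns a `<partial-response>` redirect instead of HTML. The class name `AjaxSessionTimeoutFilter` is hypothetical, and the filter is assumed to be mapped ahead of the Spring Security filter chain in web.xml.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter name; map it before the Spring Security filter chain.
public class AjaxSessionTimeoutFilter implements Filter {

    // Timeout page named in the report above; the context path is prepended at runtime.
    private static final String TIMEOUT_PAGE = "/timeout.html";

    // JSF 2 marks its XMLHttpRequest calls with this request header.
    static boolean isJsfAjax(HttpServletRequest req) {
        return "partial/ajax".equals(req.getHeader("Faces-Request"));
    }

    // The browser sent a session id, but the container no longer knows it.
    static boolean sessionExpired(HttpServletRequest req) {
        return req.getRequestedSessionId() != null && !req.isRequestedSessionIdValid();
    }

    // Body that the JSF client-side script understands as "navigate to url".
    static String partialRedirect(String url) {
        String escaped = url.replace("&", "&amp;").replace("\"", "&quot;").replace("<", "&lt;");
        return "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
             + "<partial-response><redirect url=\"" + escaped + "\"/></partial-response>";
    }

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        if (isJsfAjax(req) && sessionExpired(req)) {
            // Reply in the format the ajax caller can parse, then stop the chain
            // so no later filter turns this into a 302 to an HTML page.
            res.setContentType("text/xml");
            res.setCharacterEncoding("UTF-8");
            res.setHeader("Cache-Control", "no-cache");
            res.getWriter().write(partialRedirect(req.getContextPath() + TIMEOUT_PAGE));
            return;
        }
        // Full-page requests and live sessions go on to Spring Security unchanged.
        chain.doFilter(rq, rs);
    }

    public void init(FilterConfig cfg) {}
    public void destroy() {}
}
```

Non-ajax requests are left to Spring Security's own session handling, so a browser refresh still ends up at the login page as before.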