[ICE-8108] ICEfaces session expiry popup with Spring Security - ICEsoft JIRA Issue Tracker

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: EE-3.0.0.GA
Fix Version/s: 3.1, EE-3.0.0.GA_P01
Component/s: Framework
Labels:
None
Environment:
spring-framework 3.0.5, spring-security 3.0.5, ICEfaces EE 3.0.0.GA, Chrome Firefox, IE9

Assignee Priority:
P2
Workaround Description:

Hide
A session expiry page can be used instead of a popup.
However, without the popup, there is a certain inconsistency between the screen and the application state. The screen shows the user that application is in session while in fact it has timed out (on the server) and only by interacting with the application does the user find out the session has in fact timed out. With the pop up on the other hand, there is no inconsistency, as the screen reflects in real time application's state.

Show
A session expiry page can be used instead of a popup. However, without the popup, there is a certain inconsistency between the screen and the application state. The screen shows the user that application is in session while in fact it has timed out (on the server) and only by interacting with the application does the user find out the session has in fact timed out. With the pop up on the other hand, there is no inconsistency, as the screen reflects in real time application's state.

Description

ICEfaces session timeout popup with reset button no longer works when used with spring security libraries.

Options
- Sort By Name
- Sort By Date
- Ascending
- Descending
- Download All

Attachments

redirectAfterSessionExpiryReloadButtonClick.jpg

63 kB

15/May/12 2:07 PM
screenshot1.jpg

277 kB

18/May/12 2:25 PM
SpringSecurityWithICEpush.jpg

556 kB

15/May/12 2:07 PM

Activity

Ascending order - Click to sort in descending order

Hide

Permalink

Evgheni Sadovoi added a comment - 15/May/12 2:08 PM

The following test was performed against Spring Security sample application to check validity of this JIRA:

1. Added ICEpush dependancy to the pom.xml of sample application
<dependency>
<groupId>org.icepush</groupId>
<artifactId>icepush</artifactId>
<version>3.0.1</version>
</dependency>
2. Added 2 parameters to web.xml:
<context-param>
<param-name>org.icefaces.lazyPush</param-name>
<param-value>false</param-value>
</context-param>
<context-param>
<param-name>org.icefaces.strictSessionTimeout</param-name>
<param-value>true</param-value>
</context-param>
3. Set session expiry to 1 minute.
4. Loaded application and logged in as one of the users.

After a minute of inactivity session expiry popup window with reset button appeared automatically without any interaction on my side. Click on reload button in a popup redirected me to the session expiry page as I was expecting.

Screenshots attached.

Show

Evgheni Sadovoi added a comment - 15/May/12 2:08 PM The following test was performed against Spring Security sample application to check validity of this JIRA: 1. Added ICEpush dependancy to the pom.xml of sample application <dependency> <groupId>org.icepush</groupId> <artifactId>icepush</artifactId> <version>3.0.1</version> </dependency> 2. Added 2 parameters to web.xml: <context-param> <param-name>org.icefaces.lazyPush</param-name> <param-value>false</param-value> </context-param> <context-param> <param-name>org.icefaces.strictSessionTimeout</param-name> <param-value>true</param-value> </context-param> 3. Set session expiry to 1 minute. 4. Loaded application and logged in as one of the users. After a minute of inactivity session expiry popup window with reset button appeared automatically without any interaction on my side. Click on reload button in a popup redirected me to the session expiry page as I was expecting. Screenshots attached.

Hide

Permalink

Evgheni Sadovoi added a comment - 18/May/12 2:07 PM

Under certain conditions our session expiry pop up and push does not work reliably with Spring security. Details will follow.

Show

Evgheni Sadovoi added a comment - 18/May/12 2:07 PM Under certain conditions our session expiry pop up and push does not work reliably with Spring security. Details will follow.

Hide

Permalink

Evgheni Sadovoi added a comment - 18/May/12 2:25 PM

ISSUE # 1.
With setup mentioned above follow next steps:
1. launch sample application and login as joe.blow@icesoft.com.
2. Click on any link on the left side to switch content
3. Wait 1 minute until session expiry pop up will appear on the screen
4. Once you see a pop up click on reload button inside it right away.

Outcome:
Your current page will be refreshed, but you will not be redirected to the session expiry page.
To redirect to the session expiry page you have to wait another minute before you click on reload button.

This behavior is due to the ICEpush heart beating which keep the session on the server alive. When Session expiry pop up appear the heart beating stops and spring security have a chance to detect this after which reload of the page causes a redirect to the session expiry page. (see screenshot1 )

Show

Evgheni Sadovoi added a comment - 18/May/12 2:25 PM ISSUE # 1. With setup mentioned above follow next steps: 1. launch sample application and login as joe.blow@icesoft.com. 2. Click on any link on the left side to switch content 3. Wait 1 minute until session expiry pop up will appear on the screen 4. Once you see a pop up click on reload button inside it right away. Outcome: Your current page will be refreshed, but you will not be redirected to the session expiry page. To redirect to the session expiry page you have to wait another minute before you click on reload button. This behavior is due to the ICEpush heart beating which keep the session on the server alive. When Session expiry pop up appear the heart beating stops and spring security have a chance to detect this after which reload of the page causes a redirect to the session expiry page. (see screenshot1 )

Hide

Permalink

Evgheni Sadovoi added a comment - 18/May/12 2:28 PM

ISSUE#2.

Session expiry popup appear even if the user is not logged in.

Show

Evgheni Sadovoi added a comment - 18/May/12 2:28 PM ISSUE#2. Session expiry popup appear even if the user is not logged in.

Hide

Permalink

Evgheni Sadovoi added a comment - 18/May/12 2:43 PM

ISSUE #3

With setup mentioned above follow next steps:
1. launch sample application and login as joe.blow@icesoft.com.
2. Open network tab in the browser and wait for listen.icepush.xml.jsf request to go through
3. Click on any link on the left hand side.

Outcome:
You will be redirected to the login page.
If you perform step 1 and click on any of the links before listen.icepush.xml.jsf request go through your page will update with appropriate content for the link you clicked.

Show

Evgheni Sadovoi added a comment - 18/May/12 2:43 PM ISSUE #3 With setup mentioned above follow next steps: 1. launch sample application and login as joe.blow@icesoft.com. 2. Open network tab in the browser and wait for listen.icepush.xml.jsf request to go through 3. Click on any link on the left hand side. Outcome: You will be redirected to the login page. If you perform step 1 and click on any of the links before listen.icepush.xml.jsf request go through your page will update with appropriate content for the link you clicked.

Hide

Permalink

Greg Dick added a comment - 28/May/12 4:59 PM

I think I have a correctly configured application that acts as intended.

Using standard icepush jars has the problems Evgheni has described in conjunction with Spring. Using EPS in this case allows the polling requests from the client to be handled outside the spring applications context, which allows the session to expire normally.

The other thing about the existing Spring Security tutorial is its use of xhtml pages with jsf extensions. It appears that when the application navigates to one of these pages, the EPS poll for updates operates. The application will work properly if the content with the .xhtml (the JSF content) is the only content accessed when the user is logged in.

I've created three pages with a .html extension (could be .jsp as well ) that is accessible to the user when the user is not logged in.

welcome.html A page for the user to land on when first accessing the application. This used to be main.xhtml (.jsf) and as such would start the icepush listen requests when visited, hence the session expiry messages prior to the user logging in. That behaviour is undesireable although it must be stated that it's not an error nor is it unexpected. The visitor to many shopping sites creates a Session object for shopping carts prior to logging in to make a purchase.
In the tutorial, this unsecured welcome page can represent any number of pages.

loginFailed.html - a page to land on when a login attempt fails.

formLogin.html - a page with simple form based login with fields named to Springs login standards.

sessionExpired.html - a page to land on when the session expires.

Here's the full version of applicationContext-security.xml. The changes to this file are twofold:
1) rename every .jsf page to a corresponding .html version in the /general/logins/ directory
2) Add the following line to the form-login tag:
default-target-url="/main.jsf"

<custom-filter ref="sessionManagementFilter" before="SESSION_MANAGEMENT_FILTER" />

<intercept-url pattern='/secure/**' access='ROLE_READER' />

<form-login login-page="/general/logins/formLogin.html"
authentication-failure-url="/general/logins/loginFailed.html"
default-target-url="/main.jsf" />

<!-- here is an example logout link:
<a href="#

{request.contextPath}

/j_spring_security_logout">Logout</a> -->
<logout logout-url="/j_spring_security_logout"
logout-success-url="/general/logins/formLogin.html"
invalidate-session="true"/>
</http>

<beans:bean id="authenticationEntryPoint"
class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint">
<beans:property name="loginFormUrl" value="/general/logins/formLogin.html" />
</beans:bean>

<authentication-manager alias="authenticationManager">
<authentication-provider>
<user-service>
<user name="joe.blow@icesoft.com" password="pass1234" authorities="ROLE_READER"/>
<user name="ben.simpson@icesoft.com" password="pass5678" authorities="ROLE_READER"/>
</user-service>
</authentication-provider>
</authentication-manager>

<beans:bean id="sessionManagementFilter" class="org.springframework.security.web.session.SessionManagementFilter">
<beans:constructor-arg name="securityContextRepository" ref="httpSessionSecurityContextRepository" />

<beans:property name="invalidSessionUrl" value="/general/logins/sessionExpired.html" />

<beans:property name="redirectStrategy" ref="jsfRedirectStrategy" />
</beans:bean>

<beans:bean id="jsfRedirectStrategy" class="com.icesoft.spring.security.JsfRedirectStrategy"/>
<beans:bean id="httpSessionSecurityContextRepository" class="org.springframework.security.web.context.HttpSessionSecurityContextRepository"/>

</beans:beans>

The tutorial used to work by redirecting to main.jsf as the welcome page from index.html. Then, without the additional line in step two above, the application would rerequest main.jsf when the user logged in and then the user would be able to see the additional links available to them.

Now an additional target is required to get the user redirected to a .jsf page after successful login (which is what the new line does) otherwise the application continually redirects to welcome.html.

Show

Greg Dick added a comment - 28/May/12 4:59 PM I think I have a correctly configured application that acts as intended. Using standard icepush jars has the problems Evgheni has described in conjunction with Spring. Using EPS in this case allows the polling requests from the client to be handled outside the spring applications context, which allows the session to expire normally. The other thing about the existing Spring Security tutorial is its use of xhtml pages with jsf extensions. It appears that when the application navigates to one of these pages, the EPS poll for updates operates. The application will work properly if the content with the .xhtml (the JSF content) is the only content accessed when the user is logged in. I've created three pages with a .html extension (could be .jsp as well ) that is accessible to the user when the user is not logged in. welcome.html A page for the user to land on when first accessing the application. This used to be main.xhtml (.jsf) and as such would start the icepush listen requests when visited, hence the session expiry messages prior to the user logging in. That behaviour is undesireable although it must be stated that it's not an error nor is it unexpected. The visitor to many shopping sites creates a Session object for shopping carts prior to logging in to make a purchase. In the tutorial, this unsecured welcome page can represent any number of pages. loginFailed.html - a page to land on when a login attempt fails. formLogin.html - a page with simple form based login with fields named to Springs login standards. sessionExpired.html - a page to land on when the session expires. Here's the full version of applicationContext-security.xml. The changes to this file are twofold: 1) rename every .jsf page to a corresponding .html version in the /general/logins/ directory 2) Add the following line to the form-login tag: default-target-url="/main.jsf" <http realm="Sample Realm" entry-point-ref="authenticationEntryPoint" auto-config="false"> <custom-filter ref="sessionManagementFilter" before="SESSION_MANAGEMENT_FILTER" />  <intercept-url pattern='/secure/**' access='ROLE_READER' />  <form-login login-page="/general/logins/formLogin.html" authentication-failure-url="/general/logins/loginFailed.html" default-target-url="/main.jsf" />   <logout logout-url="/j_spring_security_logout" logout-success-url="/general/logins/formLogin.html" invalidate-session="true"/> </http> <beans:bean id="authenticationEntryPoint" class="org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint"> <beans:property name="loginFormUrl" value="/general/logins/formLogin.html" /> </beans:bean>  <authentication-manager alias="authenticationManager"> <authentication-provider> <user-service> <user name="joe.blow@icesoft.com" password="pass1234" authorities="ROLE_READER"/> <user name="ben.simpson@icesoft.com" password="pass5678" authorities="ROLE_READER"/> </user-service> </authentication-provider> </authentication-manager> <beans:bean id="sessionManagementFilter" class="org.springframework.security.web.session.SessionManagementFilter"> <beans:constructor-arg name="securityContextRepository" ref="httpSessionSecurityContextRepository" /> <beans:property name="invalidSessionUrl" value="/general/logins/sessionExpired.html" />  <beans:property name="redirectStrategy" ref="jsfRedirectStrategy" /> </beans:bean> <beans:bean id="jsfRedirectStrategy" class="com.icesoft.spring.security.JsfRedirectStrategy"/> <beans:bean id="httpSessionSecurityContextRepository" class="org.springframework.security.web.context.HttpSessionSecurityContextRepository"/> </beans:beans> The tutorial used to work by redirecting to main.jsf as the welcome page from index.html. Then, without the additional line in step two above, the application would rerequest main.jsf when the user logged in and then the user would be able to see the additional links available to them. Now an additional target is required to get the user redirected to a .jsf page after successful login (which is what the new line does) otherwise the application continually redirects to welcome.html.

Hide

Permalink

Ken Fyten added a comment - 29/May/12 3:51 PM

Marked Resolved. Evgheni to verify and re-open if required.

Show

Ken Fyten added a comment - 29/May/12 3:51 PM Marked Resolved. Evgheni to verify and re-open if required.

People

Assignee:

Greg Dick

Reporter:

Evgheni Sadovoi

Votes:

0 Vote for this issue

Watchers:

1 Start watching this issue

Dates

Created:

14/May/12 3:37 PM

Updated:

14/Nov/14 5:36 PM

Resolved:

29/May/12 3:51 PM