Hi all,
When a request is posted with an expired cookie for the form
authentication handler, there are basically two options to continue with:
(1) continue with the request as if no cookie was provided or (2) fail
authentication and request username/password again. Default is the first
behaviour which may be changed by configuration.
This all works fine in a plain browser-based environment. As soon as
applications send requests with the cookie or AJAX frameworks send XHR
requests with the cookie, this does not really work properly:
Continuing as anonymous might cause unexpected reactions while handling
the request and sending the login form (or redirecting to the login
form) may also not be desired.
Since most (if not all) Ajax frameworks (at least JQuery and ExtJS do)
send an "X-Requested-With" set to "XMLHttpRequest" we could make use of
this as follows:
if (cookie is expired) {
    if ("XMLHttpRequest".equals(request.getHeader("X-Requested-With"))) {
        // signal to the AJAX client that the request is forbidden
        response.sendError(HttpServletResponse.SC_FORBIDDEN);
        return DOING_AUTH;
    } else if (doForm) {
        // config requested to be logged in again
        return FAIL_AUTH;
    } else {
        // default, check next auth handler (or anon)
        return null;
    }
}
WDYT?
Regards
Felix
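The three-way decision sketched in the message, written out as a plain servlet-API helper. This is an added example, not Sling's form authentication handler and not Felix's code: the class name, the `Outcome` enum standing in for DOING_AUTH/FAIL_AUTH/null, the cookie name and the cookie value layout (`<expiryEpochSeconds>@<token>`) are all assumptions made for the illustration. It also clears the stale cookie on every expiry branch, which the message does not mention. Note that `X-Requested-With` is set by the client, so it only selects how the failure is reported; the expiry check itself is what denies access.

```java
import java.io.IOException;
import java.time.Instant;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Decides what to do with a request carrying an expired form-auth cookie.
 * Added illustration only: cookie name, cookie format and the Outcome enum
 * are assumptions for this example, not Sling API.
 */
public final class ExpiredCookieDecision {

    /** Mirrors the branches of the proposal plus the "cookie still valid" case. */
    public enum Outcome { COOKIE_VALID, DOING_AUTH, FAIL_AUTH, CONTINUE_ANONYMOUS }

    private final String cookieName; // assumption: name of the form-auth cookie
    private final boolean doForm;    // config: true = ask for credentials again on expiry

    public ExpiredCookieDecision(String cookieName, boolean doForm) {
        this.cookieName = cookieName;
        this.doForm = doForm;
    }

    /** True if the client declared itself an XHR request (a client-controlled hint). */
    static boolean isXhr(HttpServletRequest request) {
        return "XMLHttpRequest".equals(request.getHeader("X-Requested-With"));
    }

    /**
     * Assumed cookie layout for this example: "<expiryEpochSeconds>@<opaqueToken>".
     * Malformed values are treated as expired, never as valid.
     */
    static boolean isExpired(String cookieValue, Instant now) {
        int at = cookieValue == null ? -1 : cookieValue.indexOf('@');
        if (at <= 0) {
            return true;
        }
        try {
            long expiry = Long.parseLong(cookieValue.substring(0, at));
            return !now.isBefore(Instant.ofEpochSecond(expiry));
        } catch (NumberFormatException e) {
            return true;
        }
    }

    public Outcome decide(HttpServletRequest request, HttpServletResponse response, Instant now)
            throws IOException {
        Cookie cookie = findCookie(request);
        if (cookie == null) {
            return Outcome.CONTINUE_ANONYMOUS; // no cookie at all: nothing for this handler to do
        }
        if (!isExpired(cookie.getValue(), now)) {
            return Outcome.COOKIE_VALID;
        }

        // Expired: tell the client to drop the stale cookie whatever branch is taken.
        Cookie clear = new Cookie(cookieName, "");
        clear.setMaxAge(0);
        clear.setPath("/"); // assumption: cookie was issued for the whole site
        response.addCookie(clear);

        if (isXhr(request)) {
            // An XHR client cannot usefully render a login form; give it a 403 to handle itself.
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "authentication cookie expired");
            return Outcome.DOING_AUTH;
        }
        if (doForm) {
            return Outcome.FAIL_AUTH; // configured to present the login form again
        }
        return Outcome.CONTINUE_ANONYMOUS; // default: next auth handler or anonymous
    }

    private Cookie findCookie(HttpServletRequest request) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) {
            return null;
        }
        for (Cookie c : cookies) {
            if (cookieName.equals(c.getName())) {
                return c;
            }
        }
        return null;
    }
}
```

The handler would call `decide(request, response, Instant.now())` where it currently tests for the expired cookie, and map `DOING_AUTH`, `FAIL_AUTH` and `CONTINUE_ANONYMOUS` onto its own return values; the XHR client, on seeing the 403, can then prompt for credentials or reload the page instead of silently receiving anonymous content or a login-form HTML fragment.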