When I receive a request on an expired session it is currently handled by our
authentication filter
      onAccessDenied(ServletRequest request, ServletResponse response)
which just sends a 401 (unauthorized) as a response.

Now I would like to add additional information ("session expired") to the
response.

Now the question is what would be an easy & clean way to implement this.


> Dominic Farr <[email protected]> wrote on 6 March 2014 at 11:37:
> 
>  Not sure I understand. What sort of information do you need to add? Add to
> what? The subject? The response?
> 
>  You have access to the subject anywhere you like with
> SecurityUtils.getSubject()
> 
>  In the listener, when onExpiration is called you can use
> SecurityUtils.getSubject() to grab the subject. Will that work?
> 
> 
> 
> 
>  On 6 March 2014 09:56, Steve B <[email protected]> wrote:
> > 
> >    That's right, I can attach to onExpiration(Session session). But how do I
> > pass the info to the subject such that I can query this flag in the
> > onAccessDenied method?
> > <http://shiro.apache.org/static/current/apidocs/src-html/org/apache/shiro/session/SessionListener.html#line.58>
> > 
> > 
> > 
> > 
> > > Dominic Farr <[email protected]> wrote on 6 March 2014 at 10:43:
> > > 
> > >     Yes. Shiro has a session listener.
> > > 
> > >     
> > > <http://shiro.apache.org/static/current/apidocs/org/apache/shiro/session/SessionListener.html>
> > > 
> > > 
> > >     On 6 March 2014 09:38, Steve B <[email protected]> wrote:
> > > >       Hi,
> > > > 
> > > >       is there an easy way to detect if a session has expired?
> > > > 
> > > >       I got a sub-class of FormAuthenticationFilter where I override
> > > > onAccessDenied and would like to add some additional info on why a 401
> > > > is returned.
> > > > 
> > > >       protected boolean onAccessDenied(ServletRequest request,
> > > > ServletResponse response) throws Exception
> > > >       {
> > > >          ...
> > > >           // issue 401
> > > >           httpResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
> > > >       }
> > > > 
> > > >       I thought about using a session listener, but it is not clear to
> > > > me where I should store expiration/stop info.
> > > > 
> > > > 
> > > >       Thanks,
> > > > 
> > > >       Steve

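One way to carry the expiration flag from the listener to the filter, as an added example that is not part of the original thread or of Shiro itself: the listener records expired session IDs in a bounded in-memory map, and the filter looks up the ID the client presented. It assumes Shiro's native session manager (so that SessionListener callbacks fire) and that getRequestedSessionId() still returns the stale ID; the class names, the X-Auth-Reason header, the retention window and the size cap are hypothetical.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.shiro.session.Session;
import org.apache.shiro.session.SessionListenerAdapter;
import org.apache.shiro.web.filter.authc.FormAuthenticationFilter;

// Hypothetical listener: register it on the native session manager's sessionListeners.
class ExpiredSessionTracker extends SessionListenerAdapter {
    private static final long KEEP_MS = 30 * 60 * 1000L; // assumed retention window
    private static final int MAX_ENTRIES = 10_000;       // assumed cap to bound memory
    private static final Map<String, Long> EXPIRED = new ConcurrentHashMap<>();

    @Override
    public void onExpiration(Session session) {
        long now = System.currentTimeMillis();
        EXPIRED.values().removeIf(t -> now - t > KEEP_MS); // drop stale records
        if (EXPIRED.size() < MAX_ENTRIES) {
            EXPIRED.put(String.valueOf(session.getId()), now);
        }
    }

    // True only if this exact ID was seen expiring within the retention window.
    static boolean wasExpired(String sessionId) {
        if (sessionId == null) return false;
        Long t = EXPIRED.get(sessionId);
        return t != null && System.currentTimeMillis() - t <= KEEP_MS;
    }
}

// Hypothetical filter: always answers 401, as in the thread; login handling is omitted.
class ExpiryAwareAuthFilter extends FormAuthenticationFilter {
    @Override
    protected boolean onAccessDenied(ServletRequest request, ServletResponse response)
            throws Exception {
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        HttpServletResponse httpResponse = (HttpServletResponse) response;
        if (ExpiredSessionTracker.wasExpired(httpRequest.getRequestedSessionId())) {
            httpResponse.setHeader("X-Auth-Reason", "session-expired");
        }
        httpResponse.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        return false; // stop the filter chain
    }
}
```

The header confirms to any caller holding an ID that it was once valid, so keep the retention window short. The map is per-JVM and would need a shared store in a clustered deployment.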