tags:

views:

264

answers:

2
+1  Q: 

How to handle authentication through AJAX with a java web app that uses form based login

I have a java web application running on WebSphere 7. The application uses form authentication method and part of the application accesses some protected resources using ajax requests. However, when the user's session expires, I am getting the login page in place of the content that is supposed to be refreshed by the ajax request.

Is there a good way to handle this problem? WebSphere returns a response status 200 with the login page so I cannot rely on that.

Maybe there is a way to tell the server that basic authentication should be used in certain circumstances but I don't know how.

I also thought of checking first if the session is new by making a request to unprotected resources first then return a certain status but it looks like a code smell solution...

A: 

You can send back some unique response or some error code(make sure you wont get this error code as valid response in any case) when the user session is not there to the Ajax call from WebSphere. And in the Ajax call method, on process response, check whether its error code.If its error code, redirect him to login page or do what ever and other case will be the valid data.

Umesh  2009-09-18 14:37:17
That would need checking the state first by sending a request to unprotected resources first. WebSphere is intercepting the request because resources are protected.
svachon  2009-09-18 14:46:42
+1  A: 

This is how I handled it in a similar situation. In our case, the AJAX response is always JSON. When the login expires, the authentication filter always sends a login form in HTML. So I check the content-type like this,

 if ((this.getHeader('Content-type') || '').include('application/json'))

If it's not JSON, I simply redirect to another protected page, which will trigger a full screen login and then that page will direct user back to the AJAX page.

ZZ Coder  2009-09-18 15:10:46
In my case the AJAX response is a html snippet.
svachon  2009-09-18 15:46:17
You can search for the signature of the login page (like name="password"). You should wrap HTML fragment inside JSON so you can easily return errors and multiple data.
ZZ Coder  2009-09-18 16:37:00
Finally wrapped my html fragment inside JSON as you suggested and added a check for the content type. Works well thanks!
svachon  2009-09-22 14:55:16

related questions

Java Time Zone is messed up
Eclipse on win64
Automate builds for Java RCP for deployment with JNLP
Why are professors or schools picking Java over C++ to teach to students?
Is there a real benefit of using J#?
Public/Popular Websites using JavaServer Faces
Why can't I use a try block around my super() call?
Accessing post variables using Java Servlets
Personal Linux web server
Is this really widening vs autoboxing?
How can I Java webstart multiple, dependent, native libraries?
Why can't I call toString() on a Java primitive?
How do I use Java to read from a file that is actively being written?
What code analysis tools do you use for your Java projects?
IllegalArgumentException or NullPointerException for a null parameter?
How do I configure and communicate with a serial port?
What is the best way to parse strings in Java
Getting started with a custom JXTA PeerGroup
Creating a custom button in Java
How to get started "writing" a code coverage tool?
Which Build-/Configuration Management Tool?
What is the difference between an int and an Integer in Java/C#?
What is the meaning of the type safety warning in certain Java generics casts?
How would you access Object properties from within an object method?
Converting CSV File to XML in Java