Posted to user@shiro.apache.org by Eric Mulvihill <er...@gmail.com> on 2013/07/26 00:13:07 UTC

possible to add exceptions to expired session redirect?

Shiro's automatic redirect back to the last page viewed upon logging back in
after a session expiration is working well.. actually a bit too well. 

We came across a case where a file download link (generated from a REST call
being authenticated by Shiro) is the URL being redirected to. This is not
ideal because the user stays on our login page and gets multiple copies of
the file when they click Login, instead of being redirected somewhere
useful.

I would much rather have this url excluded from the redirect behavior, and
have the user just land on the fallback landing page in this case.

Is this possible? The only other thing I can think to do is do a defensive
check beforehand, and prevent the action if their session is expired. 

Thanks for any ideas.


Re: possible to add exceptions to expired session redirect?

Posted by Les Hazlewood <lh...@apache.org>.
Hi Eric,

Just out of curiosity, how did this happen for a REST call?  I would think
it would be ideal to return a 401 instead of redirecting the user to a
login page, ideally allowing an HTTP authentication scheme (like Basic over
TLS) to execute.

Also, I don't know if this might address your issue, but I created an issue
a while ago that supports multiple authentication schemes via a single
authentication filter:

https://issues.apache.org/jira/browse/SHIRO-414

Thoughts?

--
Les Hazlewood | @lhazlewood
CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282


On Thu, Jul 25, 2013 at 3:13 PM, Eric Mulvihill <er...@gmail.com> wrote:

> Shiro's automatic redirect back to the last page viewed upon logging back
> in
> after a session expiration is working well.. actually a bit too well.
>
> We came across a case where a file download link (generated from a REST
> call
> being authenticated by Shiro) is the URL being redirected to. This is not
> ideal because the user stays on our login page and gets multiple copies of
> the file when they click Login, instead of being redirected somewhere
> useful.
>
> I would much rather have this url excluded from the redirect behavior, and
> have the user just land on the fallback landing page in this case.
>
> Is this possible? The only other thing I can think to do is do a defensive
> check beforehand, and prevent the action if their session is expired.
>
> Thanks for any ideas.
>
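
One way to get the behaviour discussed in this thread, as an added example that is not code from either poster or from the Shiro project: a `FormAuthenticationFilter` subclass that answers REST and download paths with a 401 and never saves them as the post-login redirect target. The class name, the `/api/` prefix and the use of `javax.servlet` (Shiro 1.x) are assumptions.

```java
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

import org.apache.shiro.web.filter.authc.FormAuthenticationFilter;
import org.apache.shiro.web.util.WebUtils;

/** Added example: form login for pages, 401 for REST/download paths. */
public class RestAwareFormAuthenticationFilter extends FormAuthenticationFilter {

    // Hypothetical prefix under which REST and file-download endpoints live.
    private String restPathPrefix = "/api/";

    public void setRestPathPrefix(String restPathPrefix) {
        this.restPathPrefix = restPathPrefix;
    }

    private boolean isRestRequest(ServletRequest request) {
        String path = WebUtils.getPathWithinApplication(WebUtils.toHttp(request));
        return path != null && path.startsWith(restPathPrefix);
    }

    @Override
    protected boolean onAccessDenied(ServletRequest request, ServletResponse response)
            throws Exception {
        // The login page itself and ordinary pages keep the stock behaviour:
        // save the request, redirect to loginUrl, return there after login.
        if (isLoginRequest(request, response) || !isRestRequest(request)) {
            return super.onAccessDenied(request, response);
        }
        // Unauthenticated or expired session on a REST path: skip
        // saveRequestAndRedirectToLogin(), so this URL is never stored as the
        // saved request and a later login falls back to successUrl.
        HttpServletResponse http = WebUtils.toHttp(response);
        http.setHeader("Cache-Control", "no-store");
        http.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        return false; // stop the filter chain; the download is not served
    }
}
```

The client that issued the REST call has to handle the 401 itself, for example by sending the browser to the login page.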