Posted to users@tomcat.apache.org by Fu-Tung Cheng <fu...@yahoo.com> on 2008/10/09 21:15:41 UTC

Session Timeout and Realm Authentication and Posted Error Message

Hi,

My application has an ajax layer which asynchronously polls my Tomcat server.  When the session for the user is destroyed, the next request causes a forward to the login jsp defined for the form realm.

On the login jsp I would like to output an error message like "Your session has been timed out".  Currently I've set up my ajax to detect a poll which returned a session timed out error; I then post a form with error=session.timeout to the url.

The way the realm typically works is that you request a url say /hello.jsp, the app detects you need to authenticate so it saves the original request and forwards you over to the login.jsp.  You fill in the fields, the auth recognizes you, restores your original request and forwards you to hello.jsp.

Now in my case, the session times out, the client code detects the timeout and posts to /myapp.  The problem is that that auth then removes the post parameter but I need that to display the error message.

If I change the code to post to login.jsp then the post parameter shows up but the form authentication does work as it doesn't know where to take me once I click login as the original request specified the login page.

Any ideas?

I've tried using a query string and that works but then I end up with the query string being displayed from that point forward on the address bar of the browser.  I'd like to avoid that hence the post.

Thank you,

Fu-Tung

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Session Timeout and Realm Authentication and Posted Error Message

Posted by Fu-Tung Cheng <fu...@yahoo.com>.
Hi Chris,

Thank you for the response!

So the user will be sent to a non-secure page that just says "Session Timed out" and a link that they click to go back to the login page?  

The link will then be to a url that requires authentication and then the application works as before?

Interesting....   I think I was stuck in the details of how to get it to work just using the one login.jsp.  Learned a lot about the internals of tomcat doing that =)

Fu-Tung


--- On Thu, 10/9/08, Christopher Schultz <ch...@christopherschultz.net> wrote:

> From: Christopher Schultz <ch...@christopherschultz.net>
> Subject: Re: Session Timeout and Realm Authentication and Posted Error Message
> To: "Tomcat Users List" <us...@tomcat.apache.org>
> Date: Thursday, October 9, 2008, 9:29 PM
> Fu-Tung,
> 
> Fu-Tung Cheng wrote:
> > The way the realm typically works is that you request a url say
> > /hello.jsp, the app detects you need to authenticate so it saves the
> > original request and forwards you over to the login.jsp.  You fill in
> > the fields, the auth recognizes you, restores your original request
> > and forwards you to hello.jsp.
> >
> > Now in my case, the session times out, the client code detects the
> > timeout and posts to /myapp.  The problem is that that auth then
> > removes the post parameter but I need that to display the error
> > message.
> 
> I have a similar setup on my own application, and I have elected to poke
> a hole through my authentication for those few URLs affected. These URLs
> are handled by code that will simply respond with a "session timeout"
> error. Then, your client can perform whatever login is necessary and
> then re-attempt the connection to the service URL.
> 
> Hope that helps,
> -chris

Re: Session Timeout and Realm Authentication and Posted Error Message

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Fu-Tung,

Fu-Tung Cheng wrote:
> The way the realm typically works is that you request a url say
> /hello.jsp, the app detects you need to authenticate so it saves the
> original request and forwards you over to the login.jsp.  You fill in
> the fields, the auth recognizes you, restores your original request
> and forwards you to hello.jsp.
> 
> Now in my case, the session times out, the client code detects the
> timeout and posts to /myapp.  The problem is that that auth then
> removes the post parameter but I need that to display the error
> message.

I have a similar setup on my own application, and I have elected to poke
a hole through my authentication for those few URLs affected. These URLs
are handled by code that will simply respond with a "session timeout"
error. Then, your client can perform whatever login is necessary and
then re-attempt the connection to the service URL.

Hope that helps,
-chris
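
The approach in the reply above (a URL left outside the form-auth constraint that only reports the timeout), sketched as an added example; it is not code from this thread or from Tomcat. The servlet name PollStatusServlet and the path /poll/status are assumptions, and the error token is the one from the original post.

```java
// Added example. Assumed names: PollStatusServlet, mapped to /poll/status.
// In web.xml, map this servlet to /poll/status and keep that pattern OUT of
// every <security-constraint> that carries an <auth-constraint>, so the FORM
// authenticator never intercepts it (no forward to login.jsp, no saved request).
import java.io.IOException;
import javax.servlet.http.HttpServlet;   // jakarta.servlet.* on Tomcat 10 and later
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class PollStatusServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // The answer is per-user state: keep it out of browser and proxy caches.
        resp.setHeader("Cache-Control", "no-store");
        resp.setContentType("application/json");
        resp.setCharacterEncoding("UTF-8");

        // getSession(false): an unauthenticated poll must never create a session.
        HttpSession session = req.getSession(false);
        // Assumption: the container restores the cached principal from the
        // session on unprotected URLs; if yours does not, check an
        // application-set session attribute instead.
        boolean authenticated = session != null && req.getUserPrincipal() != null;

        if (!authenticated) {
            // This URL bypasses container auth, so it returns only a status
            // code and a fixed token, never the login page or any user data.
            resp.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            resp.getWriter().write("{\"error\":\"session.timeout\"}");
            return;
        }
        resp.getWriter().write("{\"status\":\"ok\"}");
    }
}
```

The ajax layer can branch on the 401 status instead of parsing a forwarded login page, show its own "session timed out" message, and then navigate to a protected URL so the normal form login and saved-request flow takes over.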