Problem on ItsNat integrate with Shiro


Licky

Apr 16, 2014, 3:25:20 AM4/16/14
to its...@googlegroups.com
In order to provide scalable authentication to the system, Shiro (http://shiro.apache.org/index.html) was applied for this purpose. Shiro will redirect the user to the login page automatically if auth fails.

The problem is as described below:
Once the user logs in successfully, he can do anything he wants without problems. However, if the user idles for a long time until the session times out and then comes back and clicks on the ItsNat document, ItsNat will send an Ajax request to the server for processing. Shiro at this moment detects the unauthenticated request, because the previous session expired, and redirects to the login page. However, redirecting the Ajax request to the login page will not cause the browser to really go to the login page. The symptom is that the browser looks as if it hung, without any response to the user's action.


Jose Maria Arranz Santamaria

Apr 17, 2014, 1:13:46 PM4/17/14
to Licky, its...@googlegroups.com
Hi Licky

According to the Apache Shiro docs, the straightforward and easy way to match web and Shiro sessions is to use only the web session for Shiro as well:


Anyway, the standard redirection of Shiro on expired sessions is not very single-page-interface friendly, that is, it seems not very compatible with an Ajax-intensive web app/site.

I would recommend using the typical expired-session detection and redirection offered by ItsNat through global listeners instead of relying on Shiro (let Shiro fail if possible). You can find expired-session example code here:


Code:
itsNatServlet.addEventListener(new SPITutGlobalEventListener());

And: 
import org.itsnat.core.ClientDocument;
import org.itsnat.core.event.ItsNatEvent;
import org.w3c.dom.events.Event;
import org.w3c.dom.events.EventListener;

public class SPITutGlobalEventListener implements EventListener
{
    public SPITutGlobalEventListener()
    {
    }

    public void handleEvent(Event evt)
    {
        ItsNatEvent itsNatEvt = (ItsNatEvent)evt;
        // A null target document means the server-side ItsNatDocument is gone,
        // which in practice happens when the web session has expired.
        if (itsNatEvt.getItsNatDocument() == null)
        {
            StringBuilder code = new StringBuilder();
            code.append("if (confirm('Expired session. Reload?'))");
            code.append("  window.location.reload(true);");
            // The ClientDocument still represents the browser, so JS can be
            // pushed to it even though no ItsNatDocument exists any more.
            ClientDocument clientDoc = itsNatEvt.getClientDocument();
            clientDoc.addCodeToSend(code.toString());
            // Stop dispatching: no other listener can do anything useful.
            itsNatEvt.getItsNatEventListenerChain().stop();
        }
    }
}
Of course the previous code is just an example; you can force a redirection to a concrete page.
Regards

Jose Maria Arranz Santamaria

Apr 17, 2014, 1:33:45 PM4/17/14
to Licky, its...@googlegroups.com
I forgot to say that

itsNatServlet.addEventListener(new SPITutGlobalEventListener());
registers a global AJAX listener: all Ajax requests are always dispatched to this listener. When the session has expired, all of the user's ItsNatDocuments are lost; this is why the event returns null for the target document, and it is the way to detect that the web session is lost (strictly speaking, the target ItsNat document is lost on the server, but in practice this is due to the session expiring). Remember that this is the processing of an Ajax request, which is why the redirection is done with JS code and through the ClientDocument object, which represents the client browser despite no ItsNatDocument counterpart existing.

Jose Maria Arranz Santamaria

Apr 23, 2014, 4:33:32 PM4/23/14
to Licky, its...@googlegroups.com
Licky, I'm replying to your message because I don't know why it is not automatically published by Google Groups.

On Saturday, April 19, 2014, Licky <use.by...@gmail.com> wrote:
Thanks Jose for your suggestion.

In fact, the ItsNat servlet can only be processed after the Shiro auth filter. Therefore, session detection in this case is useless unless Shiro is not applied.

Finally, I found that a solution is setting a filter before the Shiro auth filter to check whether the user is authenticated. If the session expired, the user becomes unauthenticated. My filter will send JavaScript to the client browser for a location redirect to the login page.
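The filter-before-Shiro approach described in the last message, written out as an added example (this is not code posted in the thread, nor ItsNat's or Shiro's own code). Assumptions: the filter is mapped in web.xml on the ItsNat servlet's URL pattern and listed before ShiroFilter so it runs first; Shiro is initialised with EnvironmentLoaderListener so the SecurityManager can be fetched from the ServletContext (ShiroFilter has not run yet, so SecurityUtils.getSubject() would not have a thread-bound Subject at this point); ItsNat event requests can be recognised by a request parameter whose name is configured with the hypothetical init-param "ajaxMarkerParam" (check the parameter names your ItsNat version actually sends); and the ItsNat client evaluates the Ajax response body as JavaScript, which is how addCodeToSend() output reaches the browser. The login path is a hard-coded constant rather than anything taken from the request, so the filter cannot be abused as an open redirect, and the target is encoded as a JavaScript string literal before being inlined.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.shiro.mgt.SecurityManager;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.subject.WebSubject;
import org.apache.shiro.web.util.WebUtils;

/**
 * Runs BEFORE ShiroFilter (web.xml filter-mapping order). For ItsNat Ajax
 * requests whose Shiro subject is no longer authenticated (typically because
 * the HTTP session expired) it answers with a JavaScript redirect instead of
 * letting Shiro emit a 302 that the Ajax client cannot follow.
 */
public class AjaxSessionExpiredFilter implements Filter {

    // Fixed server-side login path: never derived from the request,
    // so this filter cannot become an open redirect. (Assumed path.)
    private static final String LOGIN_PATH = "/login.jsp";

    // Hypothetical init-param; set it to the parameter name your ItsNat
    // version sends with event (Ajax) requests. Default is a placeholder.
    private String ajaxMarkerParam = "itsnat_action";
    private ServletContext servletContext;

    @Override
    public void init(FilterConfig config) {
        servletContext = config.getServletContext();
        String p = config.getInitParameter("ajaxMarkerParam");
        if (p != null && !p.isEmpty()) ajaxMarkerParam = p;
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) resp;
        if (isAjaxEvent(request) && !isAuthenticated(request, response)) {
            sendJsRedirect(request, response);
            return; // do not reach ShiroFilter: its 302 would leave the UI hanging
        }
        chain.doFilter(req, resp);
    }

    private boolean isAjaxEvent(HttpServletRequest request) {
        return request.getParameter(ajaxMarkerParam) != null;
    }

    /** Build the Subject ourselves: ShiroFilter has not bound one to the thread yet. */
    private boolean isAuthenticated(HttpServletRequest request, HttpServletResponse response) {
        SecurityManager sm = WebUtils.getRequiredWebEnvironment(servletContext).getWebSecurityManager();
        Subject subject = new WebSubject.Builder(sm, request, response).buildSubject();
        return subject.isAuthenticated();
    }

    private void sendJsRedirect(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        String target = request.getContextPath() + LOGIN_PATH;
        response.setStatus(HttpServletResponse.SC_OK);
        response.setContentType("text/javascript;charset=UTF-8");
        response.setHeader("Cache-Control", "no-store");
        // replace() keeps the dead page out of the browser history.
        response.getWriter().print("window.location.replace(" + jsString(target) + ");");
    }

    /** Encode s as a single-quoted JavaScript string literal (quotes, backslash,
     *  control characters, '<' and the JS-only line terminators U+2028/U+2029). */
    static String jsString(String s) {
        StringBuilder sb = new StringBuilder("'");
        for (char c : s.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\\\"); break;
                case '\'': sb.append("\\'"); break;
                case '<':  sb.append("\\x3c"); break;
                case '\n': sb.append("\\n"); break;
                case '\r': sb.append("\\r"); break;
                case '\u2028': sb.append("\\u2028"); break;
                case '\u2029': sb.append("\\u2029"); break;
                default:
                    if (c < 0x20) sb.append(String.format("\\x%02x", (int) c));
                    else sb.append(c);
            }
        }
        return sb.append('\'').toString();
    }

    @Override
    public void destroy() { }
}
```

Two things to verify in a deployment: that the filter-mapping for this class precedes the ShiroFilter mapping in web.xml (otherwise Shiro still answers first and the browser hangs exactly as described), and that a plain page navigation to the ItsNat servlet is not mistaken for an Ajax event, since returning script text to a navigation would display it instead of the page.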