@mikeapr4
Created February 12, 2016 16:01
Wrapper for the Spring Security AuthenticationEntryPoint interface which intercepts 302 redirects, which are generally not supported in browsers for Ajax requests.
```java
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
import java.io.IOException;

public class AjaxAwareAuthEntryPointWrapper implements AuthenticationEntryPoint {

    // http://getstatuscode.com/440
    private static final int TIMEOUT_ERROR_CODE = 440;

    private AuthenticationEntryPoint realEntryPoint;

    public AjaxAwareAuthEntryPointWrapper(AuthenticationEntryPoint toWrap) {
        this.realEntryPoint = toWrap;
    }

    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException, ServletException {
        HttpServletResponse proxyRes = response;

        // For an Ajax request use a RS wrapper to intercept the 302 and make it a 4xx
        String reqWith = request.getHeader("X-Requested-With");
        if (reqWith != null && reqWith.equals("XMLHttpRequest")) {
            // if the Request arrived here with a session id but no valid session then assume the session has timed out
            boolean hasSessionTimedOut = request.getRequestedSessionId() != null && !request.getRequestedSessionId().isEmpty() &&
                    (request.getSession(false) == null || request.getSession(false).isNew());
            final int errorCode = hasSessionTimedOut ? TIMEOUT_ERROR_CODE : HttpServletResponse.SC_UNAUTHORIZED;

            proxyRes = new HttpServletResponseWrapper(response) {
                private HttpServletResponse _getHttpServletResponse() {
                    return (HttpServletResponse) super.getResponse();
                }

                @Override
                public void sendRedirect(String location) throws IOException {
                    // Keep the redirect target in the Location header, but answer with 401/440 instead of 302
                    this._getHttpServletResponse().setHeader("Location", location);
                    this._getHttpServletResponse().sendError(errorCode);
                }
            };
        }

        // Delegate to the wrapped entry point; for Ajax requests any redirect it issues goes through proxyRes
        realEntryPoint.commence(request, proxyRes, authException);
    }
}
```
@mikeapr4

Convenient wrapper class which proxies the AuthenticationEntryPoint interface (https://docs.spring.io/spring-security/site/docs/current/apidocs/org/springframework/security/web/AuthenticationEntryPoint.html).

It was designed with a CAS Spring Security configuration, but the proxy respects all the interfaces involved and should be neatly abstracted. Within the class a further wrapper is used around the response in order to intercept the 302 Redirect directly. Due to the nature of HttpServletResponse this needs to be intercepted at the moment it's triggered, no later.
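
A client-side counterpart to the wrapper, as an added example that is not part of the gist or the author's code: it shows how a browser caller can act on the 401/440 status and the `Location` header the wrapper sets, following the header only when it points at the application itself or an allowlisted login origin. The function names, `ALLOWED_LOGIN_ORIGINS` and the `cas.example.com` origin are assumptions.

```javascript
// Added example, not from the gist. Names and ALLOWED_LOGIN_ORIGINS are assumptions.
const UNAUTHORIZED = 401;
const SESSION_TIMEOUT = 440; // matches TIMEOUT_ERROR_CODE in the wrapper

// Constructed value: the CAS server origin this application trusts for login.
const ALLOWED_LOGIN_ORIGINS = ['https://cas.example.com'];

// Pure decision function: what should the page do with this Ajax response?
function decideAuthAction(status, location, pageUrl, allowedOrigins = ALLOWED_LOGIN_ORIGINS) {
  if (status !== UNAUTHORIZED && status !== SESSION_TIMEOUT) {
    return { action: 'continue' };
  }
  const reason = status === SESSION_TIMEOUT ? 'session-timeout' : 'unauthenticated';
  if (!location) {
    return { action: 'reload', reason }; // header absent, e.g. not exposed cross-origin
  }
  let target;
  try {
    target = new URL(location, pageUrl); // resolves relative Location values
  } catch (e) {
    return { action: 'reload', reason };
  }
  const isHttp = target.protocol === 'https:' || target.protocol === 'http:';
  const trusted = target.origin === new URL(pageUrl).origin || allowedOrigins.includes(target.origin);
  if (!isHttp || !trusted) {
    return { action: 'reload', reason }; // never follow a header-supplied URL off the allowlist
  }
  return { action: 'redirect', reason, url: target.href };
}

// Browser wiring: fetch() does not send X-Requested-With on its own, so set it
// explicitly or the wrapper will not treat the call as Ajax.
async function ajaxFetch(url, init = {}) {
  const headers = new Headers(init.headers || {});
  headers.set('X-Requested-With', 'XMLHttpRequest');
  const res = await fetch(url, { ...init, headers, credentials: 'same-origin' });
  const next = decideAuthAction(res.status, res.headers.get('Location'), window.location.href);
  if (next.action === 'redirect') window.location.assign(next.url);
  else if (next.action === 'reload') window.location.reload();
  return res;
}
```

The `reload` fallback performs a normal full-page navigation, which the unwrapped entry point answers with its usual 302 to the login page.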
