3

Hi, I am facing a problem with Spring Security + Spring MVC + Angular JavaScript. When the session is invalid, I want the (whole) page to be redirected to the login page.

I tried <session-management invalid-session-url="/login" />, but it's not working since it's a one-page app...

Or any suggestion to handle session timeout in an Angular JavaScript single-page app?

Any help ?

3 Answers

4

You can write or use HTTP interceptors like this https://github.com/witoldsz/angular-http-auth to capture timeout issues.

Basically, when the session expires, any server request starts to return 401, which can be captured by using an HTTP interceptor, and the necessary redirects can be performed.

2

I wrote some simple code for checking session timeout and redirecting to the login page for Spring Security. It's not a smart solution, but the returned status is 200 and the response doesn't contain redirect information.

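// Retrieve the existing "app" module (it must already have been created elsewhere).
var app = angular.module("app");
app.factory("sessionInjector", ['$log', function($log){
    return {
        // Requests pass through unchanged.
        request: function(config) {return config;},
        response: function(response) {
            // The expired-session response is a 200 whose body is the login page,
            // so look for the word "login" in string responses.
            if (typeof response.data === "string" && response.data.indexOf("login") > -1) {
                alert("Session expired.");
                // Reload so the server redirects the whole page to the login form.
                location.reload();
            }
            return response;
        }
    };
}]);
// Register the interceptor with $http.
app.config(["$httpProvider", function($httpProvider){
    $httpProvider.interceptors.push("sessionInjector");
}]);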

0

I have tackled this issue with simple configuration on Spring Security's end, and with an HTTP interceptor on AngularJS's end:

Spring Security Configuration:

@Override
protected void configure(HttpSecurity http) throws Exception {
    http
        .csrf()
            .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
        .and()
        .authorizeRequests()
            .antMatchers("/somePage").hasRole("SOME_ROLE")
        .and()
        .formLogin()
        .and()
        .authorizeRequests()
            .antMatchers("**/api/**").hasRole("SOME_ROLE")
            .anyRequest().authenticated()
        .and()
        .httpBasic()
        .and()
        .logout()
            .invalidateHttpSession(true)
            .logoutSuccessUrl("/login")
        .and()
        .sessionManagement()
            .maximumSessions(1);
}

@Bean
public HttpSessionEventPublisher httpSessionEventPublisher() {
    return new HttpSessionEventPublisher();
}

AngularJS code:

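app.config(['$httpProvider',
    function ($httpProvider) {
        $httpProvider.interceptors.push('httpInterceptor');
        // ...
    }]);

app.factory("httpInterceptor", ["$q", "$window", "$log",
function ($q, $window, $log) {
    return {
        responseError: function (response) {
            switch (response.status) {
            case 401:
            case 403:
                // Unauthenticated or denied API call: reload so the server sends the login page.
                $window.location.reload();
                break;
            }
            // Keep the promise rejected; returning nothing would make callers treat the failure as a success.
            return $q.reject(response);
        }
    };
}]);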

When combining formLogin() for pages and httpBasic() for API calls, as well as managing sessions, you will be redirected to the login page when you are accessing the site pages, and will get a 401 status code on unauthenticated API calls, which can be caught by Angular's interceptor; then you can reload the page or do whatever you need to do.

Hope this helps :)
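An added example, not part of any answer above: one interceptor that covers both server behaviours described on this page, a 401 on API calls and a 200 that carries the login page's HTML. The names `classifyAuthFailure`, `makeSessionInterceptor` and `loginUrl` are hypothetical; it assumes API URLs contain `/api/` (as in the `**/api/**` matcher above) and, as a choice of this example, treats 403 as an authorization failure that does not navigate away.

```javascript
// Added example. classifyAuthFailure, makeSessionInterceptor and loginUrl are
// hypothetical names; "/api/" as the API marker is an assumption.

// Classify one $http response: 'ok', 'expired' (no valid session) or 'forbidden'.
function classifyAuthFailure(response, isApiCall) {
  if (response.status === 401) return 'expired';
  if (response.status === 403) return 'forbidden';
  // A form-login redirect followed by the browser's XHR arrives as 200 + HTML.
  // Test the Content-Type instead of searching the body for "login", which
  // also matches legitimate data and misses a login page worded differently.
  var type = String(response.headers('Content-Type') || '').toLowerCase();
  if (response.status === 200 && isApiCall && type.indexOf('text/html') === 0) {
    return 'expired';
  }
  return 'ok';
}

// Build the interceptor object. $q and $window are parameters, so the same
// code can be registered with $httpProvider or exercised with stand-ins.
function makeSessionInterceptor($q, $window, loginUrl) {
  function check(response) {
    // Template fetches legitimately return HTML; only API calls are judged.
    var isApiCall = response.config.url.indexOf('/api/') !== -1;
    var verdict = classifyAuthFailure(response, isApiCall);
    if (verdict === 'expired') {
      $window.location.href = loginUrl; // whole-page navigation to the login page
    }
    return verdict;
  }
  return {
    response: function (response) {
      // Reject so callers never parse the login page's HTML as API data.
      return check(response) === 'expired' ? $q.reject(response) : response;
    },
    responseError: function (response) {
      check(response);
      return $q.reject(response); // the failure always propagates
    }
  };
}
```

In an AngularJS app this would be registered through a factory that returns `makeSessionInterceptor($q, $window, '/login')`.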
