Web Filter to return HTTP status code


Web Filter to return HTTP status code

Marcus Bond

Hi,

Just wondered if there is a web filter configuration that would allow a custom HTTP Status code and message to be passed to a client in the event that they are not logged in (e.g. session timeout)?

My current setup is that one set of resources has noSessionCreation, authcBasic filters enforcing basic authentication on every request (this is external API), and another set uses authc since this is for a browser and redirects to the login page in the event the user is not logged in. However the browser app is actually AJAX based and in the event the user's session has timed out what happens is that I get an OK response from the server with the contents of the login page since the browser “handles” the “302 moved temporarily” itself within the AJAX call. Since a user must log in prior to reaching the AJAX based pages, what would be ideal is a filter on the AJAX API that doesn’t have any built in authentication mechanism (no forms, no http headers) and relies on an existing session. In the event this has timed out then I would like to simply set the HTTP status on the response and perhaps the Location header to allow the AJAX client to send the browser to the login page (effectively letting the client side handle what the FormAuthenticationFilter currently does).

Is there anything existing that can do this (I will roll my own if necessary but trying to avoid reinventing the wheel)?

Regards,

Marcus.


Re: Web Filter to return HTTP status code

Les Hazlewood-2
Hi Marcus,

Will the existing FormAuthenticationFilter or PassThruAuthenticationFilter (or any non HTTP-header-based Filter) not work?

These Filters already perform a 302 (or 303) redirect to a configured 'loginPage' property. Regardless of the client (AJAX or not), the response is still going to be an HTTP 302 (or 303) with the Location header set. Is that enough? Or might something else be required?

Cheers,

--
Les Hazlewood | @lhazlewood
CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282
Stormpath wins GigaOM Structure Launchpad Award! http://bit.ly/MvZkMk


On Fri, Aug 3, 2012 at 5:23 AM, Marcus Bond <[hidden email]> wrote:

Hi,

Just wondered if there is a web filter configuration that would allow a custom HTTP Status code and message to be passed to a client in the event that they are not logged in (e.g. session timeout)?

My current setup is that one set of resources has noSessionCreation, authcBasic filters enforcing basic authentication on every request (this is external API), and another set uses authc since this is for a browser and redirects to the login page in the event the user is not logged in. However the browser app is actually AJAX based and in the event the user's session has timed out what happens is that I get an OK response from the server with the contents of the login page since the browser “handles” the “302 moved temporarily” itself within the AJAX call. Since a user must log in prior to reaching the AJAX based pages, what would be ideal is a filter on the AJAX API that doesn’t have any built in authentication mechanism (no forms, no http headers) and relies on an existing session. In the event this has timed out then I would like to simply set the HTTP status on the response and perhaps the Location header to allow the AJAX client to send the browser to the login page (effectively letting the client side handle what the FormAuthenticationFilter currently does).

Is there anything existing that can do this (I will roll my own if necessary but trying to avoid reinventing the wheel)?

Regards,

Marcus.


RE: Web Filter to return HTTP status code

Marcus Bond

Sadly Les they couldn’t quite do what I wanted (don’t think so anyway).

The FormAuthenticationFilter / PassThrough causes the browser to redirect in a way that is transparent to the AJAX call so the AJAX call ultimately receives a 200 OK with the login page as the response body.

I ended up implementing it as follows:

FormAuthenticationFilter secures the application web page redirecting to login which on success takes the user to the application web page, all this is non-AJAX standard form submit.

The AJAX API is filtered with a simple filter (that inherits from up the hierarchy in AccessControlFilter) that does a subject.isAuthenticated check in “isAccessAllowed” and in its “onAccessDenied” handles the response by sending a 401 with WWW-Authentication header and a custom challenge scheme that the AJAX client understands.

Seems to work nicely enough, I’m planning to write it up so will post a link in case anyone else is interested in a similar thing.

Regards,

Marcus.
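
A filter of the kind described in this message could look like the following. This is an added example, not the poster's code and not part of Shiro: the class name, the `X-Session-Expired` challenge scheme, the realm value and the URL patterns in the comment are assumptions, and it targets Shiro 1.x on the `javax.servlet` API.

```java
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.AccessControlFilter;
import org.apache.shiro.web.util.WebUtils;

/**
 * Added example: answers unauthenticated AJAX calls with 401 instead of a
 * 302 that the browser would follow silently inside the XHR.
 *
 * Hypothetical shiro.ini wiring (paths are placeholders):
 *   [main]
 *   ajaxAuthc = com.example.AjaxSessionFilter
 *   [urls]
 *   /api/ajax/** = ajaxAuthc
 *   /app/**      = authc
 */
public class AjaxSessionFilter extends AccessControlFilter {

    // Assumed scheme name; the AJAX client must be written to recognise it.
    private static final String CHALLENGE_SCHEME = "X-Session-Expired";

    @Override
    protected boolean isAccessAllowed(ServletRequest request, ServletResponse response,
                                      Object mappedValue) {
        // No login is attempted here: only an already authenticated session passes.
        Subject subject = getSubject(request, response);
        return subject.isAuthenticated();
    }

    @Override
    protected boolean onAccessDenied(ServletRequest request, ServletResponse response) {
        HttpServletResponse http = WebUtils.toHttp(response);
        // The standard challenge header is WWW-Authenticate. A scheme other than
        // Basic keeps the browser from opening its own credential dialog.
        http.setHeader("WWW-Authenticate", CHALLENGE_SCHEME + " realm=\"application\"");
        // Keep intermediaries from caching the rejection for a later, valid session.
        http.setHeader("Cache-Control", "no-store");
        // setStatus rather than sendError, so no container error page is rendered.
        http.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        return false; // stop the chain; the API handler never runs
    }
}
```

On the client, the AJAX error handler checks for status 401 with this scheme and navigates the top-level window to the login page.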

 

 

From: Les Hazlewood [mailto:[hidden email]]
Sent: 07 August 2012 00:44
To: [hidden email]
Subject: Re: Web Filter to return HTTP status code

 

Hi Marcus,

Will the existing FormAuthenticationFilter or PassThruAuthenticationFilter (or any non HTTP-header-based Filter) not work?

These Filters already perform a 302 (or 303) redirect to a configured 'loginPage' property. Regardless of the client (AJAX or not), the response is still going to be an HTTP 302 (or 303) with the Location header set. Is that enough? Or might something else be required?

Cheers,


--
Les Hazlewood | @lhazlewood
CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282
Stormpath wins GigaOM Structure Launchpad Award! http://bit.ly/MvZkMk



Re: Web Filter to return HTTP status code

Les Hazlewood-2
Sounds good - I look forward to reading it! 

Thanks for the update,

--
Les Hazlewood | @lhazlewood
CTO, Stormpath | http://stormpath.com | @goStormpath | 888.391.5282
Stormpath wins GigaOM Structure Launchpad Award! http://bit.ly/MvZkMk

On Tue, Aug 7, 2012 at 3:30 AM, Marcus Bond <[hidden email]> wrote:

Sadly Les they couldn’t quite do what I wanted (don’t think so anyway).

The FormAuthenticationFilter / PassThrough causes the browser to redirect in a way that is transparent to the AJAX call so the AJAX call ultimately receives a 200 OK with the login page as the response body.

I ended up implementing it as follows:

FormAuthenticationFilter secures the application web page redirecting to login which on success takes the user to the application web page, all this is non-AJAX standard form submit.

The AJAX API is filtered with a simple filter (that inherits from up the hierarchy in AccessControlFilter) that does a subject.isAuthenticated check in “isAccessAllowed” and in its “onAccessDenied” handles the response by sending a 401 with WWW-Authentication header and a custom challenge scheme that the AJAX client understands.

Seems to work nicely enough, I’m planning to write it up so will post a link in case anyone else is interested in a similar thing.

Regards,

Marcus.

