java - handle session expired event in spring based web application

Question

I am using Spring security feature in my application, but I found out that when the session expired, all the request ajax return the page login.jsp(not redirect, in http response, it puts all the html content) which is the login page of my webapp. I used a lot of ajax request in my app and the goal is return certain error code like 510 instead of the login page.

<session-management session-authentication-strategy-ref="example" /> 

without invalid-session-url I tried to make invalid-session-url = "", doesn't work. Many thanks

Answer 1

Use custom AuthenticationEntryPoint:

package com.example.spring.security
// imports here

public class AjaxAwareAuthenticationEntryPoint
     extends LoginUrlAuthenticationEntryPoint {

  public AjaxAwareAuthenticationEntryPoint(final String loginFormUrl) {
    super(loginFormUrl);
  }

  @Override
  public void commence(final HttpServletRequest request, final HttpServletResponse response, final AuthenticationException authException)
      throws IOException, ServletException {

    if ("XMLHttpRequest".equals(request.getHeader("X-Requested-With"))) {
      response.sendError(403, "Forbidden");
    } else {
      super.commence(request, response, authException);
    }
  }
}

Define a bean and use it as entry-point-ref in <http> element:

<http entry-point-ref="authenticationEntryPoint">
  <!-- more configuration here -->
</http>

<bean id="authenticationEntryPoint"
   class="com.example.spring.security.AjaxAwareAuthenticationEntryPoint">
 <constructor-arg value="/login.jsp"/>
</bean>