ViewExpiredException not thrown on ajax request if JSF page is protected by j_security_check

by

I was able to reproduce your problem. What is happening here is that the container invokes a RequestDispatcher#forward() to the login page as specified in security constraint. However, if the login page is by itself a JSF page as well, then the FacesServlet will be invoked as well on the forwarded request. As the request is a forward, this will simply create a new view on the forwarded resource (the login page). However, as it’s an ajax request and there’s no render information (the whole POST request is basically discarded during the security check forward), only the view state will be returned.

Note that if the login page were not a JSF page (e.g. JSP or plain HTML), then the ajax request would have returned the whole HTML output of the page as ajax response which is unparseable by JSF ajax and interpreted as “empty” response.

It is, unfortunately, working “as designed”. I suspect that there’s some oversight in the JSF spec as to security constraint checks on ajax requests. The cause is after all understandable and fortunately easy to solve. Only, you actually don’t want to show an error page here, but instead just the login page in its entirety, exactly as would happen during a non-ajax request. You just have to check if the current request is an ajax request and is been forwarded to the login page, then you need to send a special “redirect” ajax response so that the whole view will be changed.

You can achieve this with a PhaseListener as follows:

public class AjaxLoginListener implements PhaseListener {

    @Override
    public PhaseId getPhaseId() {
        return PhaseId.RESTORE_VIEW;
    }

    @Override
    public void beforePhase(PhaseEvent event) {
        // NOOP.
    }

    @Override
    public void afterPhase(PhaseEvent event) {
        FacesContext context = event.getFacesContext();
        HttpServletRequest request = (HttpServletRequest) context.getExternalContext().getRequest();
        String originalURL = (String) request.getAttribute(RequestDispatcher.FORWARD_REQUEST_URI);
        String loginURL = request.getContextPath() + "/login.xhtml";

        if (context.getPartialViewContext().isAjaxRequest()
            && originalURL != null
            && loginURL.equals(request.getRequestURI()))
        {
            try {
                context.getExternalContext().invalidateSession();
                context.getExternalContext().redirect(originalURL);
            } catch (IOException e) {
                throw new FacesException(e);
            }
        }
    }
}

Update this solution is since OmniFaces 1.2 been built into the OmniPartialViewContext. So if you happen to use OmniFaces already, then this problem is fully transparently solved and you don’t need a custom PhaseListener for this.

More Related Contents:

  1. Session timeout and ViewExpiredException handling on JSF/PrimeFaces ajax request
  2. How to find out client ID of component for ajax update/render? Cannot find component with expression “foo” referenced from “bar”
  3. When to use valueChangeListener or f:ajax listener?
  4. What is the correct way to deal with JSF 2.0 exceptions for AJAXified components?
  5. What values can I pass to the event attribute of the f:ajax tag?
  6. Rendering other form by ajax causes its view state to be lost, how do I add this back?
  7. Form submit in conditionally rendered component is not processed
  8. Process onclick function after ajax call
  9. Can you update an h:outputLabel from a p:ajax listener?
  10. How to pass parameter to f:ajax in h:inputText? f:param does not work
  11. List of events
  12. ICEfaces libary in classpath prevents Save As dialog from popping up on file download
  13. Render multiple components with f:ajax
  14. Ajax update and submission using h:commandButton
  15. What security risks exist when setting Access-Control-Allow-Origin to accept all domains?
  16. Modify Address Bar URL in AJAX App to Match Current State
  17. API Gateway CORS: no ‘Access-Control-Allow-Origin’ header
  18. Download a file from Servlet using Ajax
  19. Can an AJAX response set a cookie?
  20. com.sun.faces.numberOfViewsInSession vs com.sun.faces.numberOfLogicalViews
  21. Exception handling in JSF ajax requests
  22. How can I catch and process the data from the XHR responses using casperjs?
  23. How to make a SPA SEO crawlable?
  24. Timed out waiting for asynchronous script result while executing protractor scripts with appium
  25. Returning redirect as response to Ajax (fetch, XHR, etc.) request
  26. What does a Ajax call response like ‘for (;;); { json data }’ mean? [duplicate]
  27. How to use Ajax within Sonata Admin forms?
  28. setAttribute, onClick and cross browser compatibility
  29. How to Implement ajax pagination with will_paginate gem
  30. Selenium WebDriver – determine if element is clickable (i.e. not obscured by dojo modal lightbox)

Leave a Comment