Login not working after setting cookies? - spring

I've just set custom cookie values for my application with Spring.
In my web.xml I added this:
<session-config>
<cookie-config>
<domain>.127.0.0.1</domain> <!-- I want to run my app in localhost:8949/administrator -->
<path>/administrator</path>
<secure>false</secure>
<http-only>true</http-only>
</cookie-config>
</session-config>
So, the login form appears and I log in; it creates the session but returns me to the login page.
I see 2 requests with different jsessionid values:
one at j_spring_security_check and the other at administrator/, and the request for the file login;jsessionid=ASDF...
My question: is this problem due to a misconfiguration of my cookie? Could it be that the specified path is not correct? In that case, how can I specify the domain with a port? Or is the path incorrect?
Any ideas?

Related

How to redirect to the login page in a JSF + Spring Security project when the session times out?

I added the code fragment below to my web.xml file:
<session-config>
<session-timeout>1</session-timeout>
</session-config>
I need to know whether there is any possibility to redirect to my login page when the application session times out.
I used JSF 2 + Spring Security 3 + RichFaces final in my project.
Please advise me.
Thanks all.
Do you want to do that automatically, or do you want to redirect to the login page after session timeout when the user calls some action?
For the second one I can recommend this method. I've tested this method in my project and it will work for sure.
https://gist.github.com/banterCZ/5160269
But if you want to do that with RichFaces, use this:
Redirecting on session timeout in JSF-Richfaces-facelet

If I lose the JSF session scope I want to change to the login page

I used JSF 2.2 Mojarra and the session scope.
After some time the session scope is deleted or something else. If I go back to the login page and log in again I have a new session scope and everything works again.
If I work in the web application the session scope is not lost, and I have no problem. So I think it must be lost after some time if I don't use the web application.
Any idea how I can automatically go back to the login page if I lose the session scope?
To achieve this, your state saving method should first be set to server, as below:
<context-param>
<param-name>javax.faces.STATE_SAVING_METHOD</param-name>
<param-value>server</param-value>
</context-param>
After this you should have a session timeout like the one below in your web.xml:
<session-config>
<session-timeout>20</session-timeout>
</session-config>
If you are idle for more than 20 minutes and then try to make any request from the page, you will see an exception stack trace of ViewExpiredException. To redirect to the login page in that case, you have to have the following config in web.xml:
<error-page>
<exception-type>javax.faces.application.ViewExpiredException</exception-type>
<location>your login page path</location>
</error-page>
This works if you make a non-ajax request from the page after session timeout. To make it work on click of an ajax button, a special exception handler for exceptions on ajax requests is required. You can use <pe:ajaxErrorHandler> from the PrimeFaces Extensions library.
To use this you need to have the following in your faces-config.xml:
<application>
<el-resolver>org.primefaces.application.exceptionhandler.PrimeExceptionHandlerELResolver</el-resolver>
</application>
<factory>
<exception-handler-factory>org.primefaces.application.exceptionhandler.PrimeExceptionHandlerFactory</exception-handler-factory>
</factory>
And the PrimeFaces Extensions namespace xmlns:pe="http://primefaces.org/ui/extensions".
Now just put <pe:ajaxErrorHandler /> in your page. This will navigate to the login page on ajax button click in a page after session timeout.
For automatic navigation to the login page on timeout you can use <p:idleMonitor>, something like:
<p:idleMonitor timeout="6000" onidle="idleDialog.show()" />
Please have a look at this question for a correct implementation of the idle monitor:
Timeout via idlemonitor (primefaces)
If you are using ICEfaces please visit the following link:
JSF Session timeout and auto redirect to login page without user interaction even though Ajax push is active
You can also use the OmniFaces FullAjaxExceptionHandler; please google for this.
Hope this helps!!!

How to store values in session if cookie is disabled in spring MVC

I am using Spring MVC 3.1 and developing a web application.
I am storing the logged-in user name and password in the session. Since the session is stored in a cookie, once cookies are disabled I am not able to log in.
Is there any solution in Spring MVC to store the session other than in a cookie?
Thanks
You want to use URL rewriting to persist the JSESSIONID in the URLs across requests. You can configure the ServletContext to use the URL tracking mode (instead of COOKIE) as described here.
With Servlet 3.0 you do this:
<session-config>
<tracking-mode>URL</tracking-mode>
</session-config>
I noticed that in my application (Java EE 6, Spring MVC 3.2.4, Spring Security 3.1.4) JSTL's <c:url> tags start adding the sessionid value to each URL when cookies get disabled. Spring Security works normally. I did not have to do any configuration to achieve this.

Mysterious HttpSession and session-config dependency

Good day. I'm developing a Java web app with Servlets\JSP using Tomcat 7.0. During a request from the client I put an object into the session and use forward. After the forward, while processing the same request, the object can be retrieved if the secure parameter is false; otherwise it is not stored in the session.
<session-config>
<session-timeout>15</session-timeout>
<cookie-config>
<http-only>true</http-only>
<secure>true</secure>
</cookie-config>
<tracking-mode>COOKIE</tracking-mode>
</session-config>
I've figured out that "...cookies can be created with the 'secure' flag, which ensures that the browser will never transmit the specified cookie over non-SSL...". I've configured Tomcat to use SSL, but that hasn't helped. Changing the tracking mode to SSL hasn't helped either. How do session-config and the HttpSession object correlate in this case? What could be the problem?
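Added example (not part of the original posts): a simplified model of the browser's RFC 6265 cookie rules, applied to the two cookie-config blocks on this page, namely the Domain/Path settings from the first question and the secure flag from the question above. The URLs, ports 8443/8080 and the /app/ path are constructed for illustration.

```javascript
// Simplified RFC 6265 model; a port is never part of cookie matching.
const isIp = (h) => /^\d{1,3}(\.\d{1,3}){3}$/.test(h) || h.includes(":");
const host = (url) => new URL(url).hostname.toLowerCase();

// Section 5.1.3: identical strings, or a dot-delimited suffix of a host NAME.
function domainMatch(reqHost, cookieDomain) {
  const d = cookieDomain.replace(/^\./, "").toLowerCase(); // leading dot is ignored
  return reqHost === d || (!isIp(reqHost) && reqHost.endsWith("." + d));
}

// Section 5.1.4: the cookie path must be a whole-segment prefix of the request path.
function pathMatch(reqPath, cookiePath) {
  if (reqPath === cookiePath) return true;
  if (!reqPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || reqPath[cookiePath.length] === "/";
}

// Section 5.3: a Domain attribute that does not match the responding host
// makes the browser drop the whole cookie.
function stored(setUrl, c) {
  return !c.domain || domainMatch(host(setUrl), c.domain);
}

// Section 5.4: is the cookie attached to a later request?
function sent(setUrl, c, reqUrl) {
  if (!stored(setUrl, c)) return false;
  const u = new URL(reqUrl);
  if (c.secure && u.protocol !== "https:") return false; // Secure needs HTTPS
  const hostOk = c.domain ? domainMatch(host(reqUrl), c.domain)
                          : host(reqUrl) === host(setUrl); // host-only cookie
  return hostOk && pathMatch(u.pathname, c.path || "/");   // "/" default is a simplification
}

// Constructed inputs mirroring the two web.xml cookie-config blocks.
const adminCookie = { domain: ".127.0.0.1", path: "/administrator", secure: false };
const secureCookie = { path: "/", secure: true };
const login = "http://localhost:8949/administrator/j_spring_security_check";
const byIp = "http://127.0.0.1:8949/administrator/";
const tls = "https://localhost:8443/app/";

function report() {
  return {
    domainOnLocalhost: stored(login, adminCookie),           // false: dropped
    domainOnLoopbackIp: sent(byIp, adminCookie, byIp),       // true
    noDomainElement: sent(login, { path: "/administrator" },
                          "http://localhost:8949/administrator/"), // true
    secureOverHttp: sent(tls, secureCookie, "http://localhost:8080/app/"), // false
    secureOverHttps: sent(tls, secureCookie, tls),           // true
  };
}
console.log(report());
```

When the session cookie is dropped or withheld, the container sees no session id on the next request and issues a new JSESSIONID, which matches the symptoms in both questions.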

Session lost when switching from https to http (tomcat 6.0.26)

I'm developing a web app (jsf 2.0 + facelets + richfaces 3.3.3 + oracle 10g + tomcat 6.0.26).
In my app, there is 1 path that is not secured, and the others are secured (web.xml):
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/faces/login.jsp</form-login-page>
<form-error-page>/faces/error.jsp</form-error-page>
</form-login-config>
</login-config>
<security-constraint>
<web-resource-collection>
<web-resource-name>Admin_Resource</web-resource-name>
<description/>
<url-pattern>/faces/admin/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>A</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<security-role>
<description>Role admin</description>
<role-name>A</role-name>
</security-role>
So, this path is not secured: /faces/client/*.
When I move from https to http, I use this function:
FacesContext.getCurrentInstance().getExternalContext().redirect("http://url/faces/client/page.xhtml");
When I deploy my app and use this url: http(s)://url/MyContext/faces/..., everything works fine.
But when I moved my app to the ROOT context, so that I use this url: http(s)://url/faces/, my https session is lost when I move from https to http, then back to https. My login page shows up, so I need to re-type my login and password.
Why is my session lost? Is there something wrong?
Add: when I deploy my app, here's what I do (external server):
I put my war file into the webapp folder,
I start my server (that will decompress my war into folders,...), then stop it,
I delete my war file,
I replace the content of the ROOT folder with the content of the decompressed war file,
and I restart my server again.
But everything works fine when I put my war into the webapp folder, then start the server (that's all).
So, I think it's a context problem.
Do you have any ideas?
This is an old question but it's worth answering because I just ran into it and the answer ended up being really simple. First, it makes complete sense that the session should be regenerated on the same session cookie name when going back and forth between HTTP and HTTPS. By default in Tomcat the session cookie name is JSESSIONID.
In Tomcat you can very simply change the name of the session cookie. I had two webapps, one HTTP and another HTTPS, for admin tools. Anytime the HTTP webapp opened I lost my session in the HTTPS webapp. All I had to do was add the sessionCookieName to the context of my HTTPS webapp:
<Context sessionCookieName="ANOTHERCOOKIENAME" ...
This won't help if you're switching between HTTP and HTTPS in the same webapp, but you shouldn't do that anyway.
