I use tomcat's form based authentication on a webapp which use most of the time ajax call.
The configuration of the realm is pretty well documented, and it's working.
My problem begin when the user's session is ended, for any reason.
The subsequent ajax call will have a 200 ok response, with the content being the login page.
I'm looking for a way to change the beavaior of tomcat, like sending a 401 instead of hiding the content, forcing a client redirect, or any other solution that let the JS script know that the session is over and authentication is required once again.
After reading this http://www.htmlcodetutorial.com/document/index_tagsupp_13.html, I tried to add some custom header with http-equiv meta tag in my html login page.
But it doesn't work as expected. It seams that tomcat doesn't read static content in order to add headers.
I should also mention this post:
http://blog.pengoworks.com/index.cfm/2007/10/9/Expiring-Session-via-AJAX-using-HTTP-Response-Headers
What i end up doing is, on the js side, scan start of every response using a short regexp like this:
/^<!DOCTYPE html>/.test(responseBody)
It works, but take extra time for every request.
It only work because i know that i never use html as answer from the server.
Related
I started integrating SecureSocial in my play/scala app, but I don't really like all the redirects it does between it's different views.
example - try to login from it's default login page and if you put in a wrong pass you will be redirected to a different page (url) but with the same login form. the only thing that is different is that there is an error message...
I want a simple login form (user/password provider) at the corner of my main page that submits it's data using ajax, this data is validated on the server and a response is made to either display error message/s or change the window.location.
Next to this form I will put a link to go to a more advanced login page that adds the option to use other providers like fb/twitter etc..
But from that page I also want to use ajax to submit the details and get the response.
I tried to browse into the SecureSocial source but got a little lost in there.
Can any one give me an idea how to use SecureSocial's but without using any of it's views?
NOTE: I'm not interested in customizing their views, It's not just a CSS/design issue, I want to handle the login details Ajaxly and not with normal form submission followed by redirects...
After some more rummaging around in SecureSocial code I got a better understanding of how it operates.
You can use any of the providers you listed in the play.plugins file seperatly to authenthicate the user's info from your own login/auth code. just make sure you send the right parameters that the provider needs.
I liked the way SecureSocial's ProviderController class dynamically decided what provider to use, based on a parameter. But I didn't like the responses it made - redirect.. I wanted to respond to an ajax request with some data and let the client side js handle it.
This is my solution:
pretty much copy all of ProviderController code to my own Auth.scala file (a Controller).
Changed the redirects related to "case ex, case _", kept the redirect on successful auth as it adds the SecureSocial session key related to the user.
Removed all the SecureSocial related routes from my routes file.
Put an additional hidden field with the logintype (userpass/google/fb/etc...) and configured my login ajax post to sent this along with the post to my Auth controller.
If you need more info comment here and I'll edit the answer.
My web app runs under Tomcat, it uses AJAX requests very intensively, and during the development process I have to redeploy the web app intensively too. After the redeployment I usually simply refresh the page knowing that the user session is dropped, but I always get to the scenario described below:
Go to some page, a really big page with many JS-scripts included, that actually makes those intensive AJAX requests.
Stop Tomcat or redeploy the web app.
Refresh the page.
Enter the credentials in the sign-in form to authenticate.
Suddenly get the last AJAX request response in the browser window and the AJAX request URL in the URL bar.
Wow... It looks strange for me that AJAX request URLs appear in the URL bar along with their response in the web page display area. This actually happens to Firefox and Chrome (haven't tested it in other browsers). Unfortunately, I cannot reproduce the same behavior in a simple page written from scratch. Frankly speaking, I don't really understand what happens to such requests and why do browsers "think" if AJAX requests/responses are entered in URL bar by user...
Your possible explanations or hints for such a strange behavior are very and very appreciated. Thanks!
(Perhaps it can help: All AJAX requests are performed with jQuery 1.4.2)
I'm very sorry, as I understood later, the question is not complete, because there was another pitfall I didn't mention, so no one couldn't answer the question in principle. The reason of the bug was hiding in the... <body onunload="..."> tag definition. That was quite unexpected, but that code contained some AJAX request that must be invoked when a user leaves the page. I only realized that the authenicating module (FORM, j_security_check) returned a response (HTTP 302) containing the Location header - so that was the reason why browsers did redirects.
The exact scenario was like that:
Open the page containing <body onunload="some_ajax_here">.
Log out the app using another tab so you could stay at the same page.
Refresh the page so some ajax could be invoked - this AJAX request is not now allowed because it's a secured part of the application (you get the forwarded content of the login page).
Enter the credentials and now oops you get to the result of some ajax directly in the browser window.
As the quick fix, and I hope the final one, I added another request following that AJAX request:
$.ajax({
async: true,
method: "GET",
url: document.location.pathname + document.location.search
});
So the HTML page script simply makes self-page request the last one - j_security_check returns the Location referring the last used HTML page, and the redirect works fine. Perhaps my explanation is not clear and may be not complete or even full of mistakes, but it looks like that in general. I'm very sorry once again, and thank you #ChristopherSchultz!
I am experiencing random occurrences of caching of Ajax requests created through Jquery's get.
The Jquery gets are done in the most straight forward conventional way (route + params + callback)
I am already using
$.ajaxSetup({cache:false});
But it doesn't seem to always work. I get how ajaxSetup no cache works, and I see the added random parameter being added to my request url.
My current browser is IE 8.0
Does anyone know of another solution besides the ajaxSetup way...
The browser itself is simply not allowed/able to cache requests with distinct parameters, as added by {cache:false}.
It sounds like the caching is happening somewhere else in your chain, possibly in your web server/app.
Use firebug's net tab to check exactly what is being requested by the browser, and what the URLs are exactly, then take it from there.
It turns out I was wrong about my assumption about caching of ajax requests.
The real issue was caching of subsequent redirect to action requests that took place on the server (in response to the original ajax call).
The solution ended up being the following attribute.
[OutputCache(Location = OutputCacheLocation.None)]
It can be either applied at the controller level or the action level.
I want to post some ad to CraigList webiste using this URL. https://post.craigslist.org/nyc/S/fud/mnh/all I know AJAX is a solution which can perform where there is no same origin policy restriction.
The unique thing about this URL is that it modifies the action attribute of the form every time you refresh the page and I can't just post to a single static URL. I wonder is there a way I can automate this URL using AJAX?
I am using JQuery and know how to post a URL but this is headache.
You won't be able to use AJAX as it violates the same origin policy. You can use a regular POST, but you will have to parse the page for the hidden fields etc. to make it work.
Craigslist has gone into a lot of problem to make automated posting very difficult, so I wouldn't bother.
I have a PHP MVC Web App and Apache mod_rewrite rules already working fine, but when I create forms using method="get", the submitted URL looks like
contact/submit?a=b&c=d
I would like my form to submit to
contact/submit/a/b/c/d
Both posting and getting the form work fine on the server side, but when using post method, the back button always asks for reposting the form values and furthermore I want the strings in the URL for SEO. I think JQuery might let me intercept the form submit event and refresh to the url dynamically, but it it seems there must be an easier way to do it that I am missing.
You could use the POST->REDIRECT->GET pattern that Spring Web Flow utilizes. This would allow you to post as you wish and then redirect to contact/submit/a/b/c/d. It would also solve the problem with the back button asking you if you want to resubmit your form data. See this related article.
The GET method uses standard query string arguments to pass form data via an HTTP GET request.
The HTTP GET request is not intended to modify any data on the server. POST is designed for modifying data on the server.
GET may be cached. POST will not.
/a/b/c/d is not a standard format (as in RFC) for passing data. However, for requesting data or URLs to post to, that has become popular.
So, if you are updating server data, just use a POST -> REDIRECT -> /a/b/c/d.
If you are just reading data from the server, then you will need to use a bit of Javascript to read your form values and construct a query string, and then go to it with window.location = ...
Have fun!