Ajax和表单认证

I am trying to implement form authentication in my ajax application. The problem I have is that when the session expires I get 302 code which redirects me to a login page I specified in web.xml (and it messes everything up refreshing the whole app to login page).

What I want to do is to get a "not authenticated" (401) code, then display the login form in a popup window and when the login is successful continue with what I was doing.

here is a picture of what is going on: http://docs.oracle.com/javaee/1.4/tutorial/doc/images/security-formBasedLogin.gif

and the docs http://docs.oracle.com/javaee/1.4/tutorial/doc/Security5.html

basically, I want to display the popup instead of redirect to login page and then don't do the redirect to the resource but do my update in AJAX way. From what I understand it couldn't be done only on the client side since the redirect can't be avoided (see here: redirect info), I would need to write some kind of logic on the server to prevent redirect, see here for detail about doing it in IIS: IIS implementation

P.S. So far this: http://www.oracle.com/technetwork/articles/entarch/session-lifecycle-096133.html looks like the most promising way to implement it. The class is deprecated, but I can't find the new one and think it's the only way to do it for Weblogic.

This is not an easy way but still it works

You have a form in your page which is filled by the user.

User clicks submit button.

An ajax request is sent to the server.

The server side implementation can check whether session exists or not. and accordingly you can send a response code 401..(response.setStatus());

This 401 can be checked in client side using ajax --- xhr.status

If response is 401 you can show the login form and hide the current form. using js and css.

User fills in the login details and clicks submit..

You can do the same server side check and client side check for the status of that login request.

if login is successful then you can you can submit the first form using ajax or js..

You could use a heartbeat checking with an ajax request to your server to any resource that needs to be authenticated to get it.. if you cannot receive this resource so means that youre not logged in.. so you could send another authentication request an go on with your rendering..

see this article.. http://ajaxpatterns.org/archive/Heartbeat.php

so your checking routine of authentication would be implemented..

You need to push to page and not poll. So you need Strophe and your session handler connected. When session expires signal is sent to Strophe instance that is running in your web app and after that it is easy to do popup or whatever. For all real time stuff I am using Strophe!

This is book on this metter and this is link for Strophe, also this is link of php xmpp class.

It will take you couple of days to figure out this but it is couple of days well spent! If you read carefully book and go to examples, with just basic javascript/jquery understanding you will be able to develop powerful web apps.

I know you're trying to do FORM authentication with you ajax application but is it really needed?

BASIC authentication works simpler and transparently for ajax requests as it is handled by the browser, not by your app. But I admit/understand that a popup is ugly.