Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
0 votes
187 views
in Technique by (71.8m points)

spring security - Redirect to Previous url after TIMEOUT

I am using Spring version 3.1.

I have implemented Spring Security for login to my web portal. It works fine except for one issue. I have set the session timeout to 2 min.

Once the timeout happens and the user then clicks any URL, the user gets redirected to the logout page. But when the user re-authenticates, the user lands directly on the home page, which is the default target URL, instead of the last accessed page.

For example, if the user accessed /home/editproduct, then after the timeout, when he re-authenticates, he should be taken to home/editproduct instead of only the /home page.

I am using Spring with JSON and AJAX calls.

<bean id="myNePublicUserNamePasswordAuthFilter"
class="com.ne.mynelson.authentication.publicuser.MyNePublicUserPasswordAuthFilter">
    <property name="filterProcessesUrl" value="/service/json_authentication_check"></property>
    <property name="authenticationManager" ref="myNePublicUserAuthenticationManager" />
    <property name="authenticationFailureHandler" ref="failureHandler" />
    <property name="authenticationSuccessHandler" ref="successHandler" />
    <property name="authenticationInputProcessor" ref="myNePublicUserAuthInputProcessor"></property>
</bean>
<bean id="successHandler"
class="com.ne.mynelson.authentication.publicuser.MyNePublicUserAuthSuccessHandler">
    <property name="authHandlerView" ref="authHandlerView"></property>
    <property name="sessionRegistry" ref="sessionRegistry"></property>
    <property name="publicLoginManager" ref="publicLoginManager"></property>
</bean>

1 Reply

0 votes
by (71.8m points)

EDIT: For SessionManagementFilter

You need to implement InvalidSessionStrategy and override the onInvalidSessionDetected method, just like SimpleRedirectInvalidSessionStrategy, but before the redirect you need to create a new session and save the request to the session.

HttpSession session = request.getSession(false);
if (session != null) {
    // invalidate the old session so that a new one is created below
    session.invalidate();
}
// capture the request that hit the invalid session
DefaultSavedRequest savedRequest = new DefaultSavedRequest(request,
                    new PortResolverImpl());
// store it in the new session under the key the success handler reads
request.getSession(true).setAttribute("SPRING_SECURITY_SAVED_REQUEST", savedRequest);
redirectStrategy.sendRedirect(request, response, destinationUrl);

and then inject this bean into SessionManagementFilter.

EDIT: For ConcurrentSessionFilter

If you use ConcurrentSessionFilter, you can implement SessionInformationExpiredStrategy, just like SimpleRedirectSessionInformationExpiredStrategy, and in the onExpiredSessionDetected method do the same thing as I posted above: before the redirect, create a new session and put the saved request into the new session. You can get the request via event.getRequest(). Then inject this SessionInformationExpiredStrategy into ConcurrentSessionFilter.

public void onExpiredSessionDetected(SessionInformationExpiredEvent event) throws IOException {
    logger.debug("Redirecting to '" + destinationUrl + "'");
    // capture the request that hit the expired session
    DefaultSavedRequest savedRequest = new DefaultSavedRequest(event.getRequest(),
                        new PortResolverImpl());
    // the request is only available through the event in this method
    event.getRequest().getSession(true).setAttribute("SPRING_SECURITY_SAVED_REQUEST", savedRequest);
    redirectStrategy.sendRedirect(event.getRequest(), event.getResponse(), destinationUrl);
}

Finally, use SavedRequestAwareAuthenticationSuccessHandler instead of SimpleUrlAuthenticationSuccessHandler. It will try to get the request target URL and then redirect to the saved URL.
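
The InvalidSessionStrategy described in the answer above, written out as a complete class. This is an added example, not code from the original post: the class name and the isReplayable check (which skips non-GET and AJAX requests so that a later login does not redirect to a JSON endpoint) are assumptions, and it uses the javax.servlet API as in Spring Security 3.x to 5.x.

```java
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.springframework.security.web.DefaultRedirectStrategy;
import org.springframework.security.web.PortResolverImpl;
import org.springframework.security.web.RedirectStrategy;
import org.springframework.security.web.savedrequest.DefaultSavedRequest;
import org.springframework.security.web.session.InvalidSessionStrategy;

// Hypothetical class name; added example, not the poster's code.
public class SaveRequestInvalidSessionStrategy implements InvalidSessionStrategy {

    // Session attribute name used in the answer above.
    private static final String SAVED_REQUEST = "SPRING_SECURITY_SAVED_REQUEST";

    private final String destinationUrl;
    private final RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();

    public SaveRequestInvalidSessionStrategy(String destinationUrl) {
        this.destinationUrl = destinationUrl;
    }

    @Override
    public void onInvalidSessionDetected(HttpServletRequest request,
            HttpServletResponse response) throws IOException {
        // Drop whatever is left of the timed-out session so a fresh one is issued.
        HttpSession stale = request.getSession(false);
        if (stale != null) {
            stale.invalidate();
        }
        if (isReplayable(request)) {
            request.getSession(true).setAttribute(SAVED_REQUEST,
                    new DefaultSavedRequest(request, new PortResolverImpl()));
        }
        redirectStrategy.sendRedirect(request, response, destinationUrl);
    }

    // Assumption: only a top-level GET is worth returning to after login.
    // AJAX calls are recognised by the X-Requested-With header that common
    // JavaScript libraries send; adjust if the client does not set it.
    private boolean isReplayable(HttpServletRequest request) {
        return "GET".equals(request.getMethod())
                && !"XMLHttpRequest".equals(request.getHeader("X-Requested-With"));
    }
}
```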

