0
votes

I have been using spring boot, with spring security and Ext Js as frontend. I added this piece of code as configuration for spring security. It means that, when the session expires the user will be redirected to the referenced url, right?

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.cors().and()
            .authorizeRequests().antMatchers("/", "/login/**").permitAll().and()
            .authorizeRequests()
            .anyRequest().authenticated()
            .and()
            .formLogin()
            .loginPage("/login")
            .loginProcessingUrl("/userAuth")
            .permitAll()
            .and()
            .logout()
            .permitAll()
            .and()
            .authorizeRequests()
            .antMatchers(HttpMethod.POST, "/**").permitAll();

    http.csrf().disable();
    http.headers().frameOptions().disable();

    http.sessionManagement().maximumSessions(1).expiredUrl("/login?logout");
}

Every time my frontend sends an AJAX request to Spring and the user has lost the session, Spring turns the request into a GET request to /login?logout, as is to be expected, but the page does not get redirected. All I can see is the login page in the response content of the request, without any effect on the page the user is seeing.

Why does this happen? Am I missing any configuration or implementation here?

EDIT: Here is what my Ext JS code for the AJAX request looks like:

onAuthCheck: function (users) {

    var result = Ext.Ajax.request({
        url: '/Queue/requests/loginCheck',
        method: 'POST',
        async: false,
        params: {
            usersInfo: Ext.encode(users)
        },
        // Ext.Ajax.request hands the callbacks (response, options);
        // the first argument is the XHR-like response object carrying .status
        success: function (response, options) {
            console.log(response);
            console.log(response.status);
            if (response.status === 401 || response.status === 302) {
                location.href = '/login?logout';
            }
        },
        failure: function (response, options) {
            console.log(response);
            console.log(response.status);
            if (response.status === 401 || response.status === 302) {
                location.href = '/login?logout';
            }
        }
    });
    // with async: false the returned object already holds the response
    return (Ext.JSON.decode(result.responseText, true).success);
},

EDIT2: Here is what my request looks like: it has a request with status 302, and still I'm getting a 200 status on my AJAX response in the JS code.


This is correct behavior as you use AJAX. I guess you are seeing the redirected page (login page) in the Ajax response. - Sunchezz
You might be getting an invalid session instead of expired. Try .invalidSessionUrl() instead (or even as well). - Kieveli
@Kieveli I will try that, thank you. But I think it is the AJAX request thingy. - Gabriel Robaina
Possible duplicate of stackoverflow.com/questions/7524039/… - dur
Possible duplicate of stackoverflow.com/questions/24816478/… - dur

2 Answers

1
votes

Short and simple answer:

Because you are submitting your request by AJAX, the response is not "affecting" your currently loaded page.

To be more precise:

Most browsers (all I know of) only redirect (respect the Location header) if an HTTP redirect code (301, 302, 303) is found in the response header. So technically, if Spring sent a 302 HTTP status code along with the authentication URL, the browser would switch the location.

As far as I know, Spring sends a 302 IF it is a GET request.

A simple solution:

This is one way to go with JavaScript and jQuery: check the result of your AJAX response. (This is just an example to give you a direction; there will be more solutions.)

    $.ajax({
        type: 'POST',
        url: '/url',
        // jQuery passes the jqXHR object as the third argument of success;
        // the first argument is the parsed body, which has no .status field
        success: function (result, status, xhr) {
            if (xhr.status === 401) {
                location.href = '/login?logout';
            }
        },
        // a 401 normally ends up here rather than in success
        error: function (xhr) {
            if (xhr.status === 401) {
                location.href = '/login?logout';
            }
        }
    });
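An added example, not code from the question or either answer: the server-side counterpart to a client status check like the one above, assuming the Spring Security 4.x/5.x WebSecurityConfigurerAdapter style used in the question. It answers unauthenticated XHR calls (those carrying the X-Requested-With: XMLHttpRequest header that Ext JS and jQuery add by default) with a bare 401 instead of a 302 to /login, so the client-side check actually fires; the class name is hypothetical and only the parts of the question's configure() relevant here are repeated.

```java
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.security.web.util.matcher.RequestHeaderRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;

// Hypothetical class name; the chain mirrors the question's configure() where relevant.
@Configuration
public class AjaxAwareSecurityConfig extends WebSecurityConfigurerAdapter {

    // Ext JS (Ext.data.Connection) and jQuery both add this header to XHR calls by default,
    // so it is a reasonable way to tell an AJAX call from a browser navigation.
    private static final RequestMatcher AJAX_REQUEST =
            new RequestHeaderRequestMatcher("X-Requested-With", "XMLHttpRequest");

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .antMatchers("/", "/login/**").permitAll()
                .anyRequest().authenticated()
                .and()
            .formLogin()
                .loginPage("/login")
                .loginProcessingUrl("/userAuth")
                .permitAll()
                .and()
            .logout()
                .permitAll()
                .and()
            // An unauthenticated XHR (e.g. after the session timed out) now gets a bare 401
            // instead of a 302 to /login, which the XHR would otherwise follow silently and
            // hand back as a 200 whose body is the login page. Browser navigations without
            // the header still fall through to formLogin's redirect-to-login entry point.
            .exceptionHandling()
                .defaultAuthenticationEntryPointFor(
                        new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED), AJAX_REQUEST)
                .and()
            // Concurrent-login expiry keeps the question's setting.
            .sessionManagement()
                .maximumSessions(1)
                .expiredUrl("/login?logout");
    }
}
```

With this in place an expired-session XHR lands in the client's failure/error callback with status 401, rather than in success with a 200 and the login page's HTML.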
0
votes

You can write this function; it will be fired every time an AJAX request completes.

// ajaxComplete handlers receive (event, jqXHR, ajaxOptions), so the
// second argument is the one that carries the HTTP status
$(document).ajaxComplete(function (event, xhr, settings) {
    if (xhr.status === 401) {
        location.href = "/login?logout";
    }
});