I have a web app with Spring Boot that uses loginUrlAuthenticationEntryPoint and a RESTful service next to it. The application serves one web page that uses Thymeleaf, which authenticates using sessions, and a mobile app that uses basic authentication. So there is a cart items screen (HTML table) in a restaurant page; I want to make those items deleted by clicking on them asynchronously (from the database). But that page's security (page URL) is handled by login-url-auth-entry-point, not the REST auth security config.
So when I make an AJAX call to the delete cart item URL it returns 302. My AJAX call doesn't authenticate and tries to redirect me to the login page. I tried many things.
I tried using xhrFields{withCredentials:true} in the AJAX call - didn't work.
I tried setting the Authorization field with document.cookie - document.cookie returns empty.
Here is the controller I am trying to send the request to:

    @ResponseBody
    @PreAuthorize("hasRole('RESTAURANT') OR hasRole('ADMIN')")
    @GetMapping("/flushitem/{id}")
    public ResponseEntity<String> freeCartItem(@PathVariable("id") Long id) {
        try {
            cartService.deleteCart(id);
        }catch(Exception e) {
            e.printStackTrace();
        }
        return new ResponseEntity<>(HttpStatus.OK);
    }

I also tried deleting the @ResponseBody annotation and making a request with Thymeleaf's th:href on HTML link tags. It tries to redirect somewhere even if my controller returns void.
So, long story short, my question is: how should I make an AJAX call in a web page which authenticates by sessions? Or can I make the functionality that I want without using AJAX and a REST controller function?

I'm not trying to make any CORS-related operation (I guess).

Berk Altuğ
  • I think problem is session getting expired, and redirecting to login page. – Vipul Nov 06 '19 at 14:36
  • Can you try to use JWT tokens instead of session. In the token based application, the server creates JWT with a secret and sends the JWT to the client. The client stores the JWT (usually in local storage) and includes JWT in the header with every request. The server would then validate the JWT with every request from the client and sends response. Reference: https://medium.com/@sherryhsu/session-vs-token-based-authentication-11a6c5ac45e4 – Vipul Nov 06 '19 at 14:39
  • It's impossible to expire! I'm working on localhost, resetting the server every time and logging in every time. I know how to use JWT, but the project's web page section is built on the session system and changing it to JWT is a huge problem. I want to know if I am trying an impossible thing, something against HTTP protocols, or is there a workaround? – Berk Altuğ Nov 06 '19 at 14:45
  • Did you see any error in server logs? – Vipul Nov 06 '19 at 14:57
  • Could you check this post: https://stackoverflow.com/questions/23901950/spring-security-ajax-session-timeout-issue – Vipul Nov 06 '19 at 15:05
  • I don't get any error in server logs. The link you provided is about forbidding AJAX calls to the form login securities by controlling their header. What I want to do is the opposite, but I couldn't figure it out. – Berk Altuğ Nov 06 '19 at 15:39
  • I still need answers, guys. The only solution I found is making the endpoint unsecured, which shouldn't be a solution obviously! – Berk Altuğ Nov 14 '19 at 12:49
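The question and its comments leave the core point open: a 302 on an XHR means the session-protected filter chain treated the call as unauthenticated and handed it to LoginUrlAuthenticationEntryPoint, which only knows how to redirect browsers. The usual Spring Security pattern is to keep the endpoint protected, keep the two filter chains (Basic for the mobile API, form login plus session for the Thymeleaf pages) cleanly separated by path, and answer XHR callers with 401 instead of a redirect so the page script can detect a lost session. The example below is added editorial code, not the asker's project code; it assumes a Spring Boot 2 / Spring Security 5 era WebSecurityConfigurerAdapter, a `CartService.deleteCart(Long)` method as in the question, a `/login` page, and that the mobile API lives under `/api/**` (the question does not give that path, so it is a placeholder). It also moves the delete to an HTTP DELETE with CSRF left enabled, because a state-changing GET is reachable from any cross-site link or image tag.

```java
import java.util.LinkedHashMap;

import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.authentication.DelegatingAuthenticationEntryPoint;
import org.springframework.security.web.authentication.HttpStatusEntryPoint;
import org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint;
import org.springframework.security.web.util.matcher.RequestHeaderRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcher;
import org.springframework.web.bind.annotation.DeleteMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RestController;

@Configuration
public class SecurityConfig {

    // Chain 1 (evaluated first): stateless Basic auth for the mobile app only.
    // "/api/**" is an assumed prefix; whatever the real one is, it must NOT
    // cover "/flushitem/**", otherwise browser calls land in the wrong chain.
    @Configuration
    @Order(1)
    public static class MobileApiSecurity extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http.antMatcher("/api/**")
                .authorizeRequests().anyRequest().authenticated()
                .and().httpBasic()
                .and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                .and().csrf().disable();   // no cookie session here, so no CSRF surface
        }
    }

    // Chain 2: form login + HTTP session for the Thymeleaf pages and their XHR calls.
    @Configuration
    @Order(2)
    public static class WebSecurity extends WebSecurityConfigurerAdapter {
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            // XHR requests (identified by the X-Requested-With header the page
            // script sends) get a bare 401; everything else gets the login redirect.
            LinkedHashMap<RequestMatcher, AuthenticationEntryPoint> byRequest = new LinkedHashMap<>();
            byRequest.put(new RequestHeaderRequestMatcher("X-Requested-With", "XMLHttpRequest"),
                          new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED));
            DelegatingAuthenticationEntryPoint entryPoint = new DelegatingAuthenticationEntryPoint(byRequest);
            entryPoint.setDefaultEntryPoint(new LoginUrlAuthenticationEntryPoint("/login"));

            http.authorizeRequests()
                    .antMatchers("/login", "/css/**", "/js/**").permitAll()
                    .anyRequest().authenticated()
                .and().formLogin().loginPage("/login")
                .and().exceptionHandling().authenticationEntryPoint(entryPoint);
            // CSRF protection stays on: the DELETE below must carry the token
            // that Thymeleaf exposes as ${_csrf.token} / ${_csrf.headerName}.
        }
    }
}

@RestController
class CartItemController {

    private final CartService cartService;   // assumed service from the question

    CartItemController(CartService cartService) {
        this.cartService = cartService;
    }

    // DELETE instead of GET: state changes should never ride on a plain link.
    // The role check is unchanged; deleteCart should additionally verify that
    // the item belongs to the calling restaurant before removing it.
    @PreAuthorize("hasAnyRole('RESTAURANT', 'ADMIN')")
    @DeleteMapping("/flushitem/{id}")
    public ResponseEntity<Void> freeCartItem(@PathVariable("id") Long id) {
        cartService.deleteCart(id);   // let failures surface as an error status, not a silent 200
        return ResponseEntity.noContent().build();
    }
}
```

On the page side, a same-origin `fetch('/flushitem/' + id, { method: 'DELETE', credentials: 'same-origin', headers: { 'X-Requested-With': 'XMLHttpRequest', [csrfHeader]: csrfToken } })` sends the JSESSIONID cookie automatically (no `withCredentials` or manual Authorization header is needed for same-origin calls), where `csrfHeader` and `csrfToken` are read from `<meta name="_csrf_header" th:content="${_csrf.headerName}">` and `<meta name="_csrf" th:content="${_csrf.token}">` in the Thymeleaf template. If the response is 401 the script knows the session is gone and can reload the page to trigger the normal login flow; if it is 403 the CSRF token or the role check failed, which is worth logging server-side as a distinct event.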

0 Answers