I am using GWT with Spring security to manage user log in.
Why do I get a popup window with the HTML contents of my login page as text instead of being directed to my properly formatted login page when the session expires and I try to do something in my app???
I have based my implementation on this post.
My configuration looks like this:
<security:http>
<security:intercept-url pattern="/login.jsp" filters="none" />
<security:intercept-url pattern="/styles/images/**" filters="none" />
<security:intercept-url pattern="/styles/*/images/**" filters="none" />
<security:intercept-url pattern="/styles/*/*.css" filters="none" />
<security:intercept-url pattern="/styles/*.css" filters="none" />
<security:intercept-url pattern="/**"
access="ROLE_USER" />
<security:form-login
login-page="/login.jsp"
default-target-url='/my-app.html' always-use-default-target="true" />
<security:logout logout-success-url="/login.jsp" />
<security:form-login authentication-failure-url="/login.jsp" default-target-url="/login.jsp"/>
</security:http>
Any help would be appreciated.
I would like to answer my own question in the hope it may be useful to other people.
The whole problem was due to the way I was handling InvocationException, which is thrown when the user attempts to perform an action which is blocked by Spring security (due to session time-out for example).
I was showing a popup by using Window.alert(“Explanation to the user, details” + e.getMessage()), where message is the message received from the Exception coming from the server. This works fine if the server actually sent an exception, but in the case where Spring attempts to re-direct the user to the login page, it seems that what is shown is the JSP page itself!!! I created my own popup (using a GWT’s DialogBox) and the problem is now solved.
Lesson learned: do not use Window.alert() for anything other than debugging!