So I have reviewed the answers related to ViewExpiredException and handling this with Ajax requests, and I have that handled nicely now. However, I have a configuration that doesn't properly get the ViewExpiredException.
The application has a SecurityFilter which monitors each request, determines if the URL needs an authenticated user, and then checks to see if the user is authenticated (looks in the session for the user object).
The problem is that the filter processes the request before JSF actually determines a ViewExpiredException, so we forward them to the login page since they are not authenticated. This occurs because the session has expired and the user object is not in the session anymore.
If I remove the security filter then we do get the ViewExpiredException.
My question is: should I be using a different technique to validate authorization? One that allows JSF to process the request and then checks for authorization?
I also thought maybe only check authorization when it's a GET instead of a POST, in which case I do get the ViewExpiredException; however, that leaves a gaping hole in authorization if someone uses a POST directly.
The biggest issue is I can't determine in the filter if the session has timed out or the user typed in a URL they are not authorized for. The result is the same regardless as they are redirected to the Login page but then the error message can't be determined.
Note: We are using MyFaces, JSF 2.2 and PrimeFaces.
Any suggestions are greatly appreciated!
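
An added example, not part of the original post and not the poster's filter: one way a servlet filter can tell an expired session from a visitor who never logged in, while still checking every request method. The session attribute `user`, the path `/login.xhtml` and the `reason` query parameter are assumed names; the `javax.servlet` package matches JSF 2.2.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example. "user", "/login.xhtml" and "reason" are assumed names.
public class SecurityFilter implements Filter {
    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        String path = req.getRequestURI().substring(req.getContextPath().length());

        // Login page and JSF resources stay reachable, otherwise the redirect loops.
        if (path.equals("/login.xhtml") || path.startsWith("/javax.faces.resource/")) {
            chain.doFilter(rq, rs);
            return;
        }

        // getSession(false): never create a session just to inspect it.
        HttpSession session = req.getSession(false);
        boolean authenticated = session != null && session.getAttribute("user") != null;
        if (authenticated) {
            chain.doFilter(rq, rs);   // GET and POST are both checked
            return;
        }

        // The client presented a session id the container no longer accepts:
        // the session timed out or was invalidated. A visitor who never
        // logged in sends no session id, or one that is still valid but
        // carries no user object.
        boolean expired = req.getRequestedSessionId() != null
                && !req.isRequestedSessionIdValid();

        // The login page can pick its message from the reason parameter.
        res.sendRedirect(req.getContextPath() + "/login.xhtml?reason="
                + (expired ? "expired" : "login-required"));
    }
}
```

A plain `sendRedirect` is not understood by JSF Ajax requests, so those still need the Ajax handling mentioned at the top of the post.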