[CCAP-1591] Making session expirations return a 403 for XHR requests (#1005)

Author: cram-cfa

src/main/java/formflow/library/config/SessionExpiredCSRFAccessDeniedHandler.java

@@ -47,12 +47,22 @@ public void handle(HttpServletRequest request,
         if (likelyExpired) {
             log.info("CSRF denied with missing session. Treating as expired session. URI: {}", request.getRequestURI());
 
-            // Use param to denote expired session on home screen
-            response.sendRedirect(request.getContextPath() + "/?sessionExpired=true");
+            if (isAjaxRequest(request)) {
+                // XHR callers cannot follow redirects, so return an error they can handle.
+                response.setHeader("X-Session-Expired", "true");
+                response.sendError(HttpServletResponse.SC_FORBIDDEN, "Session expired");
+            } else {
+                // Use param to denote expired session on home screen
+                response.sendRedirect(request.getContextPath() + "/?sessionExpired=true");
+            }
             return;
         }
 
         // Preserve Spring Security default behavior in a real CSRF mismatch
         defaultHandler.handle(request, response, ex);
     }
+
+    private boolean isAjaxRequest(HttpServletRequest request) {
+        return "XMLHttpRequest".equals(request.getHeader("X-Requested-With"));
+    }
 }

src/main/java/formflow/library/exceptions/SessionExpiredException.java

@@ -1,7 +1,11 @@
 package formflow.library.exceptions;
 
-public class SessionExpiredException extends RuntimeException {
+import org.springframework.http.HttpStatus;
+import org.springframework.web.server.ResponseStatusException;
+
+public class SessionExpiredException extends ResponseStatusException {
+
     public SessionExpiredException(String message) {
-        super(message);
+        super(HttpStatus.NOT_FOUND, message);
     }
 }