7

After my AuthenticationFilter redirect to login page, I would like to logout to user.

That's why, I put identity.logout(); in my pre-render method checkPermission(...) of login.xhtml.

But, I get the ViewExpiredException when the user login again.

My problem is

1 : If I don't do identity.logout();, the user relogin again because of the old user session still exist. 2 : If I do identity.logout();, I get the ViewExpiredException when the user login again.

AuthenticationFilter.java

public class AuthenticationFilter implements Filter  {
    .....

    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
        HttpServletResponse httpResponse = (HttpServletResponse) servletResponse;
        HttpSession session = httpRequest.getSession();
        User user = (User) session.getAttribute(Constants.LOGIN_USER);
        if (user == null) {
            session.setAttribute(Constants.MESSAGE_ID, MessageId.REQUIRED_TO_LOGIN);
            String loginView = httpRequest.getContextPath() + Constants.LOGIN_PAGE;
            httpResponse.sendRedirect(loginView);
        } else if (!user.getRole().equals(Role.SYSTEM_ADMINISTRATOR)) {
            System.out.println("User Role : " + user.getRole());
            session.setAttribute(Constants.MESSAGE_ID, MessageId.REQUIRED_TO_ADMIN_ROLE);
            String loginView = httpRequest.getContextPath() + Constants.LOGIN_PAGE;
            httpResponse.sendRedirect(loginView);
        } else {
            filterChain.doFilter(servletRequest, servletResponse);
        }
        servletContext.log("Exiting the filter");
    }

    public void destroy() {
    }
}

login.xhtml

....
<f:event listener="#{LoginBean.checkPermission}" type="preRenderView" />
....

LoginBean.java

@Scope(ScopeType.EVENT)
@Name("LoginBean")
public class LoginBean extends BaseBean {
    ....

    public boolean authenticate() {
        ....
    }

    public void checkPermission(ComponentSystemEvent event) {
        FacesContext context = getFacesContext();
        ExternalContext  extContext = context.getExternalContext();
        String messageId = (String) extContext.getSessionMap().remove(Constants.MESSAGE_ID);
        if(messageId != null) {
            identity.logout();
            addMessage(null, FacesMessage.SEVERITY_ERROR, messageId);   
        }
    }
}
Zaw Than oo
  • 9,651
  • 13
  • 83
  • 131
  • I don't do Seam, so I have no idea what it is doing under the covers, but based on the symptoms, a theoretical solution would be to send another redirect directly after `identity.logout()` by `extContext.redirect(loginView);` which would force the browser to request the page using a new session instead of an expired session (and make sure that your browser doesn't cache the page). You can persist the message in the flash scope by `extContext.getFlash().setKeepMessages(true)`. Do this all in the `if` block. – BalusC Dec 24 '12 at 03:09
  • @BalusC Can I redirect the `login view` in `prerenderview` method? – Zaw Than oo Dec 24 '12 at 03:16
  • Yes, you can (why not try before ask?). Your concrete problem is caused by ending up with a view which was requested in a session which is expired by end of request. So you need to tell the browser to send a new request on the new session, so that the client ends up with a view in a valid session. – BalusC Dec 24 '12 at 04:07

1 Answers1

5

Don't use identity.logout(); in prerenderview method. In AuthenticationFilter, do as below before you pass the messageID if you would like to destory current session and create new session.

if(...) {
    session.invalidate();
    session = httpRequest.getSession(true); 
    ....
} else if(...){
    session.invalidate();
    session = httpRequest.getSession(true); 
    ....
}
Ye Wint
  • 849
  • 3
  • 13
  • 20
  • So, according to you, `identity.logout()` does apart from session expiration further nothing substantial? Do you have any authoritative references for this? – BalusC Dec 24 '12 at 04:08