I have a JSF web application which maintains the user session via a @SessionScoped bean. I also have a REST service that calls a logout method, which is used to invalidate the user's session.

However, when I call the REST service, the request.getSession() does not have the attributes set by the @SessionScoped bean. Also, invalidating the session does not work either.

When the @SessionScoped bean is called again, its own session with the attributes is still available.

Do REST services create a separate session other than the Faces session? If so, how can I invalidate the session via a REST service (it has to be via a REST service, not a managed bean or any Faces CDI bean)?

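import javax.enterprise.context.RequestScoped;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.ws.rs.Consumes;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;

@Path("logout")
@RequestScoped
public class LogoutEndpoint {

    @POST
    @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
    public boolean op(@Context final HttpServletRequest request) {
        // getSession() creates a new session when the request carries no session id
        HttpSession httpSession = request.getSession();
        httpSession.invalidate();
        return true;
    }
}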
  • JSF does not have a separate session. It is the session from the container. Check if the session id is the same. If it is not, you have the cause of the problem... – Kukeltje May 01 '18 at 12:41
  • Yes, by JSF session I meant the HttpServletRequest session. Their ids are different in the @SessionScoped bean and in the REST service. How can that be? – Cadrian Brown May 01 '18 at 12:43
  • Possible causes: They don't share the same web application or the REST client does not send the session cookie correctly or... all not JSF-related. – Kukeltje May 01 '18 at 12:45
  • The REST service and the bean are in the same web application. The REST client is in a different application, on a different domain. Is the client responsible for sending the session cookie? For now it simply calls the logout service via the POST method. – Cadrian Brown May 01 '18 at 12:52
  • Uhhhh.... yes, what did you otherwise expect... Keeping track of a session is done via a cookie or a param in the URL. https://stackoverflow.com/questions/12238969/how-do-application-servers-keep-track-of-httpsession-objects-and-clients Both are the responsibility of the client to pass on correctly. Strange that you (or one of your co-workers) do not know this but there IS a requirement to do the logout from REST... – Kukeltje May 01 '18 at 12:55
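
The check discussed in the comments, as an added example that is not part of the original question or its comments: a logout resource that uses `getSession(false)` so a request arriving without the user's session id is rejected instead of creating and invalidating a fresh, empty session. The class name `CheckedLogoutEndpoint` and the path `logout-checked` are hypothetical; the `javax.*` namespace is assumed from the date of the post.

```java
import java.util.logging.Logger;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;

// Hypothetical class name and path; added example, not the poster's code.
@Path("logout-checked")
public class CheckedLogoutEndpoint {

    private static final Logger LOG =
            Logger.getLogger(CheckedLogoutEndpoint.class.getName());

    @POST
    public Response logout(@Context HttpServletRequest request) {
        // Session id the client actually sent (cookie or URL), or null if none.
        // Only its presence is logged, never the id itself.
        String requestedId = request.getRequestedSessionId();

        // getSession(false) never creates a session: null means this request
        // is not attached to any live session in this web application.
        HttpSession session = request.getSession(false);

        if (session == null) {
            LOG.warning(() -> "logout without usable session: requestedId="
                    + (requestedId == null ? "none" : "present")
                    + ", valid=" + request.isRequestedSessionIdValid());
            // Nothing was invalidated, so do not report success.
            return Response.status(Response.Status.UNAUTHORIZED).build();
        }

        // Record how the id arrived, then end the session the client named.
        LOG.info(() -> "invalidating session, fromCookie="
                + request.isRequestedSessionIdFromCookie());
        session.invalidate();
        return Response.noContent().build();
    }
}
```

A 401 from this resource tells the remote client that its request did not carry the session id of the user it meant to log out.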

0 Answers