1

I am using JSF 2.3 (Mojarra) with PrimeFaces 7 on WildFly 17 and have a problem with (I suppose) an expired HTTP session, which I was not able to answer using the links below:

keep getting javax.faces.application.ViewExpiredException: viewId with jsf 2

JSF 2.3 Form Based Login and ViewExpiredException

To test my assumption I have put the following entry in my web.xml:

 <session-config>
    <cookie-config>
        <http-only>true</http-only>
    </cookie-config>
    <session-timeout>1</session-timeout>
</session-config>

After deploying the application I opened two pages of it in different browsers: The first page requires login that I performed successfully and then opened the page. The second page requires a click on a link only (without login) and opens upon clicking this link. Both pages use ViewScoped beans.

I wait a little more than one minute, when, according to the configuration above, the session should have expired.

1.) On the first page: when I click on the button below:

     <p:commandButton icon="ui-icon-check" value="....." action="#{aveAngelBean.aveAngelegtOK}" update="@form" />

I only see that in the lower right corner a circle spins indicating that probably a JavaScript is executed, but nothing happens otherwise. I do not get any error in the console. When I click a second time on the button, nothing happens. Also, no code is executed on the server.

2.) On the second page: when I click on the button below:

                 <p:commandButton  icon = "ui-icon-check" value="#{msg['immobilien.ave.go.forward']}" action="#{persDatenBean.weiterUnterlagen}" update="@form">
                       <f:param name="validateOnWeiter" value="true"/>
                 </p:commandButton>

the @init method of the backing bean gets executed - meaning probably an attempt from the server to restore the view. Then an error occurs, because the HTTP GET parameter, found in the URL of the link, which I initially invoked to get to this page:

?linkId=c91cc387-45f4-4c22-8829-4e3fd266c311_abd45a61-0e4e-4e7b-aa48-e9d858a5dbb9

is not being found.

My questions are:

1.) About the first page: How can I show the login-page instead of showing nothing?

2.) About the second page: How can I reload the page, when clicking the button, WITH the HTTP GET parameter that I used to initially invoke the page? Why is this parameter

?linkId=c91cc387-45f4-4c22-8829-4e3fd266c311_abd45a61-0e4e-4e7b-aa48-e9d858a5dbb9

somehow not considered at the time of pressing the button?

Below my web.xml:

<web-app xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee 
                    http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
                    version="3.0">

    <context-param>
        <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
        <param-value>server</param-value>
    </context-param>
    <context-param>
        <param-name>javax.faces.PROJECT_STAGE</param-name>
        <param-value>Development</param-value>
    </context-param>
    <context-param>
        <param-name>primefaces.THEME</param-name>
        <param-value>sapphire-#{guestPreferences.theme}</param-value>
    </context-param>
    <context-param>
        <param-name>primefaces.FONT_AWESOME</param-name>
        <param-value>true</param-value>
    </context-param>
    <context-param>
        <param-name>javax.faces.FACELETS_LIBRARIES</param-name>
        <param-value>/WEB-INF/primefaces-sapphire.taglib.xml</param-value>
    </context-param>
<!-- @see http://jsfcorner.blogspot.co.at/2014/01/client-side-validation-example-of.html  -->
    <context-param>
        <param-name>primefaces.CLIENT_SIDE_VALIDATION</param-name>
        <param-value>true</param-value>
    </context-param>

    <context-param>
        <param-name>primefaces.FONT_AWESOME</param-name>
        <param-value>true</param-value>
    </context-param>  
    
    <listener>
        <listener-class>com.sun.faces.config.ConfigureListener</listener-class>
    </listener>
    <filter>
        <filter-name>Character Encoding Filter</filter-name>
        <filter-class>org.primefaces.sapphire.filter.CharacterEncodingFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>Character Encoding Filter</filter-name>
        <servlet-name>Faces Servlet</servlet-name>
    </filter-mapping>
    
    <!-- JSF mapping -->
    <servlet>
        <servlet-name>Faces Servlet</servlet-name>
        <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet>
        <servlet-name>Job Repair Servlet</servlet-name>
        <servlet-class>at.home.digest.web.ave.JobRepairServlet</servlet-class>
        <load-on-startup>0</load-on-startup>
    </servlet>
    <servlet>
        <servlet-name>InitServlet Servlet</servlet-name>
        <servlet-class>at.home.digest.web.ave.InitServlet</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet>
        <servlet-name>Download Servlet</servlet-name>
        <servlet-class>at.home.digest.web.DownloadServlet</servlet-class>
        <load-on-startup>0</load-on-startup>
    </servlet>
    
    <!-- Map these files with JSF -->
    <servlet-mapping>
        <servlet-name>Faces Servlet</servlet-name>
        <url-pattern>*.jsf</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>Faces Servlet</servlet-name>
        <url-pattern>*.faces</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>Faces Servlet</servlet-name>
        <url-pattern>/faces/*</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>Faces Servlet</servlet-name>
        <url-pattern>*.xhtml</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>Job Repair Servlet</servlet-name>
        <url-pattern>/ave/makler/admin/jobRep</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>Download Servlet</servlet-name>
        <url-pattern>/heimdi/ave/download</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>Download Servlet</servlet-name>
        <url-pattern>/ave/download</url-pattern>
    </servlet-mapping>
    
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>All resources in /ave/makler/*</web-resource-name>
            <description>All resources in /ave/makler/*</description>
            <url-pattern>/ave/makler/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>makler</role-name>
            <role-name>maklerChef</role-name>
        </auth-constraint>
    </security-constraint>

    <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>jBossJaasHeimdiRealm</realm-name>
        <form-login-config>
            <form-login-page>/login/login.jsf</form-login-page>
            <form-error-page>/login/loginFailed.jsf</form-error-page>
        </form-login-config>
    </login-config>

    <security-role>
        <role-name>makler</role-name>
    </security-role>
    
    <security-role>
        <role-name>maklerChef</role-name>
    </security-role>
    
    <security-role>
        <role-name>kaufer</role-name>
    </security-role>
    
     <session-config>
        <cookie-config>
            <http-only>true</http-only>  <!-- https://owasp.org/www-community/HttpOnly , @see also:  https://www.cookiepro.com/knowledge/httponly-cookie/  -->
            <!-- <secure>true</secure>   --> <!-- https://owasp.org/www-community/controls/SecureCookieAttribute  -->
        </cookie-config>
        <session-timeout>1</session-timeout>
    </session-config>
    
    <error-page>
      <exception-type>javax.servlet.ServletException</exception-type>
      <location>/error.faces</location>
   </error-page>
   <error-page>
      <exception-type>javax.faces.FacesException</exception-type>
      <location>/error.faces</location>
   </error-page>
   <error-page>
       <exception-type>java.lang.Exception</exception-type>
       <location>/error.faces</location>
   </error-page>
   <!-- 
   <error-page>
        <exception-type>javax.faces.application.ViewExpiredException</exception-type>
        <location>/error.faces</location>
   </error-page>
    -->
 </web-app>

Thank you

Alex Mi
  • Lots here but as for your Session Expiration 1 minute, on most servers that doesn't exactly mean one minute. For example, JBoss puts it in a queue and checks every so often for expired sessions, but it's not exactly the second your session expires. Sometimes it's a minute or two later before the server finds and prunes that session. So it's more of a suggestion than an EXACT time. – Melloware Aug 21 '22 at 17:23
  • @Melloware thanks for your comment. I edited my question and added the runtime environment WildFly 17. If I increase the <session-timeout> to 30, then everything works fine - no problems with both views. So, it must be a session expired problem. Or? – Alex Mi Aug 22 '22 at 04:42
  • It's possible... just debug with a SessionListener I provided below. – Melloware Aug 22 '22 at 11:39

1 Answer

1

Just debug your Session issues with this SessionDebugListener...

import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

import lombok.extern.slf4j.Slf4j;

/**
 * HttpSessionListener to monitor the creation and destruction of JSESSIONs.
 */
@Slf4j
public class SessionDebugListener implements HttpSessionListener {

   @Override
   public void sessionCreated(final HttpSessionEvent se) {
      // Lombok's @Slf4j generates a field named "log" by default
      log.info("Session Created {}", se.getSession().getId());
   }

   @Override
   public void sessionDestroyed(final HttpSessionEvent se) {
      log.info("Session Destroyed {}", se.getSession().getId());
   }

}

web.xml

<web-app ...>
    <listener>
        <listener-class>com.your.SessionDebugListener</listener-class>
    </listener>
</web-app>

Here is a more advanced example: https://www.baeldung.com/httpsessionlistener_with_metrics

Melloware
  • Thanks a lot once again! I debugged my code as suggested by you and found out that the Session is actually destroyed before me pressing the buttons on both pages. But why this behavior in both cases though? Uncommenting my last entry on the web.xml from above javax.faces.application.ViewExpiredException /error.faces seemed to not have changed anything, i.e. the ViewExpiredException is not triggered, although the HttpSession was destroyed, so I am NOT redirected to the error page. Why? – Alex Mi Aug 23 '22 at 02:37
  • Also, in another try, although my session should have already been expired, I currently receive a . Why? – Alex Mi May 19 '23 at 12:22
  • I guess it all depends on which container you are using and did it truly expire your session? Like I said, I have seen JBoss not prune sessions until 1 or 2 minutes AFTER their expiration time. – Melloware May 20 '23 at 13:04
  • Yep, I have checked. The session is being destroyed, see 04:57:25,486 WARN [at.home.digest.utils.SessionDebugListener] (default task-52) Http Session 0tE62LS5WNrkC67M1WZdYr5Ipzx0TNsXRcGIGCqO destroyed But then, when I click on the page, simply nothing happens. I see in the logs though, that new session is being created: 05:09:12,571 WARN [at.home.digest.utils.SessionDebugListener] (default task-52) Http Session gmAJFIPyrI--Pfar9EoqwUMZJ2ZiCpPwppVOSdgB created – Alex Mi May 29 '23 at 03:11
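
A variant of the answer's SessionDebugListener, added here as an example and not code from the answer or from WildFly: on destruction it logs how long the session had been idle against its configured timeout, which separates a container timeout (and how late the pruning ran) from an explicit invalidate(), and it logs a short hash instead of the raw session ID, since a still-valid JSESSIONID copied from a log file can be replayed. The class name SessionTimingListener and the tag() helper are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.logging.Logger;
import javax.servlet.annotation.WebListener;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/** Hypothetical listener (added example): session timing without raw session IDs in the log. */
@WebListener // or register it with a <listener> entry in web.xml, not both
public class SessionTimingListener implements HttpSessionListener {

   private static final Logger LOG = Logger.getLogger(SessionTimingListener.class.getName());

   @Override
   public void sessionCreated(final HttpSessionEvent se) {
      final HttpSession s = se.getSession();
      LOG.info(String.format("Session %s created, timeout=%ds", tag(s.getId()), s.getMaxInactiveInterval()));
   }

   @Override
   public void sessionDestroyed(final HttpSessionEvent se) {
      final HttpSession s = se.getSession(); // still readable: called before invalidation completes
      final long idleSec = (System.currentTimeMillis() - s.getLastAccessedTime()) / 1000;
      final int timeoutSec = s.getMaxInactiveInterval();
      // idle >= timeout: the container expired the session (idle - timeout is the pruning delay);
      // idle < timeout: application code called invalidate(), e.g. a logout.
      final String cause = (timeoutSec > 0 && idleSec >= timeoutSec) ? "timeout" : "invalidate()";
      LOG.info(String.format("Session %s destroyed by %s, idle=%ds, timeout=%ds",
            tag(s.getId()), cause, idleSec, timeoutSec));
   }

   /** First 4 bytes of SHA-256 as hex: enough to correlate log lines, useless as a cookie value. */
   static String tag(final String sessionId) {
      try {
         final byte[] d = MessageDigest.getInstance("SHA-256")
               .digest(sessionId.getBytes(StandardCharsets.UTF_8));
         final StringBuilder sb = new StringBuilder();
         for (int i = 0; i < 4; i++) {
            sb.append(String.format("%02x", d[i]));
         }
         return sb.toString();
      } catch (NoSuchAlgorithmException e) {
         throw new IllegalStateException(e); // SHA-256 is required on every Java platform
      }
   }
}
```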