Java EE (Java Enterprise Edition) General Discussion

[ISSUE & HOWTO] JSF Login: handling back button and previous requested url

843844 · Apr 27 2010 — edited Apr 29 2010

Hello JSF Community, I have a few questions to put.
I'm new to JSF and I have a project to make. I already searched the entire web (for 3 long days) before I came here.

I saw some tutorials on how to implement a login system (a very useful one was from Mr BalusC). I implemented the filters and beans to make the login and everything works fine. If I try to access a page without sessionBean != null it sends me to welcome.jsp.

Problem 1:
However, the problem starts when I do the login. In the pageflow, if login is successful it sends me to home.jsp. But if I go back (using backspace or the browser's back button) it shows me the login form again (and consequently the user is able to duplicate the session).
What I want is to disable the form if the user is logged in, or expire the session. I searched the entire web and tried everything (no caching, etc.) but the browser's history is different from not caching system.
There are millions of login systems that handle this issue but I don't know how they do it. I mean, what is the correct way to handle this? I made an if condition in the JSP page to render the form only if the user isn't logged in, but when I go back it stands still until I reload it and it disappears (perfect, but not enough).

Some platforms, when going back in navigation, expire the session, others expire pages and others keep the user on the home page. Could I get some help from you guys?
I also tried addHeader() to send no-cache for the page inside the login form.

Problem 2:
Like most websites, if I pass a link to a friend and he clicks it, he goes to the login page, logs in and then is redirected to that previous link. How can I do that?

Where can I find a good tutorial about web.xml attributes? Like the dispatchers (INCLUDE, REQUEST, ...) parameters; I would like to know what they do.

Here is my login and logout function in SessionBean.java:

	public String login(){
		CommonSecurity ca = new CommonSecurity();
		LoginAgent la = new LoginSecurity();
		// reject missing credentials and a password identical to the username
		if(password != null && username != null && !la.isInformationEqual(username, password)){
			assertUsername();
			// the username must be an e-mail address
			if(!ca.isEmail(username))
				return "failed";
			Login login = new LoginAction();
			if(login.loginUser(this)){
				expirationDate = new Date();
				FacesContext fc = FacesContext.getCurrentInstance();

				HttpSession session = (HttpSession)fc.getExternalContext().getSession(false);

				// do not keep the password in the session-scoped bean
				password = null;
				isLogged = true;
				session.setAttribute("logged", this);
				return "logged";
			}
			return "failed";
		}
		return "failed";
	}

	public String logout(){
		FacesContext fc = FacesContext.getCurrentInstance();
		HttpSession session = (HttpSession)fc.getExternalContext().getSession(false);
		// getSession(false) returns null when the session has already expired
		if(session != null){
			session.removeAttribute("logged");
			session.removeAttribute("alreadyLogged");
			// expire the session
			session.invalidate();
		}
		return "logout";
	}

The sessionFilter:

	public void doFilter(ServletRequest arg0, ServletResponse arg1,
			FilterChain arg2) throws IOException, ServletException {
		if(filterConfig == null)
			return;

		HttpServletRequest request = (HttpServletRequest) arg0;
		HttpServletResponse response = (HttpServletResponse) arg1;

		HttpSession session = request.getSession();
		SessionBean isLogged = (SessionBean) session.getAttribute("logged");

		// a redirect commits the response, so each branch that redirects
		// must return instead of falling through to the filter chain
		if(isLogged == null){
			response.sendRedirect("welcome.jsf");
			return;
		}else{
			if(request.getRequestURI().indexOf("welcome.jsf") != -1){
				response.sendRedirect("home.jsf");
				return;
			}else{
				String url = (String) session.getAttribute("previousRequestedURL");
				if(url != null){
					response.sendRedirect(url);
					return;
				}
			}
		}

		arg2.doFilter(arg0, arg1);
	}

The form and login page:

<f:subview id="login_view_id">
	<% if(session.getAttribute("alreadyLogged") == null){ %>
		<h:form id="login_form_id">
			<h:panelGrid title="Login" columns="3">
				<h:outputLabel value="Username"></h:outputLabel>
				<h:inputText value="#{sessionBean.username}" required="true" id="input_usrname_id"></h:inputText>
				<h:message for="input_usrname_id"></h:message>
				<h:outputLabel value="Password"></h:outputLabel>
				<h:inputSecret value="#{sessionBean.password}" required="true" id="input_password_id">
					<f:converter converterId="passwordConverter"/>
				</h:inputSecret>
				<h:message for="input_password_id"></h:message>
			</h:panelGrid>
			<h:commandButton value="Login" id="login_button_id" styleClass="button_class" action="#{sessionBean.login}"></h:commandButton>
		</h:form>
	<% } %>
</f:subview>

My save state is on the server because I read that it was more secure because we don't pass too much information to the client.
Could I get some help?

Regards, Tiago.

Edited by: t.pateiro on Apr 27, 2010 9:20 AM
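
An added example, not part of the original post and not the poster's code: one way a filter can cover both problems, by sending no-cache headers so Back always reaches the server, bouncing logged-in users off the login form, and saving the requested page as an in-application path built server-side (never from a request parameter, which would allow an open redirect). It assumes FacesServlet and this filter are both mapped to `*.jsf`; the `popSavedTarget` helper is hypothetical, while the attribute and page names come from the post.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example. Assumes *.jsf extension mapping for FacesServlet and this filter.
public class SessionFilter implements Filter {
    static final String SAVED = "previousRequestedURL";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) rq;
        HttpServletResponse response = (HttpServletResponse) rs;
        // Keep the browser from showing a stored copy on Back, so every
        // visit to the login form or a protected page reaches this filter.
        response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
        response.setHeader("Pragma", "no-cache");
        response.setDateHeader("Expires", 0);

        String path = request.getServletPath();          // e.g. "/home.jsf"
        boolean loginPage = "/welcome.jsf".equals(path);
        HttpSession session = request.getSession(false);
        boolean logged = session != null && session.getAttribute("logged") != null;

        if (!logged && !loginPage) {
            // Save only GET targets, as a path relative to this application.
            if ("GET".equals(request.getMethod())) {
                String q = request.getQueryString();
                request.getSession().setAttribute(SAVED, q == null ? path : path + "?" + q);
            }
            response.sendRedirect(request.getContextPath() + "/welcome.jsf");
            return;
        }
        if (logged && loginPage) {
            // Back button onto the login form while logged in: go home instead.
            response.sendRedirect(request.getContextPath() + "/home.jsf");
            return;
        }
        chain.doFilter(rq, rs);
    }

    // Hypothetical helper for the login action: returns the saved path
    // exactly once, or the default home page when nothing was saved.
    public static String popSavedTarget(HttpSession session) {
        String saved = (String) session.getAttribute(SAVED);
        session.removeAttribute(SAVED);
        return saved != null ? saved : "/home.jsf";
    }
}
```

After a successful login, the bean would redirect (rather than forward) to the context path plus `SessionFilter.popSavedTarget(session)`, for instance through `ExternalContext.redirect`, so that Back lands on a GET of `welcome.jsf` that the filter sends to `home.jsf`.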