Dowemo
0 0 0 0


Question:

I have three JSF 2.0 web modules and I need to redirect to the login page when the session expires.

I have tried it using a HttpSessionListener, it is calling the sessionDestroyed() event method, but I am not able to forward/redirect the request in there. I think it is becasue there are no HttpServletRequest and HttpServletResponse objects.

I also tried it using a PhaseListener, but it results in a "too many redirects" error in the webbrowser.

public class SessionListener implements PhaseListener {
    public PhaseId getPhaseId() {
        return PhaseId.RESTORE_VIEW;
    }
    public void beforePhase(PhaseEvent event) {
        if (!FacesContext.getCurrentInstance().isPostback()) {
            try {
                System.out.println("Session Destroyed");
                FacesContext.getCurrentInstance().getExternalContext().redirect("login.jsf");
            }
            catch (Exception e) {
                System.out.println("error" + e);
            }
        }
    }
    public void afterPhase(PhaseEvent event)  {
        try {
            System.out.println("Session Created");
        }
        catch (Exception e) {
            System.out.println("error" + e);
        }
    }
}

Why do those attempts not work and how can I solve it the best?


Best Answer:


It's not possible to send a redirect at exactly the moment when the session is expired. The client has namely not sent any HTTP request at that moment which you could then respond with a redirect.

You should just keep your existing authentication mechanism which redirects to the login page when the user is not logged-in anymore. You can at best improve it by adding a check if the user is been redirected to the login page because the session has been expired, or just because he has never logged in before (i.e. it's a fresh new request).

You can check for that by if HttpServletRequest#getRequestedSessionId() doesn't return null (which means that the client has sent a session cookie and thus assumes that the session is still valid) and HttpServletRequest#isRequestedSessionIdValid() returns false (which means that the session has been expired at the server side). You can do that in the very same filter where you're checking for the logged-in user (you do already have one, right? or are you using container managed authentication?).

User user = (User) session.getAttribute("user");
if (user == null) {
    String loginURL = request.getContextPath() + "/login.jsf";
    if (request.getRequestedSessionId() != null && !request.isRequestedSessionIdValid()) {
        response.sendRedirect(loginURL + "?expired=true");
    } else {
        response.sendRedirect(loginURL);
    }
} else {
    chain.doFilter(request, response);
}

And then in the login.xhtml page check for it

<h:panelGroup rendered="#{param.expired}">
    <p>You have been redirected to the login page, because your session was expired.</p>
</h:panelGroup>

Your phase listener approach makes by the way no sense. It indeed sends a redirect on every single request causing it to run in an infinite loop. The restore view phase has absolutely nothing to do with the session expiration.




Copyright © 2011 Dowemo All rights reserved.    Creative Commons   AboutUs