Authorization redirect on session expiration does not work on submitting a JSF form, page stays the same

by

Your concrete problem is most likely caused because your JSF command link/button is actually sending an ajax request which in turn expects a special XML response. If you’re sending a redirect as response to an ajax request, then it would just re-send the ajax request to that URL. This in turn fails without feedback because the redirect URL returns a whole HTML page instead of a special XML response. You should actually be returning a special XML response wherein the JSF ajax engine is been instructed to change the current window.location.

But you’ve actually bigger problems: using the wrong tool for the job. You should use a servlet filter for the job, not a homegrown servlet and for sure not one which supplants the FacesServlet who is the responsible for all the JSF works.

Assuming that you’re performing the login in a request/view scoped JSF backing bean as follows (if you’re using container managed authentication, see also 2nd example of Performing user authentication in Java EE / JSF using j_security_check):

externalContext.getSessionMap().put("user", user);

Then this kickoff example of a filter should do:

@WebFilter("/*") // Or @WebFilter(servletNames={"facesServlet"})
public class AuthorizationFilter implements Filter {

    private static final String AJAX_REDIRECT_XML = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
        + "<partial-response><redirect url=\"%s\"></redirect></partial-response>";

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws ServletException, IOException {    
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(false);
        String loginURL = request.getContextPath() + "/login.xhtml";

        boolean loggedIn = (session != null) && (session.getAttribute("user") != null);
        boolean loginRequest = request.getRequestURI().equals(loginURL);
        boolean resourceRequest = request.getRequestURI().startsWith(request.getContextPath() + ResourceHandler.RESOURCE_IDENTIFIER + "https://stackoverflow.com/");
        boolean ajaxRequest = "partial/ajax".equals(request.getHeader("Faces-Request"));

        if (loggedIn || loginRequest || resourceRequest)) {
            if (!resourceRequest) { // Prevent browser from caching restricted resources. See also https://stackoverflow.com/q/4194207/157882
                response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1.
                response.setHeader("Pragma", "no-cache"); // HTTP 1.0.
                response.setDateHeader("Expires", 0); // Proxies.
            }

            chain.doFilter(request, response); // So, just continue request.
        }
        else if (ajaxRequest) {
            response.setContentType("text/xml");
            response.setCharacterEncoding("UTF-8");
            response.getWriter().printf(AJAX_REDIRECT_XML, loginURL); // So, return special XML response instructing JSF ajax to send a redirect.
        }
        else {
            response.sendRedirect(loginURL); // So, just perform standard synchronous redirect.
        }
    }

    // ...
}

See also:

More Related Contents:

  1. Migrating from JSF 1.2 to JSF 2.0
  2. Recommended JSF 2.0 CRUD frameworks [closed]
  3. Can I update a JSF component from a JSF backing bean method?
  4. JSF convertDateTime renders the previous day
  5. i18n with UTF-8 encoded properties files in JSF 2.0 application
  6. Execute managebean method from javascript onload event
  7. Get current page programmatically
  8. JSF 2.0 set locale throughout session from browser and programmatically [duplicate]
  9. JSF 2: How show different ajax status in same input?
  10. Generic JSF entity converter [duplicate]
  11. Prevent suffix from being added to resources when page loads
  12. Using JSF 2.0 / Facelets, is there a way to attach a global listener to all AJAX calls?
  13. how to share a jsf error page between multiple wars
  14. @EJB in @ViewScoped managed bean causes java.io.NotSerializableException
  15. Recursion in JSF (c:forEach vs. ui:repeat)
  16. How implement a login filter in JSF?
  17. Alternative to ui:fragment in JSF
  18. By default, JSF generates unusable IDs, which are incompatible with the CSS part of web standards
  19. How to implement a possibility for user to post some html-formatted data in a safe way?
  20. JSF backing bean structure (best practices)
  21. JSF backing bean should be serializable?
  22. Field.get(obj) returns all nulls on injected CDI managed beans, while manually invoking getters return correct values
  23. Invoke method just before session expires
  24. Adding faces message to redirected page using ExternalContext.redirect()
  25. How to send byte[] as pdf to browser in java web application?
  26. How to call a RESTful web service from Android?
  27. When to move from Container managed security to alternatives like Apache Shiro, Spring Security?
  28. JSF 2 – Bean Validation: validation failed -> empty values are replaced with last valid values from managed bean
  29. JSF tags not rendered [duplicate]
  30. is meta http-equiv value cache control is not supported?

Leave a Comment