I have a web application that logs users in using a @SessionScoped managed bean. It's all the basic stuff, pretty much like this: a user logs in using a regular HTTP form and gets redirected to the user area (which is protected using a filter). But if any resource in that area is accessed, the request somehow uses a new session, which has no managed bean and no user, and the filter does its job, redirecting the user to the login page.
Here's the login form:

    <h:form>
        <h:outputLabel for="email" value="Email "/>
        <p:inputText id="email" size="30" value="#{loginManager.email}"/>
        <h:outputLabel for="password" value="Password "/>
        <p:password id="password" size="12" value="#{loginManager.password}"/>
        <p:commandButton value="Login" action="#{loginManager.login()}"/>
    </h:form>

The loginManager managed bean:

    import java.io.Serializable;
    import javax.ejb.EJB;
    import javax.faces.bean.ManagedBean;
    import javax.faces.bean.SessionScoped;
    import javax.faces.context.FacesContext;

    @ManagedBean
    @SessionScoped
    public class LoginManager implements Serializable {
        @EJB private UserService userService;
        private User user;
        private String email;
        private String password;

        public String login() {
            user = userService.findBy(email, password);
            if (user == null) {
                // FacesMessage stuff
                return null; // stay on the login page
            } else {
                return "/user/welcome.xhtml?faces-redirect=true";
            }
        }

        public String logout() {
            FacesContext.getCurrentInstance().getExternalContext().invalidateSession();
            return "/index.xhtml?faces-redirect=true";
        }

        // Getters, setters (no setter for user) and serialVersionUID
    }

And then comes the filter that protects the user area:

    import java.io.IOException;
    import javax.servlet.*;
    import javax.servlet.annotation.WebFilter;
    import javax.servlet.http.*;

    @WebFilter(urlPatterns="/user/*", displayName="UserFilter")
    public class UserFilter implements Filter {
        @Override
        public void doFilter(ServletRequest request, ServletResponse response,
                FilterChain chain) throws IOException, ServletException {
            HttpSession session = ((HttpServletRequest) request).getSession(false);
            // getSession(false) returns null when the request carries no valid session
            LoginManager loginManager = (session == null) ? null
                    : (LoginManager) session.getAttribute("loginManager");
            if (loginManager == null || !loginManager.hasUser()) {
                HttpServletResponse resp = (HttpServletResponse) response;
                resp.sendRedirect("index.xhtml");
                return; // stop here so the code below never sees a null loginManager
            }
            final User user = loginManager.getUser();
            if (user.isValid()) {
                chain.doFilter(request, response);
            } else {
                HttpServletResponse resp = (HttpServletResponse) response;
                resp.sendRedirect("index.xhtml");
            }
        }
    }

The UserService is just a stateless EJB that handles persistence.
Part of the JSF for user area:

    <h:form>
        <p:panelMenu>
            <p:submenu label="Items">
                <p:menuitem value="Add item" action="#{userItens.addItems}" ajax="false"/>
                <p:menuitem value="My items" />
            </p:submenu>
        </p:panelMenu>
    </h:form>

And finally the userItens managed bean.
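
    import javax.annotation.PostConstruct;
    import javax.faces.bean.ManagedBean;
    import javax.faces.bean.RequestScoped;
    import javax.faces.context.FacesContext;
    import javax.servlet.http.HttpSession;

    @ManagedBean
    @RequestScoped
    public class UserItens {
        private User user;

        @PostConstruct
        private void init() {
            HttpSession session = (HttpSession) FacesContext.getCurrentInstance()
                    .getExternalContext().getSession(false);
            if (session == null) {
                return; // no session on this request, so there is no user to load
            }
            LoginManager loginManager =
                    (LoginManager) session.getAttribute("loginManager");
            if (loginManager != null) {
                user = loginManager.getUser();
            }
        }

        public String addItems() {
            // Doesn't get here. Seems like UserFilter comes first, doesn't find
            // an user and redirects.
            return null;
        }
    }
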
I'm using GlassFish and the session timeout is now set to 0.
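
As an added example, not part of the original post: a diagnostic filter for the symptom described above (a request to the user area arriving under a new session). The class name `SessionTraceFilter`, the `/*` mapping and the log format are assumptions; before and after the rest of the chain it logs which session ID the client sent, whether the container accepted it, and whether `loginManager` is stored in the current session.

```java
import java.io.IOException;
import java.util.logging.Logger;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// Hypothetical diagnostic filter: name, mapping and log format are assumptions.
@WebFilter(urlPatterns = "/*", displayName = "SessionTraceFilter")
public class SessionTraceFilter implements Filter {
    private static final Logger LOG = Logger.getLogger(SessionTraceFilter.class.getName());

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        LOG.info("before " + describe(req));
        try {
            chain.doFilter(request, response);
        } finally {
            // A session created or invalidated during the request shows up here.
            LOG.info("after  " + describe(req));
        }
    }

    private static String describe(HttpServletRequest req) {
        HttpSession session = req.getSession(false); // never creates a session
        return String.format(
            "%s %s requested=%s valid=%b viaCookie=%b viaUrl=%b current=%s new=%s loginManager=%s",
            req.getMethod(), req.getRequestURI(),
            tag(req.getRequestedSessionId()),      // ID the client sent, if any
            req.isRequestedSessionIdValid(),       // did the container accept it?
            req.isRequestedSessionIdFromCookie(),
            req.isRequestedSessionIdFromURL(),
            session == null ? "none" : tag(session.getId()),
            session == null ? "n/a" : String.valueOf(session.isNew()),
            session == null ? "n/a"
                : String.valueOf(session.getAttribute("loginManager") != null));
    }

    // Session IDs are credentials: log a short hash for correlation, never the raw ID.
    private static String tag(String id) {
        return id == null ? "none" : Integer.toHexString(id.hashCode());
    }
}
```

The order of filters declared with `@WebFilter` is not defined; to make sure this one runs before `UserFilter`, declare both in `web.xml`, where the order of the `<filter-mapping>` elements sets the chain order.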