[jboss-user] [Security & JAAS/JBoss] - j_security_check and session timeout issue
khundley1
do-not-reply at jboss.com
Fri Jan 26 18:08:26 EST 2007
I've seen a lot of postings regarding j_security_check problems, but they all seem to be related to calling the login page directly. I am having an issue related to j_security_check after a session timeout occurs. Any help would be appreciated!
Environment - JBoss 4.0.4 GA, Seam 1.0.1 GA, EJB3, Facelets
A user logs into the application, then logs out and leaves the browser open. If they log back in after a session timeout, the error "HTTP Status 400 - Invalid direct reference to form login page" is displayed. However, if the user refreshes the browser after a session timeout and then logs in, the error doesn't occur. The login form is not directly called anywhere in the application. When a user accesses MainPage and is not logged in, they are redirected to Login.jsp. Code snippets are listed below. Any ideas why MainPage is not redirecting to Login.jsp after a session timeout occurs?
Thanks!
web.xml snippet
| <session-config>
|     <session-timeout>60</session-timeout>
| </session-config>
| <login-config>
|     <auth-method>FORM</auth-method>
|     <form-login-config>
|         <form-login-page>/jsp/Login.jsp?failed=false</form-login-page>
|         <form-error-page>/jsp/Login.jsp?failed=true</form-error-page>
|     </form-login-config>
| </login-config>
faces-config.xml snippet
| <navigation-rule>
|     <navigation-case>
|         <from-outcome>login</from-outcome>
|         <to-view-id>/jsp/Login.jsp</to-view-id>
|     </navigation-case>
|     <navigation-case>
|         <from-outcome>home</from-outcome>
|         <to-view-id>/jsf/document/MainPage.xhtml</to-view-id>
|         <redirect />
|     </navigation-case>
| </navigation-rule>
Login.jsp
| <form name="loginForm" action="j_security_check" method="post">
|     <tr>
|         <th colspan="2"><div class="dragbar">Login</div></th>
|     </tr>
|     <tr>
|         <td class="label">User Name:</td>
|         <td><input type="text" id="j_username" name="j_username" tabindex="1"></td>
|     </tr>
|     <tr>
|         <td class="label">Password:</td>
|         <td><input type="password" name="j_password" tabindex="3"> <input type="submit" value="Login"></td>
|     </tr>
| </form>
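LogoutAction.java
| import javax.annotation.security.PermitAll;
| import javax.ejb.Stateless;
| import org.jboss.seam.Seam;
| import org.jboss.seam.annotations.Name;
|
| @Name("logout")
| @Stateless
| @PermitAll
| public class LogoutAction implements Logout {
|     public String logout() {
|         try {
|             // Ends the HTTP session, dropping the authenticated state.
|             Seam.invalidateSession();
|         } catch (Exception e) {
|             // Any failure to invalidate is silently ignored here.
|         }
|         // "home" redirects to the protected MainPage.xhtml (see faces-config.xml).
|         return "home";
|     }
| }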
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4007061#4007061
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4007061
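
The sequence described in the post, reproduced with a simplified model of container-managed FORM login (an added example, not part of the original post and not JBoss or Tomcat code). It assumes the container keeps the originally requested URL in the HTTP session and needs it when j_security_check is posted; the Container class, scenario function and sample credentials are hypothetical.

```python
# Simplified model of container FORM login; added illustration, not container code.
# Assumption: the original protected URL is kept in the session until login completes.
import itertools

TIMEOUT_MIN = 60                          # <session-timeout> in the post's web.xml
MAIN = "/jsf/document/MainPage.xhtml"     # protected page named in the post
USERS = {"alice": "s3cret"}               # constructed sample credentials

class Container:
    def __init__(self):
        self.sessions = {}                # session id -> session state
        self._ids = itertools.count(1)

    def _session(self, sid, now):
        s = self.sessions.get(sid)
        if s is None or now - s["last"] >= TIMEOUT_MIN:   # unknown or expired cookie
            self.sessions.pop(sid, None)
            sid = next(self._ids)
            s = self.sessions[sid] = {"last": now, "saved_request": None, "user": None}
        s["last"] = now
        return sid, s

    def get_protected(self, sid, url, now):
        sid, s = self._session(sid, now)
        if s["user"]:
            return sid, 200, url
        s["saved_request"] = url          # remembered so login can return here
        return sid, 200, "/jsp/Login.jsp?failed=false"

    def post_j_security_check(self, sid, user, password, now):
        sid, s = self._session(sid, now)  # a stale form arrives with a dead session
        if USERS.get(user) != password:
            return sid, 200, "/jsp/Login.jsp?failed=true"
        if s["saved_request"] is None:    # nothing to return to: the reported error
            return sid, 400, "Invalid direct reference to form login page"
        s["user"] = user
        return sid, 302, s["saved_request"]

def scenario(refresh_first, idle_min=90):
    c = Container()
    sid, _, _ = c.get_protected(None, MAIN, now=0)   # after logout: login form shown
    if refresh_first:                                # browser refresh before logging in
        sid, _, _ = c.get_protected(sid, MAIN, idle_min)
    return c.post_j_security_check(sid, "alice", "s3cret", idle_min)[1:]
```

In this model the login form left open past the timeout posts into a fresh session that has no saved request, while a refresh first re-requests MainPage and stores one.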