[jbossseam-issues] [JBoss JIRA] Commented: (JBSEAM-1860) login-required and no-conversation-view-id causes infinite redirect after session timeout on POST request

Jacob Orshalick (JIRA) jira-events at lists.jboss.org
Thu Aug 30 19:53:18 EDT 2007


    [ http://jira.jboss.com/jira/browse/JBSEAM-1860?page=comments#action_12374705 ] 
            
Jacob Orshalick commented on JBSEAM-1860:
-----------------------------------------

It turns out that this issue stems from using client side state-saving with JSF.  When I change my application to server side state-saving it functions as expected.  It appears that with client side state-saving, the FacesPage instance is restored from the context even if the session timed out.  If a long-running conversation is in progress this becomes a problem due to the following execution in the SeamPhaseListener:

...
protected void afterRestoreView(FacesContext facesContext)
{
   FacesLifecycle.resumePage();
   Map parameters = facesContext.getExternalContext().getRequestParameterMap();

   /* The next call restores the FacesPage and sets
      ConversationPropagation.validateLongRunningConversation = true
      if client side state-saving is turned on and a long-running conversation
      was in progress before the session timeout */
   ConversationPropagation.instance().restoreConversationId(parameters);

   /* The next call returns a false value because
      ConversationPropagation.validateLongRunningConversation
      was set to true but the conversation does not exist (since the session timed out) */
   boolean conversationFound = Manager.instance().restoreConversation();
   FacesLifecycle.resumeConversation( facesContext.getExternalContext() );

   /* postRestorePage now ends up trying to redirect to the no-conversation-view-id, which is not
      what we really wanted.  Once the redirect occurs, if a login is required on the page being
      redirected to, another redirect to the login page is attempted, which results in the
      IllegalStateException (since 2 redirects cannot occur in the same request) */
   postRestorePage(facesContext, parameters, conversationFound);
}
...

Hope this helps.  A work-around is to use server-side state saving if your application allows.  Please let me know if you have any other questions.

> login-required and no-conversation-view-id causes infinite redirect after session timeout on POST request
> ---------------------------------------------------------------------------------------------------------
>
>                 Key: JBSEAM-1860
>                 URL: http://jira.jboss.com/jira/browse/JBSEAM-1860
>             Project: JBoss Seam
>          Issue Type: Bug
>    Affects Versions: 2.0.0.BETA1
>            Reporter: Jacob Orshalick
>         Assigned To: Shane Bryzak
>             Fix For: 2.0.0.CR1
>
>
> When a page is set up as login-required="true" in pages.xml and a no-conversation-view-id is specified, an infinite redirect occurs if the session times out and a POST request is then made by the user. Here is a snippet of my pages.xml configuration:
> <pages login-view-id="/common/login.jsp">
> 	<!-- Security configuration -->
> 	<page view-id="*" scheme="http"/>
> 	
> 	<page view-id="/administration/*" scheme="http" login-required="true">
> 		<restrict>#{s:hasRole('Administrator')}</restrict>
> 	</page>
> 	
> 	<page view-id="/status/*" login-required="true" no-conversation-view-id="/status/search.xhtml">
> 		<restrict>#{s:hasRole('appRole')}</restrict>
> 	</page>
> When accessing a page under /status/* the first access always redirects to login.jsp as expected. The user then logs in and continues working with the application. If the HTTP session is then allowed to time out, a GET request will behave as expected and redirect to the login.jsp. A POST on the other hand will cause an infinite redirect.  The stacktrace can be found at the forum reference.
> If the no-conversation-view-id is removed, the redirect works as expected but of course an error occurs if you return to a page that requires a conversation after logging in.
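
The work-around named in the comment above, shown as an added example (not part of the original message or of the Seam code base): JSF selects its state-saving mode through the standard javax.faces.STATE_SAVING_METHOD context parameter in web.xml. The placement inside an existing <web-app> element is assumed.

```xml
<!-- Goes inside the application's existing <web-app> element in WEB-INF/web.xml. -->

<!-- Setting the comment identifies as the trigger: the component tree and the
     page-scoped state that Seam attaches to it travel in a hidden form field,
     so a POST made after the HTTP session has expired still carries them.

<context-param>
    <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
    <param-value>client</param-value>
</context-param>
-->

<!-- Work-around: keep view state on the server, in the HTTP session. -->
<context-param>
    <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
    <param-value>server</param-value>
</context-param>
```

With the value set to server, the saved view is held in the HTTP session and is gone once that session times out, which matches the behaviour the comment reports after switching modes.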
