j_security_check and session timeout issue
khundley1 Jan 26, 2007 6:08 PM

I've seen a lot of postings regarding j_security_check problems, but they all seem to be related to calling the login page directly. I am having an issue related to j_security_check after a session timeout occurs. Any help would be appreciated!

Environment - JBoss 4.0.4 GA, Seam 1.0.1 GA, EJB3, Facelets

A user logs into the application, then logs out and leaves the browser open. If they log back in after a session timeout, the error "HTTP Status 400 - Invalid direct reference to form login page" is displayed. However, if the user refreshes the browser after a session timeout and then logs in, the error doesn't occur. The login form is not directly called anywhere in the application. When a user accesses MainPage and is not logged in, they are redirected to Login.jsp. Code snippets are listed below. Any ideas why MainPage is not redirecting to Login.jsp after a session timeout occurs?
Thanks!
web.xml snippet

    <session-config>
        <session-timeout>60</session-timeout>
    </session-config>
    <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
            <form-login-page>/jsp/Login.jsp?failed=false</form-login-page>
            <form-error-page>/jsp/Login.jsp?failed=true</form-error-page>
        </form-login-config>
    </login-config>

faces-config.xml snippet

    <navigation-rule>
        <navigation-case>
            <from-outcome>login</from-outcome>
            <to-view-id>/jsp/Login.jsp</to-view-id>
        </navigation-case>
        <navigation-case>
            <from-outcome>home</from-outcome>
            <to-view-id>/jsf/document/MainPage.xhtml</to-view-id>
            <redirect />
        </navigation-case>
    </navigation-rule>

Login.jsp

    <form name="loginForm" action="j_security_check" method="post">
        <tr>
            <th colspan="2"><div class="dragbar">Login</div></th>
        </tr>
        <tr>
            <td class="label">User Name:</td>
            <td><input type="text" id="j_username" name="j_username" tabindex="1"></td>
        </tr>
        <tr>
            <td class="label">Password:</td>
            <td><input type="password" name="j_password" tabindex="3">
                <input type="submit" value="Login"></td>
        </tr>
    </form>

LogoutAction.java

    import javax.annotation.security.PermitAll;
    import javax.ejb.Stateless;

    import org.jboss.seam.Seam;
    import org.jboss.seam.annotations.Name;

    @Name("logout")
    @Stateless
    @PermitAll
    public class LogoutAction implements Logout {
        public String logout() {
            try {
                Seam.invalidateSession();
            } catch (Exception e) {}
            return "home";
        }
    }
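
A simplified model of the behaviour described in the post above, added here as an illustration; it is not part of the original post and is not JBoss, Tomcat or Seam code. It assumes the container rejects a POST to j_security_check when the session holds no saved request, as the Tomcat form authenticator embedded in JBoss 4.0.x does; the class, field and method names are hypothetical.

```java
import java.util.HashMap;
import java.util.Map;

/** Toy model of container FORM authentication (assumed Tomcat-style saved-request check). */
public class FormAuthTimeoutModel {
    static final long TIMEOUT_MIN = 60;   // <session-timeout> from the web.xml snippet
    static final String PROTECTED = "/jsf/document/MainPage.xhtml";

    // Hypothetical session record: last use, and the request that triggered the login form.
    static class Session { long lastAccess; String savedRequest; }

    final Map<String, Session> sessions = new HashMap<>();
    long now = 0;                         // model clock, in minutes
    int nextId = 1;

    /** Returns the live session for this cookie, or null if unknown or timed out. */
    Session lookup(String cookie) {
        Session s = sessions.get(cookie);
        if (s == null || now - s.lastAccess > TIMEOUT_MIN) { sessions.remove(cookie); return null; }
        s.lastAccess = now;
        return s;
    }

    /** Unauthenticated GET of a protected page: save the request, then show Login.jsp. */
    String getProtected() {
        Session s = new Session();
        s.lastAccess = now;
        s.savedRequest = PROTECTED;       // where to send the user after a successful login
        String cookie = "S" + nextId++;
        sessions.put(cookie, s);
        return cookie;
    }

    /** POST to j_security_check with valid credentials. */
    String postSecurityCheck(String cookie) {
        Session s = lookup(cookie);
        if (s == null || s.savedRequest == null)
            return "400 Invalid direct reference to form login page";
        return "302 " + s.savedRequest;
    }

    public static void main(String[] args) {
        FormAuthTimeoutModel c = new FormAuthTimeoutModel();
        String cookie = c.getProtected(); // logout returns "home"; redirect ends on Login.jsp
        c.now += 61;                      // browser left open past the session timeout
        System.out.println("stale form:   " + c.postSecurityCheck(cookie));
        cookie = c.getProtected();        // refresh re-requests MainPage, new saved request
        System.out.println("after reload: " + c.postSecurityCheck(cookie));
    }
}
```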