1 Reply Latest reply on Sep 29, 2011 2:41 PM by ssilvert

    Does @FormAuthentication obey redirects

    martinuk

      My understanding of the documentation on testing secure pages using @FormAuthentication is that by the time the test executes and form authentication has been successful, if the app automatically redirects to a new viewId from login page, that should be the current viewId by the time the test method executes. In my tests this does not seem to be the case:

       

      @Test

      @InitialPage("/login.xhtml")

      @FormAuthentication(userName = "user", password = "pass", submitComponent = "login", userNameComponent = "username", passwordComponent = "password")

      public void testRedirectOnLogin(JSFSession jsfSession, JSFServerSession server, JSFClientSession client) {

      //server.getCurrentViewID() shows view id to still be /login.xhtml here, whereas app redirects to new viewId on successful login

      }

       

      The new viewId can be hit within the test using:

       

      WebClient webClient = jsfSession.getWebClient();

      webClient.getPage(WebConversationFactory.getWARURL() + "/home.xhtml");

       

      so @FormAuthentication is successful but the normal redirect is not working as expected.

       

      Should a redirect following authentication be followed and viewId be something different within test method, or is my understanding wrong?

        • 1. Re: Does @FormAuthentication obey redirects
          ssilvert

          I think your problem is in your @InitialPage.  The argument should be a JSF page like @InitialPage("/index.jsf").  When you specify @FormAuthentication you are saying that the JSF page is protected by a form.  So when you request http://mydomain/myapp/index.jsf you will be presented with a form.  If JSFUnit does a successfull login you will be redirected to index.jsf.  At this point JSFUnit returns control to the test and the proper view should be returned from getCurrentViewID().

           

          If your application is not using the "protected page" idiom then you might need to implement your own InitialRequestStrategy.

           

          Stan