-
1. Re: RememberMe with autoLogin mode (token based) still redirects to login page
fesi Feb 22, 2010 3:31 PM (in response to fesi)
I see two possible work-arounds for this problem:
1. Replace the Pages component by your own implementation, which replaces the method isLoginRedirectRequired(String viewId, Page page) as follows:
Old:

    private boolean isLoginRedirectRequired(String viewId, Page page) {
        return page.isLoginRequired()
            && !viewId.equals( getLoginViewId() )
            && !Identity.instance().isLoggedIn();
    }

New:

    private boolean isLoginRedirectRequired(String viewId, Page page) {
        if (page.isLoginRequired()
                && !viewId.equals( getLoginViewId() )
                && !Identity.instance().isLoggedIn()) {
            notLoggedIn();
            if (!Identity.instance().isLoggedIn()) {
                return true;
            }
        }
        return false;
    }

Unfortunately this method is private, so you cannot just override it :-(
2. Add a page action to the login page, which fires an org.jboss.seam.security.loginSuccessful event, if the user is already logged in, resulting in a call to Redirect.redirectToCapturedView().
I chose the second approach. (Note: I replaced the org.jboss.seam.security.postAuthenticate event from the original snippet by the org.jboss.seam.security.loginSuccessful event.)
Felix
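The second work-around described in the post above, sketched as an added example (not code from the original post or from Seam itself). The component name `alreadyLoggedInRedirect` and its method `check` are hypothetical, the login view id is the one used in the exception handler quoted later in this thread, and an observer that returns to the captured view on `org.jboss.seam.security.loginSuccessful` is assumed to be configured already.

```java
import org.jboss.seam.ScopeType;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.annotations.Scope;
import org.jboss.seam.core.Events;
import org.jboss.seam.security.Identity;

/*
 * Assumed wiring in pages.xml (hypothetical component and method names):
 *
 *   <page view-id="/view/core/login.xhtml"
 *         action="#{alreadyLoggedInRedirect.check}"/>
 */
@Name("alreadyLoggedInRedirect") // hypothetical component name
@Scope(ScopeType.EVENT)
public class AlreadyLoggedInRedirect {

    // Event name taken from the post; it is the event Seam raises after a
    // successful interactive login.
    private static final String LOGIN_SUCCESSFUL =
        "org.jboss.seam.security.loginSuccessful";

    /**
     * Page action for the login view. By the time the login page is
     * requested, the token-based auto-login may already have authenticated
     * the user. In that case re-fire the login-successful event so the
     * existing observer sends the user back to the captured view.
     */
    public void check() {
        Identity identity = Identity.instance();

        // Only act for an authenticated session. An anonymous user falls
        // through and the login form renders as usual, so this action never
        // grants access by itself.
        if (identity.isLoggedIn()) {
            Events.instance().raiseEvent(LOGIN_SUCCESSFUL);
        }
    }
}
```

Every observer of `org.jboss.seam.security.loginSuccessful` runs again when this action fires, so any login auditing or counters attached to that event will record an extra entry for the auto-login case.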
-
2. Re: RememberMe with autoLogin mode (token based) still redirects to login page
fesi Feb 22, 2010 4:14 PM (in response to fesi)
A similar problem arises when a component is secured using the @Restrict annotation. The Seam online documentation recommends adding an exception handler for the NotLoggedInException, redirecting to the login page.

    <exception class="org.jboss.seam.security.NotLoggedInException" log="false">
        <redirect view-id="/view/core/login.xhtml" />
    </exception>

Before a call to a method of the secured component is executed, Seam calls Identity.checkRestriction(elExpr), which evaluates the EL expression defined in the @Restrict annotation. If the check fails because the user is not logged in, the org.jboss.seam.security.notLoggedIn event is fired followed by the NotLoggedInException being thrown. If the auto-login process is triggered by the org.jboss.seam.security.notLoggedIn event resulting in the user being logged in, the NotLoggedInException should no longer be thrown, but it is, thus redirecting the user to the login page again. This is quite annoying and the log-files are filled up with huge stack traces caused by the NotLoggedInException, which doesn't really indicate an exceptional state in this particular case.
Felix