5 Replies Latest reply on Feb 27, 2011 7:07 PM by kragoth

    Issue with "auto-logout"

    tomwhitner

      I just discovered that a commented out commandlink with action="#{identity.logout()}" on an xhtml page will cause Seam to log out the user every time the page is processed.


      <html xmlns="http://www.w3.org/1999/xhtml"
           xmlns:ui="http://java.sun.com/jsf/facelets"
           xmlns:h="http://java.sun.com/jsf/html">
      <body>
       <h2>Welcome</h2>
       <h:form>
        <!-- 
        <h:commandLink rendered="#{identity.isLoggedIn()}" 
           action="#{identity.logout()}">Logout</h:commandLink>
        -->
       </h:form> 
       <h:form>
        <div>
         <h:outputText value="Please enter your username and password:" /> 
         <h:inputText value="#{credentials.username}" /> 
         <h:inputSecret value="#{credentials.password}" />
        </div>
        <div>
         <h:commandButton action="#{identity.login}" value="Login" />
        </div>
        <h:messages styleClass="messages" />
       </h:form>
      </body>
      </html>



      I have created a small sample with the following for my authenticator


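      import javax.ejb.Stateless;
      import org.jboss.seam.annotations.Logger;
      import org.jboss.seam.annotations.Name;
      import org.jboss.seam.annotations.Observer;
      import org.jboss.seam.log.Log;

      @Stateless
      @Name("login")
      public class LoginAction implements Login {
      
           @Logger
           private Log log;
      
           // Sample authenticator: accepts every login attempt.
           public boolean login() {
                return true;
           }
      
           // Logs each successful login event raised by Seam security.
           @Observer("org.jboss.seam.security.loginSuccessful")
           public void onSuccessfulLogin() {
                log.info("Login successful.");
           }
      
           // Logs each logout event raised by Seam security.
           @Observer("org.jboss.seam.security.loggedOut")
           public void onLogout() {
                log.info("User Logged Out.");
           }
      
      }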



      With the command link uncommented, I see


      2011-02-21 14:17:48,924 INFO  [session.LoginAction] (http-127.0.0.1-8080-1) Login successful.
      2011-02-21 14:17:59,267 INFO  [session.LoginAction] (http-127.0.0.1-8080-1) User Logged Out.



      Note the 11 second delay before I pressed the logout button.  When I comment out the command link (as in the example above), I see the following:


      2011-02-21 14:20:40,948 INFO  [session.LoginAction] (http-127.0.0.1-8080-1) Login successful.
      2011-02-21 14:20:40,979 INFO  [session.LoginAction] (http-127.0.0.1-8080-1) User Logged Out.



      Note that I did NOT push the logout button, and the logout happens 21 ms after I pressed login.  Somehow the EL is being processed when the commandlink element is commented out.


      I think this is a defect/bug.  Has anyone seen this?  Is this a known issue?  If so, please point me to more information (Jira, doc, etc.).  Otherwise, I will open an issue in Jira.


      Thanks,
      Tom

        • 1. Re: Issue with "auto-logout"
          kragoth

          If you are using facelets do you have this in your web.xml


          <context-param>
              <param-name>facelets.SKIP_COMMENTS</param-name>
              <param-value>true</param-value>
          </context-param>
          




          If you are not using facelets then....I'd have to have a bit more of a think about this :P


          But, out of curiosity, try the page with just one form and not 2.

          • 2. Re: Issue with "auto-logout"
            cash1981
            Yes I agree.
            It must be this. It's best to uncomment the <h:form> also, and not just the button.
            • 3. Re: Issue with "auto-logout"
              tomwhitner

              Thanks.  I am using facelets and this did the trick...


              <context-param>
                  <param-name>facelets.SKIP_COMMENTS</param-name>
                  <param-value>true</param-value>
              </context-param>



              but it seems to me this should be the default (and maybe only) behavior.  Why is facelets processing HTML comments and executing the EL it finds there?
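
An added example, not part of the thread and not Seam or Facelets code: a small Python check that flags EL expressions sitting inside HTML comments in a Facelets page and confirms that web.xml sets the skip-comments parameter. The function names and sample inputs are constructed; accepting `javax.faces.FACELETS_SKIP_COMMENTS` (the JSF 2 name) alongside the thread's `facelets.SKIP_COMMENTS` is an assumption about the deployment.

```python
import re
import xml.etree.ElementTree as ET

# Context-param names that turn comment skipping on: the one from this thread,
# plus the JSF 2 standard name (assumption: the app may use either).
SKIP_PARAMS = {"facelets.SKIP_COMMENTS", "javax.faces.FACELETS_SKIP_COMMENTS"}
COMMENT = re.compile(r"<!--(.*?)-->", re.DOTALL)
EL = re.compile(r"[#$]\{[^}]*\}")

def skip_comments_enabled(web_xml: str) -> bool:
    """True if web.xml sets a skip-comments context-param to true."""
    root = ET.fromstring(web_xml)
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] != "context-param":
            continue
        # Strip any XML namespace so both namespaced and plain web.xml work.
        fields = {c.tag.rsplit("}", 1)[-1]: (c.text or "").strip() for c in el}
        if fields.get("param-name") in SKIP_PARAMS:
            return fields.get("param-value", "").lower() == "true"
    return False

def el_in_comments(page: str):
    """Return (line_number, expression) for each EL expression inside an HTML comment."""
    hits = []
    for m in COMMENT.finditer(page):
        for e in EL.finditer(m.group(1)):
            line = page.count("\n", 0, m.start(1) + e.start()) + 1
            hits.append((line, e.group(0)))
    return hits

# Constructed sample input, modelled on the page in the first post.
SAMPLE_PAGE = """<h:form>
 <!--
 <h:commandLink rendered="#{identity.isLoggedIn()}"
    action="#{identity.logout()}">Logout</h:commandLink>
 -->
</h:form>
<h:commandButton action="#{identity.login}" value="Login" />
"""
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
 <context-param>
  <param-name>facelets.SKIP_COMMENTS</param-name>
  <param-value>true</param-value>
 </context-param>
</web-app>"""

if __name__ == "__main__":
    print("EL inside comments:", el_in_comments(SAMPLE_PAGE))
    print("SKIP_COMMENTS enabled:", skip_comments_enabled(SAMPLE_WEB_XML))
```

Any hit from `el_in_comments` on an application where `skip_comments_enabled` returns False is worth reviewing, since the thread shows such expressions being evaluated.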

              • 4. Re: Issue with "auto-logout"
                tomwhitner

                BTW, the reason for the two forms was that in the original application that I was debugging, I had the logout button in a template which required the second form.

                • 5. Re: Issue with "auto-logout"
                  kragoth

                  Multiple forms can get really nasty to deal with. If it is early enough in the dev cycle to change to one form I would recommend that. If not, oh well....fun times are ahead :)