2 Replies Latest reply on Feb 4, 2008 7:32 PM by shane.bryzak

    Login issue

    baspet

      Hi,
      I am facing a strange behaviour running the scenario below:
      a) user supplied valid username - password and successfully logged in
      b) press back button on browser
      c) relogin supplying invalid username or password
      d) successfully logs in!!

      It seems that Seam 'remembers' that the user was already logged in and doesn't call the authenticate method, allowing a non-existent user to enter. Is that expected?

      A workaround is to override org.jboss.seam.security.Identity.Identity and call the login method as follows:

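      import static org.jboss.seam.ScopeType.SESSION;
      import static org.jboss.seam.annotations.Install.APPLICATION;

      import org.jboss.seam.annotations.Install;
      import org.jboss.seam.annotations.Name;
      import org.jboss.seam.annotations.Scope;
      import org.jboss.seam.annotations.Startup;
      import org.jboss.seam.annotations.intercept.BypassInterceptors;
      import org.jboss.seam.security.Identity;

      // Replaces the built-in identity component for the whole application.
      @Name("org.jboss.seam.security.identity")
      @Scope(SESSION)
      @Install(precedence = APPLICATION)
      @BypassInterceptors
      @Startup
      public class AppIdentity extends Identity {

          @Override
          public String login() {
              // Drop the current authenticated state so the credentials are checked again.
              unAuthenticate();
              return super.login();
          }

      }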


      I just wonder why unAuthenticate() is not called through Identity.login().

      V.


        • 1. Re: Login issue
          shane.bryzak

          Well of course Seam 'remembers' - authentication is session scoped and simply hitting the back button won't destroy your session. If the user is already authenticated then calling Identity.login() again won't re-authenticate the user again. If you want that kind of behaviour then you'll need to create a page action that calls Identity.logout(). The best I can do if the user is already authenticated is to return a message stating so.

          • 2. Re: Login issue
            shane.bryzak

            Actually a page action won't be invoked if you hit the browser back button, but I've made changes in SVN that will now generate a message if you're already authenticated and try to log in again.
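
The behaviour discussed in this thread, as an added example that is not part of the original posts and is not Seam's code: a self-contained Java model of a session-scoped identity, showing the short-circuiting login next to the re-authenticating variant from the workaround. The class `SessionIdentity`, its methods and the sample credentials are hypothetical and constructed for illustration.

```java
import java.util.Map;

// Hypothetical model of a session-scoped identity; this is NOT Seam's Identity class.
public class SessionIdentity {
    private final Map<String, String> credentialStore; // constructed sample data
    private String username;
    private String password;
    private String principal; // non-null while the session is authenticated

    SessionIdentity(Map<String, String> credentialStore) {
        this.credentialStore = credentialStore;
    }

    void setCredentials(String u, String p) { username = u; password = p; }
    boolean isLoggedIn() { return principal != null; }
    String getPrincipal() { return principal; }

    private boolean authenticate() {
        return username != null && password != null
                && password.equals(credentialStore.get(username));
    }

    private String doLogin() {
        if (!authenticate()) return null; // rejected: no outcome, no principal
        principal = username;
        return "loggedIn";
    }

    // Behaviour described in the thread: an authenticated session short-circuits,
    // so the newly submitted credentials are never checked.
    String loginShortCircuit() {
        return isLoggedIn() ? "loggedIn" : doLogin();
    }

    // Pattern of the workaround: clear the session's state, then always authenticate.
    String loginAlwaysReauthenticate() {
        principal = null;
        return doLogin();
    }

    public static void main(String[] args) {
        SessionIdentity id = new SessionIdentity(Map.of("alice", "sample-password"));
        id.setCredentials("alice", "sample-password");
        System.out.println("first login: " + id.loginShortCircuit());
        // Browser back button, then the form is submitted with an unknown user.
        id.setCredentials("nobody", "wrong");
        System.out.println("short-circuit: " + id.loginShortCircuit()
                + ", session principal: " + id.getPrincipal());
        System.out.println("re-authenticate: " + id.loginAlwaysReauthenticate()
                + ", logged in: " + id.isLoggedIn());
    }
}
```

In the short-circuit case the session keeps the principal of the first login, not the name typed into the form, which is why the second submit appears to succeed.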