2 Replies Latest reply on Feb 4, 2008 7:32 PM by Shane Bryzak

    Login issue

    Vassilis Petropoulos Newbie

      Hi,
      i am facing a strange behaviour running the scenario below:
      a) user supplied valid username - password and successfully logged in
      b) press back button on browser
      c) relogin supplying invalid username or password
      d) successfully logs in!!

      it seems that seam 'remembers' that user was already logged in and doesn't call authenticate method, allowing a non existing user to enter. Is that expected?

      A workaround is to override org.jboss.seam.security.Identity.Identity and call login method as followes:

      @Name("org.jboss.seam.security.identity")
      @Scope(SESSION)
      @Install(precedence = APPLICATION)
      @BypassInterceptors
      @Startup
      public class AppIdentity extends Identity {
      
       @Override
       public String login() {
       unAuthenticate();
       return super.login();
       }
      
      }
      
      


      I just wonder why unAuthenticate() is not called through Identity.login()

      V.


        • 1. Re: Login issue
          Shane Bryzak Master

          Well of course Seam 'remembers' - authentication is session scoped and simply hitting the back button won't destroy your session. If the user is already authenticated then calling Identity.login() again won't re-authenticate the user again, if you want that kind of behaviour then you'll need to create a page action that calls Identity.logout(). The best I can do if the user is already authenticated is to return a message stating so.

          • 2. Re: Login issue
            Shane Bryzak Master

            Actually a page action won't be invoked if you hit the browser back button, but I've made changes in SVN that will now generate a message if you're already authenticated and try to log in again.