2 Replies Latest reply on Mar 3, 2009 5:09 PM by hb3

    Quit login not working

    stephen

      I try to integrate my app with a custom SSO solution.
      To do this I looked at RememberMe and quickly found that it is not what I need. (The SSO cookie is opaque for me. I have no idea what its format is like - it is only validated by a web service. And btw it really should not contain the password).


      So, I tried to use the same underlying mechanism that Remember me uses, i.e. listenening for the events


      Credentials.EVENT_INIT_CREDENTIALS


      and


      Identity.EVENT_QUIET_LOGIN


      However the second event never happens if I hit a page that requires login while not being logged in, for example


      <page view-id="/contact-data.xhtml" login-required="true">
          <rewrite pattern="/contact-data"/>
      </page>
      



      Instead I am taken to the log-in page. However if I remove the login-required from the page definition and add a <restrict>-tag then everything works as designed.


      I found the culprit to be the code that checks if a redirect to the login page is required. It never tries a quite login.
      See Pages.java:



         private boolean isLoginRedirectRequired(String viewId, Page page)
         {
            return page.isLoginRequired() && 
                  !viewId.equals( getLoginViewId() ) && 
                  !Identity.instance().isLoggedIn();
         }
      



      If I change this method like so, it works fine:



      private boolean isLoginRedirectRequired(String viewId, Page page) {
          if (!page.isLoginRequired() || viewId.equals(getLoginViewId())) {
              return false;
          }
          Identity identity = Identity.instance();
          identity.tryLogin();
          return identity.isLoggedIn();
      }



      Is this a bug/oversight or do I expect something that was never intended to work that way?