Just a hunch:
Maybe the Identity object has gotten an application scope?
Or is it defined as a static?
In those cases it would / could already have a value when you start authenticating (again) by pressing the back button.
And most of the time you start by checking if a user is already logged on.
This is a serious problem.
2.0.3.CR1 is a pre-production release. The first step would be to test with a stable release, either 2.0.2.SP1 or, preferably, 2.1.1.GA.
The security framework has undergone major changes between 2.0.2 and 2.1.1.
PS As Hugo Pragt indicates in his reply, this could be caused by a programming error.
Thanks a lot for your answers.
The Identity object is not static; actually it has the @In annotation with no scope declared.
Also, I've tried to update the framework to 2.1.1, but I have some incompatibility problems and I'm trying to solve them now.
I'll keep in touch.
I've noticed that after I press the browser back button (step 3 from above), get back to the login page, type the credentials and hit the login button, the Authenticator.authenticate method is not called!!! Is this normal? This method is called only when I have previously used the logout link, which invokes the Identity.instance().logout() method.
I think this is the source of my problem. Any suggestion?
Thanks in advance,
You're going to have to post your code; we probably need components.xml, the authenticator bean and probably the backing bean for the customer view that is being displayed incorrectly.
I've updated the Seam framework used in our application from 2.0.3.CR1 to 2.1.1.GA and my problem disappeared! In the log files I noticed that if the user presses the browser back button after authentication and tries to log in again, Seam knows that the user is already logged in.
Still one minor problem left: some customers have 2 or more username/password pairs. If such a customer makes an order with one username and then tries to log in with the second username, going back to the login page using the browser back button, after a successful login he will get the homepage associated with the first username, because Seam does not make another authentication, knowing the first username was not logged out. Yes, I know it's a stupid thing but customers DON'T USE the LOGOUT button...
Thanks a lot for your help,