0 Replies Latest reply on Dec 1, 2009 10:46 AM by Felix Siegrist

    RememberMe with autoLogin mode (token based) eventually redirects to login page

    Felix Siegrist Newbie

      I'm using Seam 2.2.0 and want to add the auto login feature to our application. I therefore added the following fragment to components.xml:

          <security:identity authenticate-method="#{authenticator.authenticate}" />
          <security:remember-me mode="autoLogin" />
          <event type="org.jboss.seam.security.notLoggedIn">
              <action execute="#{redirect.captureCurrentView}" />
              <action execute="#{identity.tryLogin}" />
          </event>
          <event type="org.jboss.seam.security.postAuthenticate">
              <action execute="#{redirect.returnToCapturedView}" />
          </event>

      We use our own token store, that's why it is not configuered here.

      As soon as a not yet logged in user providing the token cookie tries to access a page having the login-required attribute set to true, the quiet login is executed, the redirect component executes returntoCapturedView() but then Seam still redirects to the login page (the user being logged in already).

      In the pages component (org.jboss.seam.navigation.Pages) I found the following code:

         public void redirectToLoginView()
         {
            notLoggedIn();
           
            String loginViewId = getLoginViewId();
            if (loginViewId==null)
            {
               throw new NotLoggedInException();
            }
            else
            {
               Manager.instance().redirect(loginViewId);
            }
         }
        
      notLoggedIn() just fires the notLoggedIn event. As a result of this event, the redirect component captures the current view and the remember-me component performs the quiet login (as a result of identity.tryLogin). After the quiet login the postAuthenticate event is fired triggering the redirect component to execute its returnToCapturedView() method. So far so good. But now the notLoggedIn() method returns and the pages component redirects to the login page.

      Did I miss something in the documentation chapter 15.3.5? How can I suppress the redirect to the login page?