1 Reply Latest reply on Jun 4, 2010 9:41 AM by Sean Tozer

    Browser's back button redirects to the previously viewed page after log out

    Anitha Raj Newbie
      Hello all,

      I have created an application using seam gen. The problem is with log out functionality. After logging out, the user will be redirected to the log in page and if the back button in the browser is clicked then it takes the user back to the previously viewed page and all the pages can be viewed and edited.
      There is no security to the application??

      Please help in solving this.

      This is my logout link:

      <s:link id="menuLogoutId" view="/login.xhtml" action="#{identity.logout}" value="Logout" rendered="#{identity.loggedIn}" propagation="none"/>


      Here is my pages.xml:

      <?xml version="1.0" encoding="UTF-8"?>
      <pages xmlns="http://jboss.com/products/seam/pages"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://jboss.com/products/seam/pages http://jboss.com/products/seam/pages-2.2.xsd"

             no-conversation-view-id="/home.xhtml"
             login-view-id="/login.xhtml">

          <page view-id="*">
              <navigation>
                  <rule if-outcome="home">
                      <redirect view-id="/home.xhtml"/>
                  </rule>
              </navigation>
          </page>

      <exception class="org.jboss.seam.framework.EntityNotFoundException">
              <redirect view-id="/error.xhtml">
                  <message severity="warn">Record not found</message>
              </redirect>
          </exception>
         
          <exception class="javax.persistence.EntityNotFoundException">
              <redirect view-id="/error.xhtml">
                  <message severity="warn">Record not found</message>
              </redirect>
          </exception>
         
          <exception class="javax.persistence.EntityExistsException">
              <redirect view-id="/error.xhtml">
                  <message severity="warn">Duplicate record</message>
              </redirect>
          </exception>
         
          <exception class="javax.persistence.OptimisticLockException">
              <end-conversation/>
              <redirect view-id="/error.xhtml">
                  <message severity="warn">Another user changed the same data, please try again</message>
              </redirect>
          </exception>
         
          <exception class="org.jboss.seam.security.AuthorizationException">
              <redirect view-id="/error.xhtml">
                  <message severity="error">You don't have permission to access this resource</message>
              </redirect>
          </exception>
         
          <exception class="org.jboss.seam.security.NotLoggedInException">
              <redirect view-id="/login.xhtml">
                  <message severity="warn">#{messages['org.jboss.seam.NotLoggedIn']}</message>
              </redirect>
          </exception>
         
          <exception class="javax.faces.application.ViewExpiredException">
              <redirect view-id="/login.xhtml">
                  <message severity="warn">Your session has timed out, please try again</message>
              </redirect>
          </exception>
         
          <exception class="org.jboss.seam.ConcurrentRequestTimeoutException" log-level="trace">
            <http-error error-code="503" />
          </exception>
          
          <exception>
              <redirect view-id="/error.xhtml">
                  <message severity="error">Unexpected error, please try again</message>
              </redirect>
          </exception>
         
      </pages>

        • 1. Re: Browser's back button redirects to the previously viewed page after log out
          Sean Tozer Newbie

          The seam-gen application doesn't have any security restrictions by default. They're easy to add, though. You just need your authentication method to add roles to the user when they log in:


          identity.addRole('person_visitor')



          and then you restrict pages in the page descriptor to require those roles:


          <restrict>#{s:hasRole('person_visitor')}</restrict>



          That can be done either in the global pages.xml or the individual x.page.xml descriptors.


          Note that by default, the seam-gen login page just accepts anything as a valid login, you have to actually write an authenticator, since seam-gen doesn't know how you want to validate a user:


          <security:identity authenticate-method="#{authenticator.authenticate}" />