Session timeout action
seymores

Joined: 17/07/2006 00:00:00
Messages: 17
Offline


Hi,

Right after a session timed out, can I recreate a new session by redirecting the user to a login page (or something like that)?

The behaviour now is, when the session expired, I can do much even if I try to login from the front page again.

Help?
philip.breau


Joined: 08/05/2006 00:00:00
Messages: 2675
Offline


Hi,

If you're using container-managed security, you can set this up to automatically redirect to a login page. In your web.xml, just define your form-based authentication and login page:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>SecurePages</web-resource-name>
    <description>Security constraint for resources in the secure directory</description>
    <url-pattern>/secure/*</url-pattern>
    <http-method>POST</http-method>
    <http-method>GET</http-method>
  </web-resource-collection>

  <auth-constraint>
    <description>only let the system user login </description>
    <role-name>admin</role-name>
  </auth-constraint>

  <user-data-constraint>
    <description>SSL not required</description>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/LoginForm.iface</form-login-page>
    <form-error-page>/LoginError.html</form-error-page>
  </form-login-config>
</login-config>

Thanks,
Philip
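
A hardened variant of the descriptor posted above, as an added example that is not part of the original post or of ICEfaces. It assumes a Servlet 2.4/2.5 container with an HTTPS connector configured; the 30-minute timeout is a placeholder value.

```xml
<!-- Added example (constructed). Fragment to place inside <web-app>. -->

<session-config>
  <!-- Idle timeout in minutes (placeholder); the container invalidates the
       session after this much inactivity. -->
  <session-timeout>30</session-timeout>
</session-config>

<security-constraint>
  <web-resource-collection>
    <web-resource-name>SecurePages</web-resource-name>
    <url-pattern>/secure/*</url-pattern>
    <!-- No http-method elements: the constraint then covers every HTTP
         method. Listing only GET and POST leaves the others unconstrained. -->
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- CONFIDENTIAL makes the container require HTTPS for these URLs -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- The login page has no auth-constraint (anyone may reach it), but it is
     served over HTTPS so credentials are not typed into a plaintext page. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>LoginPages</web-resource-name>
    <url-pattern>/LoginForm.iface</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>FORM</auth-method>
  <form-login-config>
    <form-login-page>/LoginForm.iface</form-login-page>
    <form-error-page>/LoginError.html</form-error-page>
  </form-login-config>
</login-config>

<!-- Every role named in an auth-constraint should be declared here -->
<security-role>
  <role-name>admin</role-name>
</security-role>
```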

jtp51


Joined: 12/07/2006 00:00:00
Messages: 139
Offline


Philip: Essentially, what you're saying is instead of seeing the overlay Session Timeout screen on my page of where the session timed out or the page errored, by using container-managed security I can redirect a user to a new login page or page of my choice?

Thanks,

--Todd

philip.breau


Joined: 08/05/2006 00:00:00
Messages: 2675
Offline


Hi,

Yes, the container should intercept any requests to secured resources and redirect to a login page if the session has expired.

Thanks,
Philip

seymores

Joined: 17/07/2006 00:00:00
Messages: 17
Offline


Thank you, I'll give it a go and see how it works out.

Thanks again.
fxji@yahoo.com

Joined: 30/01/2007 00:00:00
Messages: 6
Offline


Hi,

Even with container-managed security, when the session expired and I clicked on an ICEfaces link, I didn't get back to the login page. I have to use the browser reload button to get back to the login page. To me this is not a desired behavior. Do you have any suggestion how to solve this issue? I tried to implement a servlet filter to handle the session expiration redirect, but I have a similar problem. Once the session expires, ICEfaces will not respond to any mouse click unless there is a page reload.

thanks
drumac

Joined: 14/07/2007 00:00:00
Messages: 49
Offline


Anyone solved this? We have similar problems...
eashwaranp

Joined: 12/02/2007 00:00:00
Messages: 135
Offline


Any updates on this issue? I'm facing a similar situation.

I've a connection status component I'm using on the top right of the page. After the session times out I can see a red mark on it which indicates to me that the session expired. But for a novice user of my application, this is not intuitive at all.

Currently I've to tell the user to click the browser 'Reload' button to activate the container security to make the application go back to the login screen!!

Users are more accustomed to the page automatically getting redirected to another page which states that their session had expired and possibly present new buttons/links to log back in.

How can I do this with ICEfaces?

Regards,
Eashwaran.
Baleyba

Joined: 16/11/2006 00:00:00
Messages: 110
Offline


Hi,

you just need to add these lines into your web.xml, in order to redirect to the login page when the session is broken:

<context-param>
  <param-name>com.icesoft.faces.connectionLostRedirectURI</param-name>
  <param-value>'/index.jsp'</param-value>
</context-param>

regards
Bal.

JBoss 4.2.3 | Java 1.6.0_16 | IceFaces 1.8.2
pred


Joined: 09/07/2007 00:00:00
Messages: 87
Offline


I made a filter to detect session expiration but this was not enough, you need to refresh the page...

I will try with a listener that checks session state and send a redirect order with server push right before session timeout.

- Stephane Maldini
eashwaranp

Joined: 12/02/2007 00:00:00
Messages: 135
Offline


Baleyba wrote:
Hi,

you just need to add these lines into your web.xml, in order to redirect to the login page when the session is broken:

<context-param>
  <param-name>com.icesoft.faces.connectionLostRedirectURI</param-name>
  <param-value>'/index.jsp'</param-value>
</context-param>

regards
Bal. 


Wow! that works really well. Thanks, that was just what I needed :-) (New Note Added: pls see next message too)

One thing to note though: The param-value's value needs to be inside single quotes, just like you have shown; if not the ICEfaces page encounters javascript errors (for me it said 'configuration' not found, probably because I had this definition without quotes in the param-value just above the contextConfigLocation param-value definition).

Thanks again,
Eashwaran.
eashwaranp

Joined: 12/02/2007 00:00:00
Messages: 135
Offline


Hello Baleyba,

I've seen some issues with the connectionLostRedirectURI approach. Yes this does work when session times out, but that is not just it!

It also kicks in when some uncaught exceptions are triggered on the server. It also seems to kick in when there is a network delay and the connection to the server is intermittently lost, but long enough for this feature to transition the app to the lost uri page. My lost uri page has a 'Click here to login' link, and clicking on this just takes me back into the application without going through the login page. This indicates that the session really did not expire, it was just network delay.

I think what we need is a new parameter (say sessionExpiredRedirectURI) that would allow us to configure a new page for just session expiry.

Regards,
Eashwaran.
eashwaranp

Joined: 12/02/2007 00:00:00
Messages: 135
Offline


pred wrote:
I made a filter to detect session expiration but this was not enough, you need to refresh the page...

I will try with a listener that checks session state and send a redirect order with server push right before session timeout. 


I tried a filter following the http://www.netbeans.org/kb/55/sessionredirect.html example. Mapping this filter to Persistent Faces Servlet didn't seem to get me to the code that calls sendRedirect (i.e. isNew true and firstRequest != 0). But when I mapped this filter to Blocking Servlet, this redirect code seems to kick in. But nothing happens on my browser! When I click refresh on the browser, my login page comes up, which is a result of the ACEGI security filters that are in place in my application.

I tried to see if the combo of redirectURI and the filter works, but the redirectURI always wins!

We really need a way for ICEfaces to detect session timeout, not other issues like uncaught exceptions or network delays.

Regards,
Eashwaran.
 