问题
I'm using form based authentication.
I have a logout link which looks like:
<h:commandLink action="#{loginBean.logout}">
<h:outputText value="logout" />
</h:commandLink></div>
And the corresponding logout method:
public String logout() {
FacesContext.getCurrentInstance().getExternalContext().invalidateSession();
return "/view/index?faces-redirect=true"; // Redirect added as per BalusC's suggestion.
}
After hitting the logout link I'm returned to the front page, but seemingly without CSS. When I hit a button to run a search I get the following error:
javax.faces.application.ViewExpiredException: viewId:/view/index.jsf - View /view/index.jsf could not be restored.
And yet the CSS is actually under /resources which shouldn't require authentication as I understand my web.xml:
<security-constraint>
<web-resource-collection>
<web-resource-name>fizio</web-resource-name>
<url-pattern>/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>Unprotected area</web-resource-name>
<url-pattern>/resources/*</url-pattern>
</web-resource-collection>
</security-constraint>
From this state I seem to be able to login again and see some data between occasional view-could-not-be-restored errors, but no CSS. It's all a bit broken really. Any suggestions would be appreciated.
ETA: Login form:
<form method="POST" action="j_security_check">
<label for="j_password">Username:</label> <input type="text" name="j_username" />
<br />
<label for="j_password">Password:</label> <input type="password" name="j_password" /> <input type="submit" value="Login" />
</form>
回答1:
You need to redirect after invalidate. Otherwise the page is been shown in midst of the "invalidated" session. Add faces-redirect=true to the outcome to trigger the redirect.
public String logout() {
FacesContext.getCurrentInstance().getExternalContext().invalidateSession();
return "/index?faces-redirect=true";
}
The redirect will cause the webbrowser to fire a new GET request after the POST response and in turn cause the server to create a brand new session. This way the views will work as intended.
As to the CSS resources, they apparently still need a login. The "Unprotected area" constraint which you have there is not going to work. Remove it and change the URL-pattern of your main security constraint to for example /app/* or whatever a common path of the secured area is.
来源:https://stackoverflow.com/questions/7148290/jsf-life-after-logout