Hi Jeff,
Can you give me some ideas about how you use phase listener for security? Or
give me a link for more details.
Thank you,
Alin.
> I tried to modify the jsp-examples/security/protected example from
> Tomcat to see if the same problem appears with plain jsp. It does not
> appear.
Hmm, interesting...
I'm afraid I can't speak to that myself, as we use a phase listener for
security.
Is anyone here using the built-in FORM security model with Tomcat?
Alin Dosoniu wrote:
Hi Jeff,
Thank you for your quick answer.
Let me tell you more details about my application.
So, I use Tomcat and as security I have configured the FORM method. The
security constraint just say that under /app/* there is a protected area
and only "user" and "admin" users are allowed. There are /error.jsp and
/login.jsp pages used by authentication system.
In my application I have a commandLink like this
<h:commandLink id="logout_link" action="go_firstpage"
styleClass="header_right" >
<h:outputText value="#{msg['log_out']}"/>
<f:actionListener
type="app.listeners.LogOutListener"></f:actionListener>
</h:commandLink>
Navigation setting for go_firstpage is like this
<navigation-case>
<from-outcome>go_firstpage</from-outcome>
<to-view-id>/app/index.jsp</to-view-id>
</navigation-case>
/app/index.jsp only makes a sendRedirect to a page ending in jsf..
(main.jsf).
The navigation rule starts like this
<navigation-rule>
<from-view-id>*</from-view-id>
This is what I do in LogOutListener's processAction method:
FacesContext facesContext = FacesContext.getCurrentInstance();
HttpSession httpSession =
((HttpSession)facesContext.getExternalContext().getSession(false));
httpSession.invalidate();
I tried to modify the jsp-examples/security/protected example from Tomcat
to see if the same problem appears with plain jsp. It does not appear.
Thanks in advanced,
Alin.