16 Replies. Latest reply on Nov 19, 2007 1:56 PM by xshuang

    Difference between session timeout and not logged in yet

    xshuang

      Good afternoon,

      Does anyone know the difference between session timeout and not logged in yet? It is easy to configure my application to redirect to the login page using attribute login-view-id of pages.xml for both scenarios.

      However, I want to display a message like "Your session times out. Please login again" for the first (session timeout) scenario, to differentiate it from the second (not logged in) scenario.

      Is there a way that I can approach this in Seam? Thank you very much for your help.

      Regards,
      Sheng

        • 1. Re: Difference between session timeout and not logged in yet
          wquraishi

          to restrict a page, in pages.xml:

           <page view-id="/report.xhtml" login-required="true" />
          


          to redirect to login page, when attempting to access a restricted page:

           <exception class="org.jboss.seam.security.NotLoggedInException">
               <redirect view-id="/login.xhtml">
                   <message>Please log in first</message>
               </redirect>
           </exception>
          


          • 2. Re: Difference between session timeout and not logged in yet
            xshuang

            Hi wquraishi,

            Thanks a lot for your reply. However, I am using exactly the same configuration as yours.

            My question is how to differentiate a session timeout from a newly created session. If I bookmark a page requiring login, it is desired that the application redirects me to the login page, and the message "Please log in first" is fine. However, if I have been inactive for a while and thus my session times out, it is preferred to display a message like "Your session times out. Please login again".

            Is this possible with Seam?

            Thanks,
            Sheng

            • 3. Re: Difference between session timeout and not logged in yet
              saeediqbal1

              Seems like a good, intuitive idea. How do we get our apps to show a session expired message?

              • 4. Re: Difference between session timeout and not logged in yet

                You have to make some assumptions here, but you can basically notify the user when the server session has ended with the following in a PhaseListener:

                @Observer("org.jboss.seam.beforePhase")
                public void beforePhase(PhaseEvent event)
                {
                    if (event.getPhaseId() == PhaseId.RESTORE_VIEW)
                    {
                        HttpServletRequest request =
                            (HttpServletRequest) FacesContext.getCurrentInstance()
                                .getExternalContext().getRequest();

                        if (request.getRequestedSessionId() != null
                                && request.getSession().isNew())
                            Events.instance().raiseEvent("org.myOrg.sessionExpired");
                ...


                Based on general cookie settings this will raise the event when the user still has the browser window open, the http session expired, and the user tries to access the app. If the user closes and reopens the browser to start the application, the event will not be raised.

                This of course makes the assumption that cookies expire when the browser session is ended (which is generally the case). Good luck.

                • 5. Re: Difference between session timeout and not logged in yet
                  xshuang

                  Good afternoon Jacob,

                  Thanks a lot for the reply. I followed your suggestion but still have a problem. That is, I cannot add a message to be displayed on the logon page.

                  In my components.xml,




                  In my AuthenticatorAction, I have
                  public void sessionExpired() {
                  FacesMessages.instance().add("Your session is expired, please login again");
                  }

                  I got a warning and the message is not displayed. I also tried to inject facesMessages
                  @In(create=true)
                  FacesMessages facesMessages;
                  Then use
                  facesMessages.add("Your session is expired, please login again");
                  Then I got another warning saying facesMessages cannot be null. I checked the forum and one user says facesMessages is not available at the RESTORE_VIEW phase.

                  Could you give me more information regarding how to make this work, or whether there is a possible workaround? Thank you very much for your help.

                  Have a nice day!

                  Best regards,
                  Sheng

                  • 6. Re: Difference between session timeout and not logged in yet
                    xshuang

                    Sorry, I don't know why some content does not get displayed.
                    My components.xml is as follows:




                    Thanks,
                    Sheng

                    • 7. Re: Difference between session timeout and not logged in yet

                      You need to use the

                      tags


                      • 8. Re: Difference between session timeout and not logged in yet
                        xshuang

                        Sorry in my components.xml, I have the following setup:
                        event type="sessionExpired"
                        action expression="#{authenticator.sessionExpired}"

                        Thanks,
                        Sheng

                        • 9. Re: Difference between session timeout and not logged in yet

                           

                          "xshuang" wrote:
                          Then I got another warning saying facesMessages cannot be null. I checked the forum and one user says facesMessages is not available at the RESTORE_VIEW phase.


                          Yes, you can maintain a list of custom messages in an appropriately scoped component. Observe the event as you are and add the session expired message to your message component.

                          Then prior to rendering the login page, invoke your messages component to add the messages to FacesMessages (which you can do by specifying an action in pages.xml). FacesMessages will be available in the context at that time. This serves as a workaround which I have used on several occasions for messages that are initiated prior to the RESTORE_VIEW.

                          Also, if anyone else has a better way to initiate messages prior to RESTORE_VIEW I would certainly like to hear it :) Hope that helps.



                          • 10. Re: Difference between session timeout and not logged in yet
                            pmuir

                            Jacob, we could add a specific session expired event to Seam as well as a new session event. Please file a feature request with the code snippets you posted above.

                            • 11. Re: Difference between session timeout and not logged in yet
                              • 12. Re: Difference between session timeout and not logged in yet
                                xshuang

                                Good morning Jacob,

                                Thanks a lot for the suggestion again. It is nice to have a work-around before a clean solution is implemented by the Seam development team. And I have learned a lot about JSF phases and Seam messages/facesMessages with your code.

                                Now I have the message displayed correctly when a user's session is expired. However, it seems that the PhaseListener also raises the session expiry event when a user logs out. My goal is to differentiate these two scenarios. Is there a way to raise two different events with the PhaseListener?

                                By the way, my implementation is as follows:



                                Code:



                                1. AuthenticatorAction
                                public void sessionExpired() {
                                    user.setMessage("user.session.timeout");
                                }
                                Where user is a session scope variable. This serves as the appropriately scoped message component you mentioned.

                                2. pages.xml
                                <page view-id="/security/login.xhtml">



                                ....



                                3. AuthenticatorAction
                                public void displaySessionExpiredMessage() {
                                    if (user != null) {
                                        if (user.getMessage() != null) {
                                            FacesMessages.instance().addFromResourceBundle(user.getMessage());
                                        }
                                        user.setMessage(null);
                                    }
                                }





                                Thank you very much for your help and have a nice day.

                                Best regards,
                                Sheng

                                • 13. Re: Difference between session timeout and not logged in yet

                                  Hmm... yes, I suppose that would be the case if you redirected directly to the login page after logout... I have not had to cover that case.

                                  The best option I can think of is putting a page in between that simply displays something like "You have successfully logged out" and then perform a meta redirect to the login page after a few seconds. Very easy to set up with a navigation rule and actually pretty common on websites. That should avoid your issue.

                                  On another note, there is now an event "org.jboss.seam.loggedOut", but any information you set in the session of course would be lost once the session is invalidated by the logout. I can't think of a way (without some really ugly hacks) that you could use this event to accomplish what you want to do. See the following for more information on this event:

                                  http://jira.jboss.com/jira/browse/JBSEAM-2063

                                  • 14. Re: Difference between session timeout and not logged in yet

                                     

                                    The best option I can think of is putting a page in between that simply displays something like "You have successfully logged out" and then perform a meta redirect to the login page after a few seconds.


                                    On second look, this should be further specified, sorry. The redirect is going to have to include some information in the URL to indicate that a logout occurred. For example,

                                    <meta http-equiv="Refresh"
                                     content="2; URL=/myApp/login.seam?logout=true">


                                    This parameter allows you to differentiate between session timeout and logout when adding the message.

                                    On further thought, you may also be able to use the logout event to redirect to the login page with the logout parameter provided. This would avoid the page in between. I would certainly like to hear the solution you go with just in case I have to do this myself :)
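
The three-way distinction worked out across replies 4, 12 and 14, written out as an added example that is not part of the original thread or of Seam. The class, enum and method names and two of the message keys are hypothetical; the inputs are passed in as plain values so the logic runs outside a servlet container.

```java
// Added example (not from the thread). LoginReason, Reason, classify and
// messageKey are hypothetical names; only "user.session.timeout" is from the thread.
public class LoginReason {
    enum Reason { NOT_LOGGED_IN, SESSION_EXPIRED, LOGGED_OUT }

    /*
     * In a container the inputs come from HttpServletRequest:
     *   requestedSessionId <- getRequestedSessionId()   (cookie sent by the browser)
     *   sessionIsNew       <- getSession().isNew()
     *   logoutParam        <- getParameter("logout")
     * All three derive from client-supplied data, so the result may only select
     * a message. It must never feed an authentication or authorization decision.
     */
    static Reason classify(String requestedSessionId, boolean sessionIsNew, String logoutParam) {
        // Reply 14: check the logout marker first. After logout the session is
        // invalidated while the browser still sends the old cookie, which is
        // otherwise indistinguishable from a timeout (the problem in reply 12).
        if ("true".equals(logoutParam)) return Reason.LOGGED_OUT;
        // Reply 4: an id was presented but the server had to start a new session.
        if (requestedSessionId != null && sessionIsNew) return Reason.SESSION_EXPIRED;
        // No cookie at all (bookmark, fresh browser): plain "not logged in".
        return Reason.NOT_LOGGED_IN;
    }

    // Map to fixed resource-bundle keys; the request parameter is never echoed.
    static String messageKey(Reason reason) {
        switch (reason) {
            case SESSION_EXPIRED: return "user.session.timeout";
            case LOGGED_OUT:      return "user.logged.out";      // hypothetical key
            default:              return "user.login.required";  // hypothetical key
        }
    }

    public static void main(String[] args) {
        // Constructed requests: {requested session id, session is new, logout parameter}
        Object[][] cases = {
            { null,     true,  null   },  // bookmark, no cookie
            { "A1B2C3", true,  null   },  // stale cookie after inactivity
            { "A1B2C3", true,  "true" },  // redirected from logout
            { "A1B2C3", false, null   },  // live session, user not authenticated yet
        };
        for (Object[] c : cases) {
            Reason r = classify((String) c[0], (Boolean) c[1], (String) c[2]);
            System.out.println(r + " -> " + messageKey(r));
        }
    }
}
```

Because anyone can send a stale cookie or append `logout=true`, the outcome is limited to choosing among fixed message keys; access control stays with `login-required` in pages.xml.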
