CDI SessionScoped Bean generating lots of sessions

StackOverflow https://stackoverflow.com/questions/7166442

Question

I'm doing a login. The problem is: my isUserLoggedIn() method is called several times by other sessions (i've checked using (HttpSession) FacesContext.getCurrentInstance().getExternalContext().getSession(false)).

The Login bean (of a JSF page) is this:

@Named
@SessionScoped
public class Login implements Serializable {

    @Inject
    private Credentials credentials;

    private UserData user;

    public String login() {
        if (this.credentials.getUsername().equals("daniel")) {
            user = new UserData("Daniel");
            return "success";
        }
        return "failure";
    }

    public boolean isUserLoggedIn() {
        return user != null;
    }

    public String logout() {
        user = null;
        ((HttpSession) FacesContext.getCurrentInstance().getExternalContext().getSession(false)).invalidate();
        return "success";
    }

    public String getUsername() {
        return getUser() == null ? "" : getUser().getUsername();
    }

    @Produces
    public UserData getUser() {
        return user;
    }
}

So, what happens is: when login() is called, I can see via getSession() that it is X, but then, afterwards while trying to access another page, when calling isUserLoggedIn(), the getSession() method returns Y instead of X, and the user attribute is null. Frequently the isUserLoggedIn() method is called several times with just 1 request, and it's session changes each time it is called.

By the way, I'm using JBoss AS7 Final, and my faces-config.xml is the following:

<?xml version="1.0" encoding="UTF-8"?>
<faces-config version="2.0" xmlns="http://java.sun.com/xml/ns/javaee"
    xmlns:xi="http://www.w3.org/2001/XInclude" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="         http://java.sun.com/xml/ns/javaee         http://java.sun.com/xml/ns/javaee/web-facesconfig_2_0.xsd">

    <navigation-rule>
        <from-view-id>/login.xhtml</from-view-id>
        <navigation-case>
            <from-action>#{login.login}</from-action>
            <from-outcome>success</from-outcome>
            <to-view-id>/secured/home.xhtml</to-view-id>
            <redirect />
        </navigation-case>
        <navigation-case>
            <from-action>#{login.login}</from-action>
            <from-outcome>failure</from-outcome>
            <to-view-id>/login.xhtml</to-view-id>
            <redirect />
        </navigation-case>
    </navigation-rule>
    <navigation-rule>
        <from-view-id>/*.xhtml</from-view-id>
        <navigation-case>
            <from-action>#{login.logout}</from-action>
            <from-outcome>success</from-outcome>
            <to-view-id>/login.xhtml</to-view-id>
            <redirect />
        </navigation-case>
    </navigation-rule>
</faces-config>

Any ideas? Thank you.

Was it helpful?

Solution

After some time back there I discovered that the problem had to do with the url path. The cookie was generated for a path and when changing the path and trying to access the session, it was generated another one.

Anyway, I discovered that this is definitely NOT the way to secure Java EE apps (see Java EE 6 manual), so I'm going other way.

Thanks.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top