I have a strange issue with logging in and out. I've implemented container-based security. I have Login/Logout links on all my pages (through template.xhtml) that are rendered or not based on a backing bean boolean property (it's actually the method isLoggedIn()). Also in the backing bean I have a method logout which is the action for the Logout link (it's an h:commandLink). The logout method returns a String that redirects to the login page through implicit JSF 2.0 navigation. Now when I deploy the application and browse to my page, it displays index.xhtml. From there I go to the login page. I put in my username/password, click Login and it logs me in. But now I click Logout, which calls the backing bean logout method mentioned, which does this:

public String logout() {
    HttpSession session = (HttpSession) FacesContext.getCurrentInstance().getExternalContext().getSession(false);
    //HttpServletRequest request = (HttpServletRequest) FacesContext.getCurrentInstance().getExternalContext().getRequest();
    try {
        session.invalidate();
        //request.logout();
    } catch (Exception ex) {
        Logger.getLogger(PostController.class.getName()).log(Level.SEVERE, null, ex);
    }
    return "/ssl/login?faces-redirect=true";
}

Now after clicking Logout it redirects me back to the login page, where I again put in my username/password and click Login. But then a strange thing happens, because it displays my index.xhtml but I'm not logged in. I have to go to the login page again and retype my credentials once more to finally be logged in. This happens only when I use session.invalidate() in the backing bean logout() method. When I use request.logout() everything works fine. What's the problem?

Edited: isLoggedIn looks like this, but I don't think it's the problem, because I created a filter that redirects me (only when I'm logged in) to index.xhtml when I try to browse to the login page. And it doesn't happen.

public boolean isLoggedIn() {
    HttpServletRequest request = (HttpServletRequest) FacesContext.getCurrentInstance().getExternalContext().getRequest();
    if(request.getUserPrincipal() != null)
        return true;
    else
        return false;
}

Edited: Here is the scenario considering the HTTP headers. I request login.xhtml:

GET /blog-war/ssl/login.xhtml;jsessionid=edccb9f9a1c5fc77dbd7fc86f55b HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; pl; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://localhost:8080/blog-war/
Cookie: JSESSIONID=edccb9f9a1c5fc77dbd7fc86f55b

Response:

HTTP/1.1 302 Moved Temporarily
X-Powered-By: Servlet/3.0
Server: GlassFish Server Open Source Edition 3.0.1
Location: https://localhost:8181/blog-war/ssl/login.xhtml
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-GB
Content-Length: 197
Date: Sat, 04 Sep 2010 22:27:47 GMT

Moved temporarily, so the browser makes another request:

GET /blog-war/ssl/login.xhtml HTTP/1.1
Host: localhost:8181
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; pl; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://localhost:8080/blog-war/
Cookie: JSESSIONID=edccb9f9a1c5fc77dbd7fc86f55b

Response:

HTTP/1.1 200 OK
X-Powered-By: Servlet/3.0, JSF/2.0
Server: GlassFish Server Open Source Edition 3.0.1
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Content-Length: 1256
Date: Sat, 04 Sep 2010 22:27:47 GMT

I fill in username/password and click Login:

POST /blog-war/ssl/j_security_check HTTP/1.1
Host: localhost:8181
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; pl; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://localhost:8181/blog-war/ssl/login.xhtml
Cookie: JSESSIONID=edccb9f9a1c5fc77dbd7fc86f55b

Response:

HTTP/1.1 302 Moved Temporarily
X-Powered-By: Servlet/3.0
Server: GlassFish Server Open Source Edition 3.0.1
Location: https://localhost:8181/blog-war/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-GB
Content-Length: 182
Date: Sat, 04 Sep 2010 22:40:01 GMT

It was a redirect to index.xhtml:

GET /blog-war/ HTTP/1.1
Host: localhost:8181
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; pl; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://localhost:8181/blog-war/ssl/login.xhtml
Cookie: JSESSIONID=edccb9f9a1c5fc77dbd7fc86f55b

Response:

HTTP/1.1 302 Moved Temporarily
X-Powered-By: Servlet/3.0
Server: GlassFish Server Open Source Edition 3.0.1
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 01:00:00 CET
Location: http://localhost:8080/blog-war/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-GB
Content-Length: 181
Date: Sat, 04 Sep 2010 22:40:01 GMT

Again a redirect, because I have a filter that switches https to http and vice versa (I wanted only login.xhtml in https):

GET /blog-war/ HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; pl; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Cookie: JSESSIONID=edccb9f9a1c5fc77dbd7fc86f55b

Response:

HTTP/1.1 200 OK
X-Powered-By: Servlet/3.0, JSF/2.0
Server: GlassFish Server Open Source Edition 3.0.1
Pragma: no-cache
Cache-Control: no-cache, no-store, must-revalidate
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Content-Type: text/html;charset=UTF-8
Content-Length: 4002
Date: Sat, 04 Sep 2010 22:40:02 GMT

Now I'm logged in successfully; the Logout link is rendered, which means the backing bean's isLoggedIn returns true. Now I click Logout, which invokes session.invalidate() in the logout() method in the backing bean:

POST /blog-war/index.xhtml HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; pl; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://localhost:8080/blog-war/
Cookie: JSESSIONID=edccb9f9a1c5fc77dbd7fc86f55b

Response:

HTTP/1.1 302 Moved Temporarily
X-Powered-By: Servlet/3.0, JSF/2.0
Server: GlassFish Server Open Source Edition 3.0.1
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Location: http://localhost:8080/blog-war/ssl/login.xhtml
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-GB
Content-Length: 196
Date: Sat, 04 Sep 2010 22:48:34 GMT

Redirect to the login page: logout returns the String "/ssl/login?faces-redirect=true", so we go there:

GET /blog-war/ssl/login.xhtml HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; pl; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://localhost:8080/blog-war/
Cookie: JSESSIONID=edccb9f9a1c5fc77dbd7fc86f55b

Response:

HTTP/1.1 302 Moved Temporarily
X-Powered-By: Servlet/3.0
Server: GlassFish Server Open Source Edition 3.0.1
Location: https://localhost:8181/blog-war/ssl/login.xhtml
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-GB
Content-Length: 197
Date: Sat, 04 Sep 2010 22:48:34 GMT

Another redirect, the login page should be in https (the filter is working :)):

GET /blog-war/ssl/login.xhtml HTTP/1.1
Host: localhost:8181
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; pl; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: http://localhost:8080/blog-war/
Cookie: JSESSIONID=edccb9f9a1c5fc77dbd7fc86f55b

Response:

HTTP/1.1 200 OK
X-Powered-By: Servlet/3.0, JSF/2.0
Server: GlassFish Server Open Source Edition 3.0.1
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=eefdcda45337b9c897de2a0e95e3; Path=/blog-war; Secure
Content-Type: text/html;charset=UTF-8
Content-Length: 1256
Date: Sat, 04 Sep 2010 22:48:35 GMT

So this was the normal flow of events. Now the abnormal one :) I'm already at the login page, so I retype my username/password and click Login:

POST /blog-war/ssl/j_security_check HTTP/1.1
Host: localhost:8181
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; pl; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://localhost:8181/blog-war/ssl/login.xhtml
Cookie: JSESSIONID=eefdcda45337b9c897de2a0e95e3

Response:

HTTP/1.1 302 Moved Temporarily
X-Powered-By: Servlet/3.0
Server: GlassFish Server Open Source Edition 3.0.1
Location: https://localhost:8181/blog-war/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-GB
Content-Length: 182
Date: Sat, 04 Sep 2010 22:55:46 GMT

Redirect to index:

GET /blog-war/ HTTP/1.1
Host: localhost:8181
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; pl; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: https://localhost:8181/blog-war/ssl/login.xhtml
Cookie: JSESSIONID=eefdcda45337b9c897de2a0e95e3

Response:

HTTP/1.1 302 Moved Temporarily
X-Powered-By: Servlet/3.0
Server: GlassFish Server Open Source Edition 3.0.1
Pragma: No-cache
Cache-Control: no-cache
Expires: Thu, 01 Jan 1970 01:00:00 CET
Location: http://localhost:8080/blog-war/
Content-Type: text/html;charset=ISO-8859-1
Content-Language: en-GB
Content-Length: 181
Date: Sat, 04 Sep 2010 22:55:47 GMT

Again the filter redirects to http for index.xhtml:

GET /blog-war/ HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; pl; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive

Response:

HTTP/1.1 200 OK
X-Powered-By: Servlet/3.0, JSF/2.0
Server: GlassFish Server Open Source Edition 3.0.1
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: JSESSIONID=ef675cbb9747063c235fdb44137e; Path=/blog-war
Content-Type: text/html;charset=UTF-8
Content-Length: 3410
Date: Sat, 04 Sep 2010 22:55:48 GMT

At this point the Logout link is not rendered, which means we are not logged in? In the response there is a Set-Cookie, so does it mean the server logged me out? After going again to the login page it starts all over from the top. I can also insert server logs, which differ a little bit between the normal login and the abnormal login scenario. Also, about Expires in the response, why is it January 1970? I'm really confused.

A: 

Since you shouldn't be able to access restricted pages without being logged in when using container managed security, I strongly suspect that the isLoggedIn() method incorrectly returned false, which made it look like you're not logged in. The method should at least look like this:

public boolean isLoggedIn() {
    return FacesContext.getCurrentInstance()
        .getExternalContext().getUserPrincipal() != null;
}

Update: right, when a cookie has been created in an HTTPS context (i.e. it has the Secure flag), then the cookie gets lost when switching from HTTPS to HTTP. However, if the cookie has been created in an HTTP context (i.e. it has no Secure flag), then the cookie will remain available in both HTTP and HTTPS contexts. This is as per the RFC 2965 cookie spec (check the description of the Secure flag).

Apart from using HttpServletRequest#logout(), another solution would be to create the cookie immediately during the redirect after logout instead of creating it only when the login page has been requested over HTTPS. You can implicitly create a new cookie by just requesting the HttpSession.

BalusC
I have updated my question with isLoggedIn implementation. BTW hello again:)
l245c4l
Well, although a bit overcomplicated, your `isLoggedIn()` looks fine. What servlet container are you using? What happens when you press F5 after the login which displays that you're not logged in? What do the request/response headers say? I at least haven't seen this problem before, and it's hard to try replicating the same problem without more detail about the configs/environment.
BalusC
F5 doesn't help. I'm using GlassFish v3. It throws some exception: INFO: JACC Policy Provider: Failed Permission Check, context(blog/blog-war_war)- permission((javax.security.jacc.WebUserDataPermission /ssl/login.xhtml GET))FINEST: JACC Policy Provider: PolicyWrapper.getPermissions(d), context (blog/blog-war_war) permissions: java.security.Permissions@1ef29515 (... And I think it's because I have specified a security-constraint SSL Area in web.xml for /ssl/* (the login page is under /ssl/login.xhtml) and I have no <auth-constraint> but I have <user-data-constraint> CONFIDENTIAL.
l245c4l
I can paste logs if you want. And how do I check those headers? Just print them out?
l245c4l
You can check headers using FireBug or Fiddler. Watch for differences in how the session cookie and authentication headers are set/sent.
BalusC
I have updated question again with full conversation flow.
l245c4l
I really want to understand how things work. When I redirect to the login page after logout, it creates the cookie 'too late', when I'm already in the SSL channel. Then when I relogin, what is actually happening behind the scenes? From the logs I see that the server logs me in, but then I redirect to http and the server logs me out? When does the server decide to send me a new cookie, and when sending it, does it log me out? Or am I still logged in but the browser uses a cookie with a different id, so the server recognizes me as another user? I just wonder what the server is doing :)
l245c4l
A: 

If you're using session.invalidate(), the correct test for isLoggedIn() is userPrincipal() != null && session.isRequestedSessionValid(). Otherwise the page straight after the logout will show you as still logged in.

You shouldn't be redirecting to the login page yourself. CMA should do that for you. Just redirect to a page that requires a login.

EJP
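As an added example (not code from either answer or from the asker's project), a backing bean that combines the two answers: it logs out through the container, invalidates the old session and immediately requests a new one in the same plain-HTTP request, so the replacement JSESSIONID is issued without the Secure attribute and survives the filter's HTTPS-to-HTTP hop; and it tests login state with the Servlet API's HttpServletRequest#isRequestedSessionIdValid(), which is the check EJP describes. The bean name AuthBean is a placeholder; it assumes JSF 2.0 on a Servlet 3.0 container, as on the page.

```java
import java.util.logging.Level;
import java.util.logging.Logger;

import javax.faces.bean.ManagedBean;
import javax.faces.bean.RequestScoped;
import javax.faces.context.FacesContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

@ManagedBean   // placeholder bean; the asker's bean is PostController
@RequestScoped
public class AuthBean {

    private static final Logger LOG = Logger.getLogger(AuthBean.class.getName());

    private static HttpServletRequest request() {
        return (HttpServletRequest) FacesContext.getCurrentInstance()
                .getExternalContext().getRequest();
    }

    // Logged in only if the container knows a principal AND the session id the
    // browser sent is still valid. Right after invalidate() the principal can still
    // be attached to the current request, so the principal alone would say "logged in".
    public boolean isLoggedIn() {
        HttpServletRequest req = request();
        return req.getUserPrincipal() != null && req.isRequestedSessionIdValid();
    }

    public String logout() {
        HttpServletRequest req = request();
        try {
            req.logout();                 // Servlet 3.0: drop the container-managed login
        } catch (ServletException ex) {
            LOG.log(Level.SEVERE, "Container logout failed", ex);
        }
        HttpSession old = req.getSession(false);
        if (old != null) {
            old.invalidate();             // discard server-side state of the old JSESSIONID
        }
        // Create the replacement session NOW, while this request is still on the HTTP
        // side (the POST to /blog-war/index.xhtml on port 8080). The Set-Cookie travels
        // with the redirect response, so the new JSESSIONID has no Secure attribute and
        // the browser keeps sending it after the filter bounces https://...:8181 back to
        // http://...:8080. Had the HTTPS login page issued it first, it would carry Secure
        // and be withheld on the next HTTP hop, which is the "logged out" state in the trace.
        req.getSession(true);
        return "/ssl/login?faces-redirect=true";
    }
}
```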