users@glassfish.java.net

Problem with direct access to login form

From: <glassfish_at_javadesktop.org>
Date: Wed, 05 Nov 2008 19:46:11 PST

I'm working on glassfish-v2ur2, using FORM_AUTH with a custom realm for my JSF application. Consider the following pages in the application:

/index.jsp (simple welcome file not protected)
/Login.jsp (login page)
/manage/ManageAccount.jsp (some protected resource)

If users act like this:

1. request /Login.jsp directly, submit the login form with the correct username/password
2. authenticated, redirected to the context root, /index.jsp
3. request /manage/ManageAccount.jsp
4. not authorized, redirected to /Login.jsp
5. just click the browser's "Back" button, go back to /index.jsp
6. request /manage/ManageAccount.jsp again, succeeds

How could this happen?

I read some source code around FormAuthenticator. It seems the server uses some kind of session cache for saving user principals between requests around authentication. Is there any possibility that the above problem comes from this mechanism, or is it just some bug that exists in my application?

Thanks for any reply.

Stephen
[Message sent by forum member 'stephensuen' (stephensuen)]

http://forums.java.net/jive/thread.jspa?messageID=315166
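For readers who want to reproduce the setup described in the post, the following web.xml deployment descriptor is an added example and is not from the original poster or from GlassFish. It wires the three pages named above the way the post implies: /index.jsp and /Login.jsp are outside any security constraint, so /Login.jsp can be requested directly, while everything under /manage/ requires an authenticated user in a role. The role name `account-user`, the error page `/LoginError.jsp`, and the realm name `myCustomRealm` are assumptions (the post names none of them); `myCustomRealm` would have to match a realm configured in the GlassFish domain.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example descriptor, not the original poster's web.xml. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">

    <!-- Unprotected welcome file, as in the post. -->
    <welcome-file-list>
        <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>

    <!-- Only /manage/* is constrained. /index.jsp and /Login.jsp are
         deliberately left out, so the login form is reachable directly
         without a pending "saved request" for a protected page. -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Account management</web-resource-name>
            <url-pattern>/manage/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <!-- Assumed role name; must be mapped to a realm group
                 in sun-web.xml (or via default principal-to-role mapping). -->
            <role-name>account-user</role-name>
        </auth-constraint>
    </security-constraint>

    <login-config>
        <auth-method>FORM</auth-method>
        <!-- Assumed: GlassFish selects the realm named here from the
             domain configuration for FORM authentication as well. -->
        <realm-name>myCustomRealm</realm-name>
        <form-login-config>
            <form-login-page>/Login.jsp</form-login-page>
            <!-- Assumed error page; the post does not name one. -->
            <form-error-page>/LoginError.jsp</form-error-page>
        </form-login-config>
    </login-config>

    <security-role>
        <role-name>account-user</role-name>
    </security-role>

</web-app>
```

Two things are worth checking when reproducing the six steps: that /Login.jsp posts to `j_security_check` with fields `j_username` and `j_password` (the standard FORM_AUTH contract), and that neither /Login.jsp nor the error page falls under `/manage/*` or any other constraint, since a constrained login page would itself trigger the redirect loop the container is designed to avoid. With redirects disabled in the client (for example `curl` without `-L`, keeping a cookie jar for JSESSIONID), each of the six steps shows its own status code and `Location` header, which makes it easier to see at which step the container considers the session authenticated.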