users@glassfish.java.net

How to handle session timeout with JSF and container managed authentication

From: <glassfish_at_javadesktop.org>
Date: Wed, 10 Jun 2009 07:09:16 PDT

I have a JSF based web application and I need to handle session timeouts. I know how to do a Filter and I can detect the session is invalid and redirect to a timeout page.

The problem that I am having is when the timeout occurs on an authentication context protected JSF page. The scenario is that the browser is showing the protected page and as such the user has already logged in to get here. The user just sits idle and the session times out. The user really does not have a clue that this has happened, so at some later time, the user attempts to interact with the page. Since there is no session, the container managed authentication immediately kicks in and presents the authentication form. The user fills out the form and is authenticated and then the container forwards to the original URL, in this case my JSF page. The JSF view state for the page has been lost when the session timed out and the view handler throws a ViewExpiredException which ends up bringing up one of the error pages with a stack traceback.

The problem that I am having in my filter is that when the container managed authentication presents that authentication form, this also creates a session. So in my filter, I cannot detect that this session is invalid or no good since from all of the tests that I can find, the session looks valid. Thus I have no way of knowing in this case to redirect to some stable page.

Right now I am actually catching ServletExceptions in my filter, looking at the root cause to see if it is a ViewExpiredException and then forwarding based upon this.

The question is, is this the right way or is there a better way?

I've searched for an answer, but have not seen anyone present a solution that works with container managed authentication.

Thanks in advance for any information that can be provided.

Brett
[Message sent by forum member 'bbergquist' (bbergquist)]

http://forums.java.net/jive/thread.jspa?messageID=350483
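
The root-cause check described in the message above, written as a servlet filter. This is an added example, not code from the original post: the class name, the `/sessionTimeout.jsp` path and the cause-chain depth limit are assumptions, and it redirects to the landing page (a fresh GET) where the post mentions forwarding.

```java
import java.io.IOException;
import javax.faces.application.ViewExpiredException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ViewExpiredFilter implements Filter {
    // Assumed landing page; it must render without any saved JSF view state.
    private static final String TIMEOUT_PAGE = "/sessionTimeout.jsp";
    // Assumed bound so a cyclic cause chain cannot loop forever.
    private static final int MAX_DEPTH = 20;

    public void init(FilterConfig config) { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        try {
            chain.doFilter(req, res);
        } catch (ServletException e) {
            // Anything other than an expired view, or a response that has
            // already started, is left to the container's error handling.
            if (!causedByViewExpired(e) || res.isCommitted()) {
                throw e;
            }
            HttpServletRequest request = (HttpServletRequest) req;
            HttpServletResponse response = (HttpServletResponse) res;
            // Redirect so the browser issues a new GET instead of replaying the postback.
            response.sendRedirect(
                response.encodeRedirectURL(request.getContextPath() + TIMEOUT_PAGE));
        }
    }

    // Walks both getRootCause() (ServletException) and getCause() links.
    static boolean causedByViewExpired(Throwable t) {
        for (int depth = 0; t != null && depth < MAX_DEPTH; depth++) {
            if (t instanceof ViewExpiredException) return true;
            Throwable root = (t instanceof ServletException)
                ? ((ServletException) t).getRootCause() : null;
            t = (root != null) ? root : t.getCause();
        }
        return false;
    }
}
```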