The problem is that the login page attempts to redirect back to the
originally requested page, however not all pages can be viewed from a
virgin HTTP session, as they must be properly initialized by their
respective controller methods. We need to detect this case and redirect
to the main page.
Follow-ups
Submitted By: Andrew Tolopko
Adddate: 2008-10-02 12:39:23
Started looking into this, and it's not as simple a problem I thought.
We need to be able to determine if any given Controller is being
accessed with a request that did not follow from a previous controller
method's invocation. Otherwise any other set of request params might be
inappropriate for the state of the backing bean(s) accessed by the new
page. Not sure how to handle this yet...
I feel like this is a fairly critical bug, so going to up to priority 1.
Submitted By: Andrew Tolopko
Adddate: 2008-10-02 12:39:23
A related issue: if the HTTP session has expired, and the user clicks on
"logout", the user is asked to login first, and is then logged out,
as
originally requested, causing another login screen to appear. This is
nuts!
Submitted By: Andrew Tolopko
Adddate: 2008-10-02 12:39:24
For logout issue, should probably create an explicit "you are logged
out" page, which is unprotected, and thus does not cause Tomcat to
invoke authentication page.
For issue of using invalid (old) pages, should be able to take advantage
of the jsf_sequence session attribute (a counter), in order to Do The
Right Thing when a link from an old page is accessed.
Submitted By: Andrew Tolopko
Adddate: 2008-10-02 12:39:24
minimally, we should at least redirect to main page when requested url
is invalid
Submitted By: Sean Erickson
Migrated issue:
The problem is that the login page attempts to redirect back to the originally requested page, however not all pages can be viewed from a virgin HTTP session, as they must be properly initialized by their respective controller methods. We need to detect this case and redirect to the main page.
Follow-ups Submitted By: Andrew Tolopko
Adddate: 2008-10-02 12:39:23 Started looking into this, and it's not as simple a problem I thought. We need to be able to determine if any given Controller is being accessed with a request that did not follow from a previous controller method's invocation. Otherwise any other set of request params might be inappropriate for the state of the backing bean(s) accessed by the new page. Not sure how to handle this yet...
I feel like this is a fairly critical bug, so going to up to priority 1. Submitted By: Andrew Tolopko
Adddate: 2008-10-02 12:39:23 A related issue: if the HTTP session has expired, and the user clicks on "logout", the user is asked to login first, and is then logged out, as originally requested, causing another login screen to appear. This is nuts! Submitted By: Andrew Tolopko
Adddate: 2008-10-02 12:39:24 For logout issue, should probably create an explicit "you are logged out" page, which is unprotected, and thus does not cause Tomcat to invoke authentication page.
For issue of using invalid (old) pages, should be able to take advantage of the jsf_sequence session attribute (a counter), in order to Do The Right Thing when a link from an old page is accessed. Submitted By: Andrew Tolopko
Adddate: 2008-10-02 12:39:24 minimally, we should at least redirect to main page when requested url is invalid Submitted By: Sean Erickson
Adddate: 2009-01-12 11:10:31 When user - persistent options are implemented this should become a priority 2 ticket. from http://forge.abcd.harvard.edu/gf/project/screensaver/tracker/?action=TrackerItemEdit&tracker_item_id=1171&start=75