Develop Reference

JSF 2.3: Session expired vs ViewExpired problems

I am using JSF 2.3 (Mojarra), with PrimeFaces 7 on WildFly 17 and have a problem with (I suppose) an expired http ession, which I was not able to answer using the links below:
keep getting javax.faces.application.ViewExpiredException: viewId with jsf 2
JSF 2.3 Form Based Login and ViewExpiredException
To test my assumption I have put the following entry in my web.xml:
<session-config>
<cookie-config>
<http-only>true</http-only>
</cookie-config>
<session-timeout>1</session-timeout>
</session-config>
After deploying the application I opened two pages of it in different browsers:
The first page requires login that I performed successfully and then opened the page.
The second page requires a click on a link only (without login) and opens upon clicking this link.
Both pages use ViewScoped beans.
I wait a little more than one minute, when, according to the configuration above, the session should have expired.
1.) On the first page: when I click on the button below:
<p:commandButton icon="ui-icon-check" value="....." action="#{aveAngelBean.aveAngelegtOK}" update="#form" />
I only see that in the lower right corner a circle spins indicating that probably a JavaScript is executed, but nothing happens otherwise. I do not get any error in the console. When I click a second time on the button, nothing happens. Also, no code is executed on the server
2.) On the second page: when I click on the button below:
<p:commandButton icon = "ui-icon-check" value="#{msg['immobilien.ave.go.forward']}" action="#{persDatenBean.weiterUnterlagen}" update="#form">
<f:param name="validateOnWeiter" value="true"/>
</p:commandButton>
the #init method of the backing bean gets executed - meaning probably an attempt from the server to restore the view.
Then an error occurs, because the HTTP GET parameter, found in the URL of the link, which I initially invoked to get to this page:
?linkId=c91cc387-45f4-4c22-8829-4e3fd266c311_abd45a61-0e4e-4e7b-aa48-e9d858a5dbb9
is not being found.
My questions are:
1.) About the first page: How can I show the login-page instead of showing nothing?
2.) About the second page: How can I reload the page, when clicking the button, WITH the HTTP GET parameter that I used to initially invoke the page? Why is this parameter
?linkId=c91cc387-45f4-4c22-8829-4e3fd266c311_abd45a61-0e4e-4e7b-aa48-e9d858a5dbb9
somehow not considered at the time of pressing the button?
Below my web.xml:
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
version="3.0">
<context-param>
<param-name>javax.faces.STATE_SAVING_METHOD</param-name>
<param-value>server</param-value>
</context-param>
<context-param>
<param-name>javax.faces.PROJECT_STAGE</param-name>
<param-value>Development</param-value>
</context-param>
<context-param>
<param-name>primefaces.THEME</param-name>
<param-value>sapphire-#{guestPreferences.theme}</param-value>
</context-param>
<context-param>
<param-name>primefaces.FONT_AWESOME</param-name>
<param-value>true</param-value>
</context-param>
<context-param>
<param-name>javax.faces.FACELETS_LIBRARIES</param-name>
<param-value>/WEB-INF/primefaces-sapphire.taglib.xml</param-value>
</context-param>
<!-- #see http://jsfcorner.blogspot.co.at/2014/01/client-side-validation-example-of.html -->
<context-param>
<param-name>primefaces.CLIENT_SIDE_VALIDATION</param-name>
<param-value>true</param-value>
</context-param>
<context-param>
<param-name>primefaces.FONT_AWESOME</param-name>
<param-value>true</param-value>
</context-param>
<listener>
<listener-class>com.sun.faces.config.ConfigureListener</listener-class>
</listener>
<filter>
<filter-name>Character Encoding Filter</filter-name>
<filter-class>org.primefaces.sapphire.filter.CharacterEncodingFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>Character Encoding Filter</filter-name>
<servlet-name>Faces Servlet</servlet-name>
</filter-mapping>
<!-- JSF mapping -->
<servlet>
<servlet-name>Faces Servlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet>
<servlet-name>Job Repair Servlet</servlet-name>
<servlet-class>at.home.digest.web.ave.JobRepairServlet</servlet-class>
<load-on-startup>0</load-on-startup>
</servlet>
<servlet>
<servlet-name>InitServlet Servlet</servlet-name>
<servlet-class>at.home.digest.web.ave.InitServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet>
<servlet-name>Download Servlet</servlet-name>
<servlet-class>at.home.digest.web.DownloadServlet</servlet-class>
<load-on-startup>0</load-on-startup>
</servlet>
<!-- Map these files with JSF -->
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>*.jsf</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>*.faces</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>*/faces/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>*.xhtml</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>Job Repair Servlet</servlet-name>
<url-pattern>/ave/makler/admin/jobRep</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>Download Servlet</servlet-name>
<url-pattern>/heimdi/ave/download</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>Download Servlet</servlet-name>
<url-pattern>/ave/download</url-pattern>
</servlet-mapping>
<security-constraint>
<web-resource-collection>
<web-resource-name>All resources in /ave/makler/*</web-resource-name>
<description>All resources in /ave/makler/*</description>
<url-pattern>/ave/makler/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>makler</role-name>
<role-name>maklerChef</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>jBossJaasHeimdiRealm</realm-name>
<form-login-config>
<form-login-page>/login/login.jsf</form-login-page>
<form-error-page>/login/loginFailed.jsf</form-error-page>
</form-login-config>
</login-config>
<security-role>
<role-name>makler</role-name>
</security-role>
<security-role>
<role-name>maklerChef</role-name>
</security-role>
<security-role>
<role-name>kaufer</role-name>
</security-role>
<session-config>
<cookie-config>
<http-only>true</http-only> <!-- https://owasp.org/www-community/HttpOnly , #see also: https://www.cookiepro.com/knowledge/httponly-cookie/ -->
<!-- <secure>true</secure> --> <!-- https://owasp.org/www-community/controls/SecureCookieAttribute -->
</cookie-config>
<session-timeout>1</session-timeout>
</session-config>
<error-page>
<exception-type>javax.servlet.ServletException</exception-type>
<location>/error.faces</location>
</error-page>
<error-page>
<exception-type>javax.faces.FacesException</exception-type>
<location>/error.faces</location>
</error-page>
<error-page>
<exception-type>java.lang.Exception</exception-type>
<location>/error.faces</location>
</error-page>
<!--
<error-page>
<exception-type>javax.faces.application.ViewExpiredException</exception-type>
<location>/error.faces</location>
</error-page>
-->
</web-app>
Thank you

Just debug your Session issues with this SessionDebugListener...
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;
import lombok.extern.slf4j.Slf4j;
/**
* HttpSessionListener to monitor the creation and destruction of JSESSIONs.
*/
#Slf4j
public class SessionDebugListener implements HttpSessionListener {
#Override
public void sessionCreated(final HttpSessionEvent se) {
LOG.info("Session Created {}", se.getSession().getId());
}
#Override
public void sessionDestroyed(final HttpSessionEvent se) {
LOG.info("Session Destroyed {}", se.getSession().getId());
}
}
web.xml
<web-app ...>
<listener>
<listener-class>com.your.SessionDebugListener </listener-class>
</listener>
</web-app>
Here is a more advanced example: https://www.baeldung.com/httpsessionlistener_with_metrics

ViewExpiredException when accesing site via googlebot

On my JSF page (Primefaces) googlebot is causing ViewExpiredException when accessing site. It happens only on POST requests (invalid javax.faces.ViewState?).
I'm running on Wildfly 9.0.1.Final, Primefaces 5.3
My web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
version="3.1">
<context-param>
<param-name>javax.faces.PROJECT_STAGE</param-name>
<param-value>Production</param-value>
</context-param>
<context-param>
<param-name>javax.faces.PARTIAL_STATE_SAVING</param-name>
<param-value>true</param-value>
</context-param>
<context-param>
<param-name>javax.faces.STATE_SAVING_METHOD</param-name>
<param-value>server</param-value>
</context-param>
<context-param>
<param-name>javax.faces.DEFAULT_SUFFIX</param-name>
<param-value>.xhtml</param-value>
</context-param>
<context-param>
<param-name>com.sun.faces.resourceUpdateCheckPeriod</param-name>
<param-value>0</param-value>
</context-param>
<context-param>
<param-name>com.sun.faces.defaultResourceMaxAge</param-name>
<param-value>3628800000</param-value>
</context-param>
<context-param>
<param-name>primefaces.SUBMIT</param-name>
<param-value>partial</param-value>
</context-param>
<context-param>
<param-name>primefaces.THEME</param-name>
<param-value>bootstrap</param-value>
</context-param>
<context-param>
<param-name>primefaces.UPLOADER</param-name>
<param-value>native</param-value>
</context-param>
<context-param>
<param-name>org.primefaces.extensions.DELIVER_UNCOMPRESSED_RESOURCES</param-name>
<param-value>true</param-value>
</context-param>
<context-param>
<param-name>org.primefaces.extensions.WRAP_PRIME_FACES_RESOURCES</param-name>
<param-value>false</param-value>
</context-param>
<context-param>
<param-name>org.ocpsoft.rewrite.annotation.BASE_PACKAGES</param-name>
<param-value>pl.izen.carmen.rewrite</param-value>
</context-param>
<filter>
<filter-name>PrimeFaces FileUpload Filter</filter-name>
<filter-class>org.primefaces.webapp.filter.FileUploadFilter</filter-class>
<init-param>
<param-name>thresholdSize</param-name>
<param-value>51200</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>PrimeFaces FileUpload Filter</filter-name>
<servlet-name>Faces Servlet</servlet-name>
</filter-mapping>
<listener>
<listener-class>org.ocpsoft.rewrite.servlet.impl.RewriteServletRequestListener</listener-class>
</listener>
<listener>
<listener-class>org.ocpsoft.rewrite.servlet.impl.RewriteServletContextListener</listener-class>
</listener>
<filter>
<filter-name>OCPsoft Rewrite Filter</filter-name>
<filter-class>pl.izen.carmen.custom.servlet.IzenRewriteFilter</filter-class>
<async-supported>true</async-supported>
</filter>
<filter-mapping>
<filter-name>OCPsoft Rewrite Filter</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>FORWARD</dispatcher>
<dispatcher>REQUEST</dispatcher>
<dispatcher>INCLUDE</dispatcher>
<dispatcher>ASYNC</dispatcher>
<dispatcher>ERROR</dispatcher>
</filter-mapping>
<servlet>
<servlet-name>Public Images Servlet</servlet-name>
<servlet-class>pl.izen.carmen.servlets.images.PublicImagesServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>Public Images Servlet</servlet-name>
<url-pattern>/public_images/*</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>Product Images Servlet</servlet-name>
<servlet-class>pl.izen.carmen.servlets.images.ProductsImageServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>Product Images Servlet</servlet-name>
<url-pattern>/product/image/*</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>CKEditorUploadServlet</servlet-name>
<servlet-class>pl.izen.carmen.servlets.images.CKEditorUploadServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>CKEditorUploadServlet</servlet-name>
<url-pattern>/ckeditor/upload/uploadimage</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>Faces Servlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>*.jsf</url-pattern>
<url-pattern>*.xhtml</url-pattern>
<url-pattern>*.html</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>PrimePushServlet</servlet-name>
<servlet-class>org.primefaces.push.PushServlet</servlet-class>
<init-param>
<param-name>org.atmosphere.cpr.broadcasterCacheClass</param-name>
<param-value>org.atmosphere.cache.UUIDBroadcasterCache</param-value>
</init-param>
<init-param>
<param-name>org.atmosphere.annotation.packages</param-name>
<param-value>org.primefaces.push</param-value>
</init-param>
<init-param>
<param-name>org.atmosphere.cpr.packages</param-name>
<param-value>pl.izen.push</param-value>
</init-param>
<load-on-startup>0</load-on-startup>
<async-supported>true</async-supported>
</servlet>
<servlet-mapping>
<servlet-name>PrimePushServlet</servlet-name>
<url-pattern>/primepush/*</url-pattern>
</servlet-mapping>
<!--
<servlet>
<servlet-name>RESTEasy JSAPI</servlet-name>
<servlet-class>org.jboss.resteasy.jsapi.JSAPIServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>RESTEasy JSAPI</servlet-name>
<url-pattern>/rest-js</url-pattern>
</servlet-mapping>
-->
<servlet-mapping>
<servlet-name>CeneoServlet</servlet-name>
<url-pattern>/ceneo/servlet/*</url-pattern>
</servlet-mapping>
<servlet>
<display-name>CeneoServlet</display-name>
<servlet-name>CeneoServlet</servlet-name>
<servlet-class>pl.izen.carmen.custom.integration.ceneo.CeneoServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>HeurekaServlet</servlet-name>
<url-pattern>/heureka/*</url-pattern>
</servlet-mapping>
<servlet>
<display-name>HeurekaServlet</display-name>
<servlet-name>HeurekaServlet</servlet-name>
<servlet-class>pl.izen.carmen.custom.integration.heureka.HeurekaServlet</servlet-class>
</servlet>
<servlet-mapping>
<servlet-name>MerchantServlet</servlet-name>
<url-pattern>/merchant/servlet/*</url-pattern>
</servlet-mapping>
<servlet>
<display-name>MerchantServlet</display-name>
<servlet-name>MerchantServlet</servlet-name>
<servlet-class>pl.izen.carmen.custom.integration.google.GoogleMerchantServlet</servlet-class>
</servlet>
<servlet>
<servlet-name>SitemapXmlServlet</servlet-name>
<servlet-class>pl.izen.carmen.custom.servlet.SitemapXmlServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>SitemapXmlServlet</servlet-name>
<url-pattern>/sitemap.xml</url-pattern>
</servlet-mapping>
<servlet>
<servlet-name>RobotsTxtServlet</servlet-name>
<servlet-class>pl.izen.carmen.custom.servlet.RobotsTxtServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>RobotsTxtServlet</servlet-name>
<url-pattern>/robots.txt</url-pattern>
</servlet-mapping>
<welcome-file-list>
<welcome-file>start.xhtml</welcome-file>
</welcome-file-list>
<security-role>
<role-name>admin</role-name>
</security-role>
<security-role>
<role-name>administrator</role-name>
</security-role>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/login.xhtml</form-login-page>
<form-error-page>/loginError.xhtml</form-error-page>
</form-login-config>
</login-config>
<security-constraint>
<web-resource-collection>
<web-resource-name>CSS</web-resource-name>
<url-pattern>/javax.faces.resource/*</url-pattern>
<http-method>GET</http-method>
</web-resource-collection>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>CSS</web-resource-name>
<url-pattern>/resources/*</url-pattern>
<http-method>GET</http-method>
</web-resource-collection>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>SitemapXmlServlet</web-resource-name>
<url-pattern>/sitemap.xml</url-pattern>
<http-method>GET</http-method>
</web-resource-collection>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>RobotsTxtServlet</web-resource-name>
<url-pattern>/robots.txt</url-pattern>
<http-method>GET</http-method>
</web-resource-collection>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>Unsecured application frontend - object page</web-resource-name>
<description>Objects</description>
<url-pattern>/pages/seoObject.xhtml</url-pattern>
</web-resource-collection>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>login.xhtml</web-resource-name>
<description>Unprotect login.xhtml</description>
<url-pattern>/login.xhtml</url-pattern>
</web-resource-collection>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>Public resources</web-resource-name>
<description>All visible resources</description>
<url-pattern>*</url-pattern>
</web-resource-collection>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>All resources</web-resource-name>
<description>Protects all resources</description>
<url-pattern>/pages/admin/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
<role-name>administrator</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>All resources</web-resource-name>
<description>Protects all resources</description>
<url-pattern>/admin</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
<role-name>administrator</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>All resources</web-resource-name>
<description>Protects all resources</description>
<url-pattern>/index.xhtml</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
<role-name>administrator</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>Public Images Servlet</web-resource-name>
<url-pattern>/public_images/*</url-pattern>
<http-method>GET</http-method>
</web-resource-collection>
</security-constraint>
<security-constraint>
<web-resource-collection>
<web-resource-name>Unsecured application frontend</web-resource-name>
<description>Start page</description>
<url-pattern>/start.xhtml</url-pattern>
</web-resource-collection>
</security-constraint>
<session-config>
<session-timeout>60</session-timeout>
<cookie-config>
<http-only>true</http-only>
</cookie-config>
<tracking-mode>COOKIE</tracking-mode>
</session-config>
<error-page>
<error-code>500</error-code>
<location>/error/error_500.xhtml</location>
</error-page>
<error-page>
<error-code>408</error-code>
<location>/error/error_408.xhtml</location>
</error-page>
<error-page>
<error-code>403</error-code>
<location>/error/error_404.xhtml</location>
</error-page>
<error-page>
<error-code>404</error-code>
<location>/error/error_404.xhtml</location>
</error-page>
<error-page>
<exception-type>java.lang.Exception</exception-type>
<location>/error/error.xhtml</location>
</error-page>
<security-constraint>
<web-resource-collection>
<web-resource-name>secure</web-resource-name>
<url-pattern>/secure/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
<role-name>administrator</role-name>
</auth-constraint>
</security-constraint>
<mime-mapping>
<extension>ico</extension>
<mime-type>image/x-icon</mime-type>
</mime-mapping>
</web-app>
Almost all components im using are #ViewScoped (CDI), I'm not using #ConversationScoped components.
As You can see in web.xml I'm also using rewrite-filter with primepush (both are working just fine).
Request that is causing error:
X-FORWARDED-FROM: 66.249.79.135
METHOD: POST
PARAM: viewUrl => some_product_name
PARAM: commands:j_idt55 => commands:j_idt55
PARAM: javax.faces.ViewState => 1802363348692608902:3687015195185271050
PARAM: width => 1024
PARAM: javax.faces.source => commands:j_idt55
PARAM: javax.faces.partial.ajax => true
PARAM: javax.faces.partial.execute => #all
PARAM: commands => commands
PARAM: height => 1024
Edit:
It's happenig mostly on one page which uses additional param (viewUrl) which decides what product will be shown. This is a GET param but googlebot uses POST method. On this page user can add product to cart or rate it, nothing else.
GET requests from crawlers (google too) are working fine.
Edit2:
I observed that I got same exception when doing POST navigation (faces-redirect=true) but when I changed com.sun.faces.numberOfLogicalViews to 100 exception is not being thrown anymore. Why JSF is constructing so many views?
Any help would be greatly appreciated.

After a long time I found the cause. Google bot is cachig site and from some time has possiblity of firing posts requests on cached sites. It seems it was firing primefaces remote commads with old JSF ViewId. And that was the issue.

ViewExpiredException immediately after logging

I read that it is a problem of expired session, but in my case it's impossible because the session was just opened when the exception is thrown: I get to login page, fill up form and submit. After that I get ViewExpiredException. What can I do to resolve the problem?
This is my web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
<context-param>
<param-name>javax.faces.PROJECT_STAGE</param-name>
<param-value>Development</param-value>
<param-name>org.apache.myfaces.SERIALIZE_STATE_IN_SESSION</param-name>
<param-value>false</param-value>
<param-name>com.sun.faces.numberOfLogicalViews</param-name>
<param-value>100</param-value>
</context-param>
<listener>
<listener-class>org.apache.myfaces.webapp.StartupServletContextListener</listener-class>
</listener>
<servlet>
<servlet-name>Faces Servlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>*.xhtml</url-pattern>
</servlet-mapping>
<session-config>
<session-timeout>
30
</session-timeout>
</session-config>
<welcome-file-list>
<welcome-file>pages/login.xhtml</welcome-file>
</welcome-file-list>
<security-constraint>
<display-name>Admin</display-name>
<web-resource-collection>
<web-resource-name>Admin</web-resource-name>
<url-pattern>/pages/admin/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>admin</role-name>
</auth-constraint>
</security-constraint>
<security-constraint>
<display-name>User</display-name>
<web-resource-collection>
<web-resource-name>User</web-resource-name>
<url-pattern>/pages/user/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>user</role-name>
</auth-constraint>
</security-constraint>
<security-role>
<role-name>admin</role-name>
</security-role>
<security-role>
<description/>
<role-name>user</role-name>
</security-role>
<login-config>
<auth-method>FORM</auth-method>
<form-login-config>
<form-login-page>/pages/login.xhtml</form-login-page>
<form-error-page>/pages/errorLogin.xhtml?faces-redirect=true</form-error-page>
</form-login-config>
</login-config>
<error-page>
<error-code>403</error-code>
<location>/pages/errorLogin.xhtml</location>
</error-page>
<error-page>
<error-code>500</error-code>
<location>/pages/sessionExpired.xhtml</location>
</error-page>
<error-page>
<exception-type>javax.faces.application.ViewExpiredException</exception-type>
<location>/pages/sessionExpired.xhtml</location>
</error-page>

Try to use the STATE_SAVING_METHOD to client in your web.xml.
<context-param>
<param-name>javax.faces.STATE_SAVING_METHOD</param-name>
<param-value>client</param-value>
</context-param>
If you want to stick with the server mode try to increase your views:
<context-param>
<param-name>org.apache.myfaces.NUMBER_OF_VIEWS_IN_SESSION</param-name>
<param-value>40</param-value>
<description>Only applicable if state saving method is "server" (= default).
Defines the amount (default = 20) of the latest views are stored in session.
</description>
</context-param>

Directory not secured unless refreshed JSF

I have implemented a JAAS form based security for my site, and it is suppose to protect all the .xhtml files inside a folder named "secured" but it does not until that page is refreshed.
On first visit the url does not name the file either and just shows"faces/catalog.xhtml" that was the previous unprotected page then if i hit refresh it works then.
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd">
<context-param>
<param-name>javax.faces.FACELETS_LIBRARIES</param-name>
<param-value>/WEB-INF/bookstore.taglib.xml</param-value>
</context-param>
<servlet>
<servlet-name>Faces Servlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>/faces/*</url-pattern>
</servlet-mapping>
<session-config>
<session-timeout>
30
</session-timeout>
</session-config>
<welcome-file-list>
<welcome-file>faces/catalog.xhtml</welcome-file>
</welcome-file-list>
<security-constraint>
<web-resource-collection>
<web-resource-name>customer</web-resource-name>
<description/>
<url-pattern>/faces/secured/checkout.xhtml</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>customer</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>FORM</auth-method>
<realm-name>myjdbc</realm-name>
<form-login-config>
<form-login-page>/login.xhtml</form-login-page>
<form-error-page>/login_error.xhtml</form-error-page>
</form-login-config>
</login-config>
<security-role>
<role-name>customer</role-name>
</security-role>
oh also calling the secured page like this:
public String buy() {
if (getNumberOfItems() < 1) {
message(null, "CartEmpty");
return (null);
} else {
return ("/secured/checkout");
}
}
Trying to figure this out for some time now, thanks for the help.

Remove faces servlet url pattern and page extension from url

i have a command link in my page which looks like:
<h:commandLink value="Add user" action="add?faces-redirect=true" />
and when i click it, it goes to url:
http://localhost:8080/myapp/faces/add.xhtml
but i want the url to be:
http://localhost:8080/myapp/add
how to do that ?
i am using spring 3, jsf 2
this is my web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://java.sun.com/xml/ns/javaee"
xmlns:web="http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
id="WebApp_ID" version="2.5">
<display-name>myapp</display-name>
<!-- Add Support for Spring -->
<listener>
<listener-class>
org.springframework.web.context.ContextLoaderListener
</listener-class>
</listener>
<listener>
<listener-class>
org.springframework.web.context.request.RequestContextListener
</listener-class>
</listener>
<!-- Change to "Production" when you are ready to deploy -->
<context-param>
<param-name>javax.faces.PROJECT_STAGE</param-name>
<param-value>Development</param-value>
</context-param>
<!-- Welcome page -->
<welcome-file-list>
<welcome-file>faces/users.xhtml</welcome-file>
</welcome-file-list>
<!-- JSF mapping -->
<servlet>
<servlet-name>Faces Servlet</servlet-name>
<servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>
<!-- Map these files with JSF -->
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>/faces/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>*.jsf</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>*.faces</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>Faces Servlet</servlet-name>
<url-pattern>*.xhtml</url-pattern>
</servlet-mapping>
</web-app>

You can use PrettyFaces for it.