I have created a web application using JSF 2.0 where I want to prevent the user from going back after logout.
For a solution I looked at the great BalusC answer and tried something else; however, it is not working.
What I tried is as below.
    <h:commandLink value="logout" action="#{bean.makeMeLogut()}" />

In the bean I have
    public void makeMeLogut() {
        try {
            // get response from JSF itself instead of coming from filter.
            FacesContext.getCurrentInstance().getExternalContext().getSessionMap().put("isLoggedIn", "false");
            FacesContext.getCurrentInstance().getExternalContext().invalidateSession();
            HttpServletResponse hsr = (HttpServletResponse) FacesContext.getCurrentInstance().getExternalContext().getResponse();
            hsr.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1.
            hsr.setHeader("Pragma", "no-cache"); // HTTP 1.0.
            hsr.setDateHeader("Expires", 0); // Proxies.
            FacesContext.getCurrentInstance().getExternalContext().redirect("index.xhtml");
        } catch (IOException ex) {
            System.out.println("can't logut...");
        }
    }
As per BalusC's answer, I need to create a filter; however, I thought to use the JSF response and set the headers on it. However, it is not working.
Any idea where I am going wrong?
You’re not setting those headers on the response of the restricted page itself, but you’re only setting those headers on the response of the logout action. So the restricted page itself is still in the browser cache, only the logout action is not in the browser cache. However, the back button does not go to the logout action, it goes to the restricted page (which is thus still served up from the browser cache).
You really need a filter on all requests to those restricted pages, exactly as outlined in the answer you found.
Unrelated to the concrete problem, manipulating the session map right before invalidate makes no sense. The session invalidation would implicitly already clear out the entire map (as it basically refers to the attributes of the session). Just remove the line wherein you manipulate the session map.
Also, the catch on IOException which does only a stdout is extremely poor. Remove the whole try-catch and add throws IOException to the method. The container will handle it with an error page.