Home/ Questions/Q 6346911
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-24T21:06:33+00:00

I’m using form based authentication. I have a logout link which looks like: <h:commandLink

  • 0

I’m using form based authentication.

I have a logout link which looks like:

<h:commandLink action="#{loginBean.logout}">
    <h:outputText value="logout" />
</h:commandLink></div>

And the corresponding logout method:

public String logout() {
    FacesContext.getCurrentInstance().getExternalContext().invalidateSession();

    return "/view/index?faces-redirect=true"; // Redirect added as per BalusC's suggestion.
}

After hitting the logout link I’m returned to the front page, but seemingly without CSS. When I hit a button to run a search I get the following error:

javax.faces.application.ViewExpiredException: viewId:/view/index.jsf - View /view/index.jsf could not be restored.

And yet the CSS is actually under /resources which shouldn’t require authentication as I understand my web.xml:

    <security-constraint>
    <web-resource-collection>
        <web-resource-name>fizio</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>
</security-constraint>

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Unprotected area</web-resource-name>
        <url-pattern>/resources/*</url-pattern>
    </web-resource-collection>
</security-constraint>

From this state I seem to be able to login again and see some data between occasional view-could-not-be-restored errors, but no CSS. It’s all a bit broken really. Any suggestions would be appreciated.

ETA: Login form:

<form method="POST" action="j_security_check">
    <label for="j_password">Username:</label> <input type="text" name="j_username" />
    <br />
    <label for="j_password">Password:</label> <input type="password" name="j_password" /> <input type="submit" value="Login" />
</form>
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    You need to redirect after invalidate. Otherwise the page is been shown in midst of the “invalidated” session. Add faces-redirect=true to the outcome to trigger the redirect.

    public String logout() {
    FacesContext.getCurrentInstance().getExternalContext().invalidateSession();
    return "/index?faces-redirect=true";
}

    The redirect will cause the webbrowser to fire a new GET request after the POST response and in turn cause the server to create a brand new session. This way the views will work as intended.

    As to the CSS resources, they apparently still need a login. The “Unprotected area” constraint which you have there is not going to work. Remove it and change the URL-pattern of your main security constraint to for example /app/* or whatever a common path of the secured area is.

    • 0