My jsp page is showing the last view after writing the URL directly

I'm using JSF 1.2 for developing a small page that requires the user to log in. A user may have one of three roles, and I should validate whether a given user has access to a page given his role.

Let's say an admin is the only one that can access the Transactions Report. In the ViewTransactionReportBean default constructor I'm validating this:

HttpSession session = (HttpSession) FacesContext.getCurrentInstance().getExternalContext().getSession(false);
LoginBean lb = null;
try {
    lb = (LoginBean) session.getAttribute("loginBean");
    char role = lb.getRole();
    if (role != 'A') {
        // Throw an exception to invalidate access
    }
} // catch here both invalid user or null pointer (not logged in) exceptions

This bean is request scoped, so it should load with every HTTP request I make, right?

Let's test this scenario: I login as an admin. I click on the View Transaction Report page. I can see the report. I click Home. I click Log out (with logic):

public String logOut() {session.invalidate(); return "success";}

After I log out (and I'm back at the login page), I directly access ../faces/viewTransactionReport.jsp by entering the URL in my browser. Instead of showing an error message, I get to see the whole report, in exactly the last state I left it before I clicked Home (before logout). It is not until I refresh the page (F5) that I get the error message saying that I'm not logged in or I don't have permissions.

After I tried debugging, when I entered the URL directly in my browser, I noticed that not even the bean constructor was called.

But I have no idea why.

Answers


I noticed that not even the bean constructor was called.

The page is apparently being requested from the browser cache instead of straight from the server. Performing a hard reload (Ctrl+F5) should make the browser actually send an HTTP request to the server. You can track this in the browser's built-in HTTP traffic monitor (press F12 in Chrome/Firefox>=23/IE>=9).

You should actually be instructing your browser to not cache restricted pages. You can achieve that by creating a simple servlet filter with the following logic in doFilter() method:

@Override
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
    HttpServletResponse response = (HttpServletResponse) res;
    response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1.
    response.setHeader("Pragma", "no-cache"); // HTTP 1.0.
    response.setDateHeader("Expires", 0); // Proxies.
    chain.doFilter(req, res);
}

If you map this filter on a URL pattern covering restricted pages (perhaps the entire /faces/*?) then it should solve the problem for you:

<filter>
    <filter-name>noCacheFilter</filter-name>
    <filter-class>com.example.NoCacheFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>noCacheFilter</filter-name>
    <url-pattern>/faces/*</url-pattern>
</filter-mapping>
