I am working on a web application running on GlassFish 4. I use simple form-based login (j_security_check). I have a JSF page through which the user can manipulate data stored in a database. This page is backed by a view-scoped bean and I pass the ID of the selected object to this bean as a GET-request parameter. There is a method which is called before the view is rendered (preRenderView event):

    public void initializeData() throws ItemNotFoundException {
        if (objectId == 0) {
            throw new ItemNotFoundException("Invalid ID: 0");
        } else if (objectId > 0) {
            // Find object with the specified ID
            test = getTestFacade().find(objectId);
            if (test == null) {
                throw new ItemNotFoundException(
                        "Item not found (ID: " + objectId + ")");
            }
        }
        // ...
    }

As you can see, ItemNotFoundException is thrown when the requested object is not found. I created a custom error page for this exception type. The page backed by the view-scoped bean is protected; the user must be logged in before accessing it.
Now, here is my problem: If I specify an invalid ID in the request URI and I am not yet logged in when I try to access the page, my login page is shown. After logging in with the correct username and password I see my custom error page, since the requested object was not found. But if after this I try to access another protected page, it seems like I am not authenticated, and I need to repeat the login procedure.
I think this behaviour is totally illogical and it is unacceptable in my case. I don't think I am doing something wrong, but I can't rule out this possibility. It would be nice to know if this is the expected behaviour. (I hope it isn't.) Also, I am wondering if this qualifies as a bug in GlassFish. And of course it would be great to find a solution or a workaround for this bug.