I found this article of yours very helpful. However when I try to implement the same, I am getting “session expired” message when user tries to log in for the first time into the application. After logging in, once the session expires, I am getting the session expired message as desired. Is there anything I need to do to see “session expired” message not appear when user logs into application.

Thanks.

Sorry for my delay.

The session expired event is fired after the context is reconstructed (it actually checks for the new session and is *not* fired when the session is destroyed). Thus, your CustomAuthenticator is part of the new session ensuring the message is available. Flushing the messages after the INVOKE_APPLICATION phase will only work if the INVOKE_APPLICATION phase is executed (which may be your issue). What you can do is configure an <action> in your pages.xml configuration for the login page which executes your flush. By the time the action executes the FacesMessages component is available from the context.

The best approach is using the patch submitted for JBSEAM-2257 as it avoids issues with the context not being available. The session expiration check is performed *after* the context has been initialized ensuring that the FacesMessages component is available when the event is fired. This is scheduled for inclusion in 2.1.0.GA.

Hope that helps.

Jacob

I am following your method. However, I could not make it work on the flushMessages() part. Because the HttpSession has expired, and CustomAuthenticator is a SESSION scope bean, when it’s the time FacesMessages is available, CustomAuthenticator is already re-constructed and this.messages is already gone.

Please explain how you do “The flushMessages method should be invoked either by an action on your pages.xml or by flushing after the INVOKE_APPLICATION phase (this is up to your preference).” Especially how to do it by an action on your pages.xml.

I invoke flushMessages() by

@Observer("org.jboss.seam.afterPhase")
public void flushMessages(PhaseEvent event) {
PhaseId id = event.getPhaseId();
if(id == PhaseId.INVOKE_APPLICATION){
for(FacesMessage message : this.faceMessages){
FacesMessages.instance().add(message);
}
faceMessages.clear();
}
}


Thank you very much.

You do not have to modify the seam source. It simply means that you have to keep in mind that the notification only works for general cookie settings as described in the next paragraph, i.e. cookies expire when the browser session is ended (browser is closed).

If the cookie is set to never expire or expiration occurs at some future date, the security.sessionExpired event will be triggered any time the session expires (regardless of whether the browser is closed and then reopened). Hope that clarifies your question.

your post is really helpful. I want to clarify one point.. Can you please elaborate what you mean by.. “you can basically notify the user when the server session has ended by adding the following to a PhaseListener”. Does this mean we need to modify seam source?

Sorry that I cannot make it work with the new org.jboss.seam.loggedOut event. So I followed your approach to make a third page in between. I used my home page, which does not require login, and clear the messages list there. In this way, I don’t need to redirect to the login page.

Thank you very much for all your help and have a nice day!

Best regards,
Sheng

Thanks a lot for the tutorial and it is great. However, the meta refresh solution is not very desirable to us because our application cannot redirect to another page without user’s explicit request.

I am in the middle of upgrading from Seam beta to 2.0.0.GA, so I will try the new org.jboss.seam.loggedOut event as you suggested. I will let you know the result.

Have a nice day!

Best regards,
Sheng