
I have this JSF form in the file loginform.xhtml:

    <h:form>
        <h:panelGrid columns="3" styleClass="components" cellpadding="5px">
            <h:outputText value="#{msg['login.username']}"/>
            <h:inputText id="username" value="#{userManager.loginUser.username}" required="true"/>
            <h:message styleClass="error" for="username"/>
            <h:outputText value="#{msg['login.password']}"/>
            <h:inputSecret id="password" value="#{userManager.loginUser.password}"
                           required="true"/>
            <h:message styleClass="error" for="password"/>
            <h:commandButton value="#{msg['login.confirm']}"
                             action="#{userManager.doLogin}"/>
        </h:panelGrid>
    </h:form>

With this ManagedBean:

    import java.io.Serializable;
    import javax.ejb.EJB;
    import javax.faces.bean.ManagedBean;
    import javax.faces.bean.SessionScoped;

    // Session scoped, as stated in the comments below
    @ManagedBean
    @SessionScoped
    public class UserManager implements Serializable {

        /**
         * Creates a new instance of UserManager
         */
        public UserManager() {
        }

        // Holds the credentials typed into loginform.xhtml
        private UserRecord loginUser = new UserRecord();
        // The user currently logged in; null when nobody is
        private UserRecord sessionUser;
        @EJB
        private UserRecordFacadeLocal userRecordFacade;

        public UserRecord getLoginUser() {
            return loginUser;
        }

        public void setLoginUser(UserRecord loginUser) {
            this.loginUser = loginUser;
        }

        public UserRecord getSessionUser() {
            return sessionUser;
        }

        public void setSessionUser(UserRecord sessionUser) {
            this.sessionUser = sessionUser;
        }

        public String doLogout() {
            setSessionUser(null);
            return "logout";
        }

        public String doLogin() {
            // The credential check itself is delegated to the EJB facade
            if (userRecordFacade.authorizedAcces(loginUser.getUsername(), loginUser.getPassword())) {
                setSessionUser(loginUser);
                return "success";
            }
            return "failure";
        }

    }

Here is my question: if I open loginform.xhtml with a GET request (in my case: http://localhost:8080/Impetus-web/loginform.xhtml), the form is filled with the old values! Even with correct values - this is really bad for the security of the system :-). The same happens if I navigate to this page via the h:link tag. It works fine only if I get to the page via a POST request (via commandButton, e.g.).

How is it possible?

  • Probably your `UserManager` bean's scope is incorrect. Is it session scoped? – Aritz Aug 29 '13 at 09:05
  • Yes, it is session scoped. It should be, shouldn't it? – Petr Dušek Aug 29 '13 at 09:20
  • If you make it `@SessionScoped` it lies on the current HTTP Session, which makes it dependent on [your current HTTP Session tracking methodology](http://stackoverflow.com/a/8901917/1199132). Just change it to `@ViewScoped` or `@RequestScoped` depending on whether you want to keep view states or not. – Aritz Aug 29 '13 at 09:30
  • Could it be that the browser just stores those values, because you saved them? – noone Aug 29 '13 at 09:32
  • I have changed the scope, but the result is the same. As I said: it is crucial how I get to the form page. If I use a POST request (h:commandButton), it works as I wish. Otherwise (GET request) it does not. – Petr Dušek Aug 29 '13 at 09:36
  • Noone - this is possible. But how do I tell the browser not to do it? – Petr Dušek Aug 29 '13 at 09:36
  • Just a browser issue? When you enter the app you must select not to remember your current credentials... – Aritz Aug 29 '13 at 09:37
  • Ok. Thanks, guys, and sorry for this question. But I still don't know why this is happening only with the GET request... – Petr Dušek Aug 29 '13 at 09:51

1 Answer

JSF doesn't do that (as evidence, look in the generated HTML output). The web browser does that. This feature is called "autofill"/"autocomplete". Just tell it not to do that by adding autocomplete="off" to the individual input components.

    <h:inputText ... autocomplete="off" />
    <h:inputSecret ... autocomplete="off" />

Or if you're on JSF 2.2 (or are using OmniFaces Html5RenderKit), you could also set it form-wide.

    <h:form ... autocomplete="off">
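The answer's advice is to check the generated HTML: if the values are not in the markup, the server is not leaking them and the prefilling comes from the browser. The following script is an added example, not part of the question or the answer, that automates exactly that check over rendered login pages. It flags two distinct conditions: a password field whose value attribute is non-empty (a server-side redisplay problem, the kind JSF's h:inputSecret avoids by default) and any text or password field that carries neither its own autocomplete="off" nor a form-wide one (the browser-side autofill the answer describes). The HTML samples, the form and field ids (j_idt5, j_idt5:username, ...) and the password string are constructed for the example and do not come from the original post.

```python
from html.parser import HTMLParser

# Constructed sample of what JSF might render for the question's login form
# before any fix: the server writes no password back into the page, but
# nothing tells the browser not to autofill the two fields.
RENDERED_BEFORE = """
<form id="j_idt5" name="j_idt5" method="post" action="/Impetus-web/loginform.xhtml">
  <input type="hidden" name="j_idt5" value="j_idt5" />
  <input id="j_idt5:username" type="text" name="j_idt5:username" value="" />
  <input id="j_idt5:password" type="password" name="j_idt5:password" />
  <input type="submit" name="j_idt5:j_idt9" value="Login" />
</form>
"""

# Constructed sample after adding autocomplete="off" to the individual inputs.
RENDERED_PER_INPUT = RENDERED_BEFORE.replace(
    'type="text"', 'type="text" autocomplete="off"').replace(
    'type="password"', 'type="password" autocomplete="off"')

# Constructed sample of the form-wide variant from the answer.
RENDERED_FORM_WIDE = RENDERED_BEFORE.replace(
    'method="post"', 'method="post" autocomplete="off"')

# Constructed sample of a genuine server-side leak: the submitted password is
# echoed into the markup (what redisplay="true" on h:inputSecret would do).
RENDERED_ECHO = RENDERED_FORM_WIDE.replace(
    'name="j_idt5:password"', 'name="j_idt5:password" value="hunter2"')


class LoginFormAuditor(HTMLParser):
    """Walks rendered HTML and records login-field hygiene findings."""

    def __init__(self):
        super().__init__()
        self.form_autocomplete_off = False
        self.findings = []  # list of (field name, issue code), in document order

    def handle_starttag(self, tag, attrs):
        # HTMLParser hands back None for valueless attributes; normalise to "".
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.form_autocomplete_off = a.get("autocomplete", "").lower() == "off"
            return
        if tag != "input":
            return
        kind = a.get("type", "text").lower()
        if kind not in ("text", "password"):
            return  # hidden inputs and submit buttons are not user-typed fields
        name = a.get("name") or a.get("id") or "<unnamed>"
        # Server-side problem: the password was written into the page.
        if kind == "password" and a.get("value"):
            self.findings.append((name, "password-echoed-in-html"))
        # Client-side problem: nothing asks the browser not to autofill.
        field_off = a.get("autocomplete", "").lower() == "off"
        if not (field_off or self.form_autocomplete_off):
            self.findings.append((name, "missing-autocomplete-off"))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_autocomplete_off = False


def audit(rendered_html):
    """Return the findings for one rendered page as (name, issue) tuples."""
    parser = LoginFormAuditor()
    parser.feed(rendered_html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    samples = [("before", RENDERED_BEFORE), ("per-input", RENDERED_PER_INPUT),
               ("form-wide", RENDERED_FORM_WIDE), ("echo", RENDERED_ECHO)]
    for label, page in samples:
        print(f"{label:10s} {audit(page)}")
```

Run it against the HTML your server actually returns for a GET to the page (saved from the browser's "view source", not the DOM inspector, which already shows the autofilled values). An empty result for the "before" state of your own page is the evidence the answer refers to: the markup carries no credentials, so whatever appears in the fields was put there by the browser. Note that current browsers treat autocomplete="off" on login fields as a hint and may still offer saved passwords from their own password manager, so the attribute reduces the effect but does not guarantee it.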