[SOLVED] Unwanted redirect to http://localhost:8080/login/j_security

Unwanted redirect to http://localhost:8080/login/j_security_check after logging in

When I log in, I am redirected to http://localhost:8080/login/j_security_check instead of the desired welcome page which is specified in the web.xml. This only happens if I log out before, if I log in from scratch it works like a charm.

<html xmlns="http://www.w3.org/1999/xhtml"      
      xmlns:h="http://xmlns.jcp.org/jsf/html"

      xmlns:p="http://primefaces.org/ui">
    <h:head>
        <h:outputStylesheet library="css" name="main.css"  />
        <title>Login</title>
    </h:head>
    <body>
        <div class="login_form">
            <h:form id="login" prependId="false" class="login_form"
                    onsubmit="document.getElementById('login').action = 'j_security_check';">
                <br/><br/>
                <p:graphicImage value="/resources/img/ggs_logo.png" styleClass="login_logo"/>
                <h1>Icosphere</h1> 
                <h1>Data Platform</h1>
                <p:inputText  id="j_username" size="20" />
                <br/>
                <p:password  id="j_password" size="20"/>
                <br/><br/>            
                <p:commandButton id="submit" value="Log in" ajax="false"/>

            </h:form>
        </div>
    </body>
</html>

Logout page

<html xmlns="http://www.w3.org/1999/xhtml"
      xmlns:p="http://primefaces.org/ui"
      xmlns:h="http://xmlns.jcp.org/jsf/html">
    <body>
        <div class="leftright">
            <span class="aligned">
                <h:form>
                    <p:commandButton ajax="false" action="#{logoutBean.logout()}"
                                     value="Logout!"/>  
                </h:form>          
            </span>
        </div>
    </body>
</html>

Logout Bean

@Named(value = "logoutBean")
@ApplicationScoped
public class LogoutBean {
    public String logout() throws ServletException {
        Principal userPrincipal = FacesContext.getCurrentInstance().getExternalContext().getUserPrincipal();
        FacesContext.getCurrentInstance().getExternalContext().invalidateSession();
        return "/login/login.xhtml?faces-redirect=true'";
    }
}

Solution

Your LogoutBean needs to redirect to your "welcome" page, rather than the login form.

Standard web security displays the designated login form whenever the client requests a resource that is protected. When the user has authenticated the container returns the originally requested resource.

So, what is happening is you are deliberately trying to display the login form; but it is protected so the container redirects you to the same login form; the user authenticates and then returns the originally requested login form.

Therefore you never link to the login page directly. It will always be presented as soon as a protected resource is requested.