I am totally confused now. Consider the following pages in one web application:
/index.jsp (simple welcome file not protected)
/Login.jsp (login page)
/manage/ManageAccount.jsp (some protected resource)
1. request /Login.jsp directly and submit login form
2. authenticated, redirect to the context root, /index.jsp
3. request /manage/ManageAccount.jsp
4. fail and redirect to /Login.jsp
5. click the browser's "Back" button, go back to /index.jsp
6. request /manage/ManageAccount.jsp again, succeed
How could this happen? I'm working on glassfish-v2ur2, using FORM_AUTH with a custom realm for my
JSF application.
I read some source code around FormAuthenticator. It seems the server uses some kind of session cache for saving user principals during authentication. Is there any possibility that the above problem comes from this mechanism, or is it just some bug in my application?
Thanks for any reply.
Stephen
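One way to narrow down whether the container or the application is losing the authenticated user between steps 2 and 6 is to log the container's own view of the caller on every request and replay the six steps. The servlet filter below is an added example, not code from Stephen's application or from GlassFish; the class name AuthTraceFilter and the web.xml mapping in its comment are assumptions. It only reads request and session state and never creates a session, so it does not change the behaviour being observed.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.logging.Logger;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/**
 * Diagnostic filter (added example, not part of the original post or of
 * GlassFish): logs the container's view of the caller for every request so
 * the six steps in the post can be replayed and compared. Register it in
 * web.xml for the whole application (names are assumed):
 *
 *   <filter>
 *     <filter-name>authTrace</filter-name>
 *     <filter-class>AuthTraceFilter</filter-class>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>authTrace</filter-name>
 *     <url-pattern>/*</url-pattern>
 *   </filter-mapping>
 *
 * In GlassFish the FormAuthenticator is a valve that runs before the filter
 * chain, so the request for /manage/ManageAccount.jsp that is refused at
 * step 4 never reaches this filter; what the log shows for step 4 is the
 * redirected request for /Login.jsp.
 */
public class AuthTraceFilter implements Filter {
    private static final Logger LOG = Logger.getLogger(AuthTraceFilter.class.getName());

    public void init(FilterConfig config) { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            LOG.info(describe((HttpServletRequest) req));
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }

    /** One log line per request: method, URI, session identity, and the container's principal. */
    static String describe(HttpServletRequest r) {
        HttpSession session = r.getSession(false);   // do not create a session just to log
        Principal p = r.getUserPrincipal();
        StringBuilder sb = new StringBuilder();
        sb.append(r.getMethod()).append(' ').append(r.getRequestURI());
        sb.append(" requestedSession=").append(r.getRequestedSessionId());
        sb.append(" sessionValid=").append(r.isRequestedSessionIdValid());
        sb.append(" session=").append(session == null ? "none" : session.getId());
        sb.append(" authType=").append(r.getAuthType());
        sb.append(" principal=").append(p == null ? "null" : p.getName());
        sb.append(" remoteUser=").append(r.getRemoteUser());
        return sb.toString();
    }
}
```

Replay the six steps with this filter installed and compare the lines for steps 2, 4, 5 and 6. If the session ID logged at step 4 differs from the one logged at step 2, the browser did not send the authenticated session with that request and the problem is on the client or cookie side; if the session ID is the same throughout but the principal is null at step 4 and non-null at step 6, the container's session-to-principal association is what changed between those requests, which is the mechanism the post asks about.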