View Expired Exception

 
sonia pandit
I am using JSF for the login page. I am getting the following error:

ViewExpiredException. No saved state view could be found for the view.

How do I fix this problem?

Thanks,

Sonia
 
Moh Afifi
In the JSF 1.2 specs, whenever the viewId which is used to restore the page view and is saved as a session variable on the server expires (due to session timeout on the server), and a page is requested with this viewId, a ViewExpiredException is raised.
I used a workaround to handle this and it worked fine for me. I have a phaseListener configured to listen to the RESTORE_VIEW phase.
In the afterPhase function, I add the following lines of code:

The try/catch above is for the exception that may be raised from the redirect function.
You can do anything in this if condition.
Hope this helps.
 
Bart Kummel
author
Hi Sonia,

You didn't tell what type of login you are using. Have you implemented a custom login solution? Or do you use standard JAAS security? JAAS and JSF do not play well together by default, unfortunately. In the last chapter of the Apache MyFaces 1.2 Web Application Development book, some best practices to get the combination of JAAS and JSF working are presented.

If you have implemented your own login solution, it might be that you are simply encountering a session timeout, as Moh suggested. In that case, his workaround might be a solution for you.

Best regards,
Bart
 
Tim Holloway
Bart, do you mean "JAAS" or "container-managed" security? They're 2 different things, although most J2EE servers support JAAS as one of the options for container-managed security realms.

It's not really that hard to use container-managed security in JSF, as long as you make allowances for the funny games that JSF URLs play. The "redirect" option is your friend there.

On the other hand, user-defined login/security frameworks have a pretty poor track record for both security and reliability, which is why I spend a lot of time discouraging their use. In fact, at the moment, one of my main projects has a DIY security system that I thought was one of the cleaner and more reliable ones. Until I discovered the loophole that would allow wholesale abuse of credit cards by relatively unsophisticated means.

The ViewExpiredException is one of the biggest warts on JSF. I put a filter in one of my apps that intercepts them, but it doesn't cover quite all the bases. JSF2 provides some extra hooks that will improve things, although the app in question hasn't been converted yet, so that option's out for the moment.
 
Bart Kummel
author
Hi Tim,

I did mean "container managed security", as you guessed. I share your opinion on "home made" security systems. I realize my post might be read as a plea against container managed security, but it certainly isn't. It's just that I am surprised every time again that the security isn't integrated better into JSF. However, as I said, in my book are some best practices regarding container managed security and JSF, that help to get a good working solution.

Best regards,
Bart
 
Tim Holloway
One thing that surprised me about JSF was that it didn't have direct support for role-based security in the core tagset the way Struts does. It's obviously possible - Tomahawk does it.

However, failing that, it's fairly easy to code EL expressions that accomplish the same thing.

Of course, suppressing the GUI is only half the job. One of the recent exploits I ran into suppressed GUI for non-authorized people, but if you knew the URL, you could do all the damage you wanted to anyway. Including, potentially, to system databases.

I'm kind of in favor of using AOP-style annotations to defend sensitive logic, but as far as I know, there's no present standard for that. Of course, that's actually something that (done well) would be applicable to more than just JSF, so an entirely independent JSR ought to cover that. Maybe one does, but I'm ignorant on that subject.
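
The "other half of the job" mentioned in the post above, as an added example that is not part of the original thread: a servlet filter that checks the container-managed role on every request, so a page is refused even when someone types its URL directly. The path prefixes, role names and class name are hypothetical, and `javax.servlet` (the JSF 1.2 era API) is assumed.

```java
import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Added example: enforces roles per request, whether or not the page rendered a link. */
public class RoleGuardFilter implements Filter {
    private static final String PUBLIC = "*";   // marker: no role needed
    // Hypothetical prefix -> role table; first match wins, so order matters.
    private static final Map<String, String> RULES = new LinkedHashMap<String, String>();
    static {
        RULES.put("/login.jsf", PUBLIC);
        RULES.put("/admin/", "admin");
        RULES.put("/orders/", "clerk");
    }

    /** Returns the required role, PUBLIC, or null when no rule matches (deny). */
    static String requiredRole(String path) {
        for (Map.Entry<String, String> rule : RULES.entrySet()) {
            if (path.startsWith(rule.getKey())) return rule.getValue();
        }
        return null;
    }

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        // Container-decoded path, without the context path or query string.
        String info = req.getPathInfo();
        String path = req.getServletPath() + (info == null ? "" : info);
        String role = requiredRole(path);
        // isUserInRole asks the container's realm; nothing here trusts request data.
        boolean allowed = PUBLIC.equals(role) || (role != null && req.isUserInRole(role));
        if (!allowed) {
            res.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;   // never reaches FacesServlet, so no action method runs
        }
        chain.doFilter(rq, rs);
    }

    public void init(FilterConfig cfg) {}
    public void destroy() {}
}
```

Map the filter to `/*` in web.xml so it runs ahead of the FacesServlet. A `<security-constraint>` in web.xml is the declarative, container-enforced way to get the same per-URL check.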
 