JSF:登录后刷新页面会返回登录页面

时间:2015-05-07 14:11:31

标签: java security jsf jsf-2 wildfly

我在JSF应用程序中使用容器管理的安全性。我能够成功登录并进入受保护区域。但如果我点击浏览器的刷新按钮,就会回到登录页面。据我推断,已通过身份验证的会话由于某种原因丢失了,导致我被重定向到登录页面。

为了确保你理解我的问题,步骤如下: 1)访问受保护区域,显示登录页面 2)输入凭据并点击登录 3)显示经过身份验证后受保护的JSF页面 4)点击刷新,又显示登录页面。

我记录了请求的会话ID,发现它们在变化。

web.xml(相关部分)

172.XXX.XXX.XXX

身份验证

<!-- Registers the JSF front controller under the name "Faces Servlet";
     load-on-startup=1 asks the container to initialise it at deployment. -->
<servlet>
    <servlet-name>Faces Servlet</servlet-name>
    <servlet-class>javax.faces.webapp.FacesServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
</servlet>

<!-- Every *.xhtml request is routed through the Faces Servlet. -->
<servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>*.xhtml</url-pattern>
</servlet-mapping>

<!-- The JAX-RS application is exposed under /mappings/service/*. That path sits inside
     the /mappings/* pattern of the security constraint in this file, so the same
     method-limited protection applies to the REST endpoints. -->
<servlet-mapping>
    <servlet-name>javax.ws.rs.core.Application</servlet-name>
    <url-pattern>/mappings/service/*</url-pattern>
</servlet-mapping>

<!-- Restricts /mappings/* to callers holding the IESI role.
     NOTE(review): because <http-method> elements are listed, the constraint covers only
     GET and POST. Other methods (HEAD, PUT, DELETE, OPTIONS, ...) on /mappings/* are not
     covered by this constraint. Either drop the <http-method> elements so every method
     is constrained, or, on Servlet 3.1+, add <deny-uncovered-http-methods/> to the
     web-app element.
     NOTE(review): no <user-data-constraint> appears in this excerpt, so nothing here
     requires a confidential (TLS) transport for the protected area. Confirm that TLS is
     enforced elsewhere. -->
<security-constraint>
    <display-name>IESI Security Constraint</display-name>
    <web-resource-collection>
        <web-resource-name>Protected Area</web-resource-name>
        <url-pattern>/mappings/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>IESI</role-name>
    </auth-constraint>
</security-constraint>

<!-- Container-managed FORM authentication against ApplicationRealm. Unauthenticated
     requests for a constrained resource are sent to /index.xhtml; failed container
     logins are sent to /logout.xhtml.
     NOTE(review): the Authenticator bean on this page authenticates with
     HttpServletRequest.login() rather than a j_security_check post. Verify that the
     identity it establishes is the one the container checks on later requests to
     /mappings/*. TODO confirm against the server's security domain configuration. -->
<login-config>
    <auth-method>FORM</auth-method>
    <realm-name>ApplicationRealm</realm-name>
    <form-login-config>
        <form-login-page>/index.xhtml</form-login-page>
        <form-error-page>/logout.xhtml</form-error-page>
    </form-login-config>
</login-config>

<!-- Declares the IESI role that the auth-constraint above refers to. -->
<security-role>
    <role-name>IESI</role-name>
</security-role>

<!-- Sessions expire after 30 minutes of inactivity and are tracked by cookie only, so
     the session id is never placed in URLs.
     NOTE(review): no <cookie-config> appears in this excerpt, so the http-only and
     secure flags are left at the container's defaults. Set them explicitly.
     With cookie-only tracking, a session cookie that the browser does not send back
     (path, domain or secure-flag mismatch) yields a new session on every request, which
     would match the changing session ids described on this page. TODO confirm by
     inspecting the Set-Cookie and Cookie headers. -->
<session-config>
    <session-timeout>30</session-timeout>
    <tracking-mode>COOKIE</tracking-mode>
</session-config>

的PhaseListener

@ManagedBean
@SessionScoped
public class Authenticator
{
   private static final Logger LOGGER = LoggerFactory.getLogger(Authenticator.class);

   private String username;

   private String password;

   /**
    * Returns the user name currently bound to this bean.
    *
    * @return the stored user name, or {@code null} if none has been set
    */
   public String getUsername()
   {
      return this.username;
   }

   /**
    * Stores the user name that {@code login()} will pass to the container.
    *
    * @param username the user name to keep on this bean
    */
   public void setUsername(String username)
   {
      // The parameter shadows the field, so the field must be qualified with "this".
      this.username = username;
   }

   /**
    * Returns the plaintext password currently held by this bean.
    *
    * <p>The bean is {@code @SessionScoped}, so whatever is stored in this field stays
    * reachable through the HTTP session until it is overwritten or the session ends.
    *
    * @return the stored password, or {@code null} if none has been set
    */
   public String getPassword()
   {
      return this.password;
   }

   /**
    * Stores the plaintext password that {@code login()} will pass to the container.
    *
    * <p>The value lives on a {@code @SessionScoped} bean, so it is kept in the HTTP
    * session for as long as the field holds it.
    *
    * @param password the password to keep on this bean
    */
   public void setPassword(String password)
   {
      // The parameter shadows the field, so the field must be qualified with "this".
      this.password = password;
   }

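   /**
    * Authenticates the stored user name and password against the container and selects
    * the next view.
    *
    * <p>Any identity already attached to the request is logged out first, because
    * {@code HttpServletRequest.login} throws a {@code ServletException} when the
    * request is already authenticated. On success the principal is stored in the session
    * map under the key {@code "user"}.
    *
    * <p>The password field is cleared when this method finishes, whatever the outcome,
    * so that the plaintext credential does not stay in this session-scoped bean.
    *
    * @return a redirect to {@code /mappings/mappings.xhtml} when the authenticated user
    *         holds the {@code IESI} role; otherwise the {@code "login"} outcome
    */
   public String login()
   {
      final FacesContext context = FacesContext.getCurrentInstance();
      final HttpServletRequest request = (HttpServletRequest) context.getExternalContext().getRequest();

      try
      {
         if (request.getUserPrincipal() != null)
         {
            request.logout();
         }
         request.login(username, password);

         // NOTE(review): confirm that the container issues a fresh session id at this
         // point (session-fixation defence). On Servlet 3.1+ request.changeSessionId()
         // can be called explicitly if it does not.
         final Principal principal = request.getUserPrincipal();
         context.getExternalContext().getSessionMap().put("user", principal);

         // Parameterized logging keeps the user-supplied name out of the format string.
         LOGGER.debug("Authenticated user: {}", principal.getName());

         if (request.isUserInRole("IESI"))
         {
            return "/mappings/mappings.xhtml?faces-redirect=true";
         }

         // NOTE(review): the caller is authenticated here but lacks the IESI role. The
         // identity and the "user" session entry are kept and no message is shown.
         // Confirm this is intended rather than logging the user out again.
         return "login";
      }
      catch (final ServletException e)
      {
         // Record rejected attempts so that repeated failures show up in the logs.
         // Neither the password nor the raw user name is written to the log.
         LOGGER.warn("Container rejected login attempt", e);
         context.addMessage(null, new FacesMessage(FacesMessage.SEVERITY_WARN, "Login failed!", null));
         return "login";
      }
      finally
      {
         // Do not keep the plaintext credential in the HTTP session once the attempt
         // is over.
         password = null;
      }
   }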

   /**
    * Ends the current HTTP session and navigates back to the login view.
    *
    * <p>NOTE(review): only the session is invalidated and
    * {@code HttpServletRequest.logout()} is not called. Confirm that the container
    * also drops the authenticated identity (for example any cached or single-sign-on
    * credentials) when the session goes away.
    *
    * @return the {@code "login"} navigation outcome
    */
   public String logout()
   {
      final FacesContext facesContext = FacesContext.getCurrentInstance();
      facesContext.getExternalContext().invalidateSession();
      return "login";
   }

0 个答案:

没有答案