Display user info on postback from protected pages

Posted 2019-08-15 13:32

Question:

I have a JSF app with a div on the left that displays the user name of the logged-in user on the main page.

I store the logged-in user's info in a sessionScoped managed bean.

I have a couple of protected pages on the main page for which I use a container-managed JDBC realm.

If the user directly clicks on the links without logging in, container-managed security kicks in and asks the user to log in, which is fine.

Now if the user hits the back button, the browser displays the main page. Now how do I display the user's name here, as my managed bean has not been triggered?

Also the browser seems to cache the page and does request the page from the server. Can anyone shed some light, please?

Thanks, Goutham

Answer 1:

Disable browser caching of dynamic JSF pages. Create a filter which is mapped on *.xhtml and does the following job in the doFilter() method:

@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
    HttpServletRequest httpReq = (HttpServletRequest) request;
    HttpServletResponse httpRes = (HttpServletResponse) response;

    if (!httpReq.getRequestURI().startsWith(httpReq.getContextPath() + ResourceHandler.RESOURCE_IDENTIFIER)) { // Skip JSF resources (CSS/JS/Images/etc)
        httpRes.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1.
        httpRes.setHeader("Pragma", "no-cache"); // HTTP 1.0.
        httpRes.setDateHeader("Expires", 0); // Proxies.
    }

    chain.doFilter(request, response);
}

This way the browser is forced to send a full HTTP request instead of showing the page from the browser cache.

For displaying the user login name of container-managed security, I would by the way just use #{request.remoteUser} instead.

<h:outputText value="Welcome, #{request.remoteUser}!" rendered="#{not empty request.remoteUser}" />
<h:link value="Login" outcome="login" rendered="#{empty request.remoteUser}" />
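
To confirm the filter is taking effect on a deployed app, the check below (an added example, not part of the original answer) audits captured response headers the same way the filter decides: JSF resources are skipped, every other page must carry all three headers. The context path /app, the page names and the sample headers are constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Value of javax.faces.application.ResourceHandler.RESOURCE_IDENTIFIER
RESOURCE_IDENTIFIER = "/javax.faces.resource"
REQUIRED = {"no-cache", "no-store", "must-revalidate"}

def expires_in_past(value):
    """True if an Expires value is already expired (invalid dates count as expired)."""
    try:
        when = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return True
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return when <= datetime.now(timezone.utc)

def header_problems(headers):
    """List which of the filter's three headers are absent or too weak."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    directives = {d.split("=", 1)[0].strip().lower()
                  for d in h.get("cache-control", "").split(",") if d.strip()}
    problems = []
    if REQUIRED - directives:
        problems.append("Cache-Control lacks " + ", ".join(sorted(REQUIRED - directives)))
    if h.get("pragma", "").lower() != "no-cache":
        problems.append("Pragma is not no-cache")
    if "expires" not in h or not expires_in_past(h["expires"]):
        problems.append("Expires is missing or in the future")
    return problems

def audit(context_path, responses):
    """Return {uri: problems} for dynamic pages; JSF resources are skipped as in the filter."""
    prefix = context_path + RESOURCE_IDENTIFIER
    checked = {uri: header_problems(h) for uri, h in responses if not uri.startswith(prefix)}
    return {uri: p for uri, p in checked.items() if p}

# Constructed sample responses (hypothetical context path and page names).
SAMPLE = [
    ("/app/main.xhtml", {"Cache-Control": "no-cache, no-store, must-revalidate",
                         "Pragma": "no-cache", "Expires": "Thu, 01 Jan 1970 00:00:00 GMT"}),
    ("/app/protected/orders.xhtml", {"Cache-Control": "private, max-age=600"}),
    ("/app/javax.faces.resource/style.css", {"Cache-Control": "max-age=604800"}),
]

if __name__ == "__main__":
    for uri, problems in audit("/app", SAMPLE).items():
        print(uri, "->", "; ".join(problems))
```

A protected page that shows up in the findings is one the browser is still allowed to keep and redisplay without contacting the server.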