CUBA authentication by URL problem

I am trying to use the authentication by URL mechanism as described in the and I’ve noticed the following (I am using the first approach that is described in the sample application)

When any user -the first time- tries to login into the application using a url that includes an appropriate token, then everything is working as expected. Now, if the same user tries to connect from his browser changing the token in the url in order to login as a different user -he can use either the same open browser window or create a new tab), then it is logged in as the old user! It seems that the CUBA application ignores the new URL, using instead the available session. So, I would like to ask you if we could somehow invalidate the current session in the provided first sample to allow users login any time with the current URL token. If not, we could somehow create a logout link to the application? Although this type of link seems not be provided by the CUBA framework I’ve found some instructions on the Forum describing a way to make a similar operation but I’ve found all of the them very advanced - Is there an easy way or a ready-to-use sample code to bypass the aforementioned problem?

Thanks in advance


Since you have logged in the application from your browser, the link with navigation params will not work because CubaLoginScreenFilter will proceed without opening the Login screen. For the appropriate work, you need to log out, before handling the link with another token.

I can suggest you to use NavigationFilter (see documentation). It checks access for the given route and here we can process our navigation params.

In the filter, we should check that we are navigating to the login screen and then check the secret token and user.


public AccessCheckResult allowed(NavigationState fromState, NavigationState toState) {
    String loginWindowRoute = windowConfig.findRoute("loginWindow");
    if (Objects.equals(loginWindowRoute, toState.getRoot())) {

        // check if current connection is authenticated
        Connection connection = App.getInstance().getConnection();
        if (connection.isAuthenticated()) {

            // get secret token from params
            Map<String, String> params = toState.getParams();
            String st = params.get("st");

            User user = connection.getSessionNN().getUser();

            // if current user is auth, but ST does not correspond to the user do logout
            if (!isSecretTokenForUser(user, st)) {
    return AccessCheckResult.allowed();

I slightly changed demo: (89.2 KB)
Use the following links to check:

localhost:8080/app/#login?st=e63cacd4-646b-4232-bd72-36ddff780bbf // admin
localhost:8080/app/#login?st=93de5933-4aed-4ad7-bfac-97a0ec802352 // test