[jboss-jira] [JBoss JIRA] Closed: (JBAS-4747) WebAuthentication programmatic login prevents the user from ever logging out
Matt Cristantello (JIRA)
jira-events at lists.jboss.org
Mon Oct 1 15:39:41 EDT 2007
[ http://jira.jboss.com/jira/browse/JBAS-4747?page=all ]
Matt Cristantello closed JBAS-4747.
-----------------------------------
Resolution: Cannot Reproduce Bug
I can't duplicate this anymore, it must have been an issue with some weird cookies being set in my browser.
Sorry,
~Matt
> WebAuthentication programmatic login prevents the user from ever logging out
> ----------------------------------------------------------------------------
>
> Key: JBAS-4747
> URL: http://jira.jboss.com/jira/browse/JBAS-4747
> Project: JBoss Application Server
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Components: Security
> Affects Versions: JBossAS-4.2.1.GA
> Environment: CentOS 3, JDK 1.5.0_12, JBoss Portal 2.6.1.GA with JBoss AS 4.2.1.GA, set up in ClusteredSingleSignOn mode
> Reporter: Matt Cristantello
> Assigned To: Scott M Stark
>
> When using the WebAuthentication login(String,String) method, it is not possible to log out even if the logoff() method of the WebAuthentication is called.
> Code:
> auto_login.jsp
> <%@page import="org.jboss.web.tomcat.security.login.WebAuthentication"%>
> <%
> WebAuthentication pwl = new WebAuthentication();
> pwl.login("user", "user");
>
> response.sendRedirect("test.jsp");
> %>
> logout.jsp
> <%@page import="org.jboss.web.tomcat.security.login.WebAuthentication"%>
> <%
> WebAuthentication pwl = new WebAuthentication();
> pwl.logout();
> %>
> <p>Successfully logged out</p>
> test.jsp
> <html>
>   <head>
>     <title>Test Page</title>
>   </head>
>   <body>
>     <p>Username: <%=request.getRemoteUser() %></p>
>     <p><a href="logout.jsp">Log Out</a></p>
>   </body>
> </html>
> web.xml
> <?xml version="1.0" encoding="UTF-8"?>
> <web-app id="WebApp_ID" version="2.4"
>     xmlns="http://java.sun.com/xml/ns/j2ee"
>     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>     xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
>   <display-name>test</display-name>
>   <welcome-file-list>
>     <welcome-file>index.html</welcome-file>
>     <welcome-file>index.htm</welcome-file>
>     <welcome-file>index.jsp</welcome-file>
>     <welcome-file>default.html</welcome-file>
>     <welcome-file>default.htm</welcome-file>
>     <welcome-file>default.jsp</welcome-file>
>   </welcome-file-list>
>   <security-constraint>
>     <web-resource-collection>
>       <web-resource-name>test</web-resource-name>
>       <url-pattern>/test.jsp</url-pattern>
>       <http-method>POST</http-method>
>       <http-method>GET</http-method>
>     </web-resource-collection>
>     <auth-constraint>
>       <description>Authentication required</description>
>       <role-name>Authenticated</role-name>
>     </auth-constraint>
>   </security-constraint>
>   <login-config>
>     <auth-method>FORM</auth-method>
>     <realm-name>JBoss Portal</realm-name>
>     <form-login-config>
>       <form-login-page>/login.jsp</form-login-page>
>       <form-error-page>/error.jsp</form-error-page>
>     </form-login-config>
>   </login-config>
>   <security-role>
>     <role-name>Authenticated</role-name>
>   </security-role>
> </web-app>
> jboss-web.xml
> <?xml version="1.0"?>
> <!DOCTYPE jboss-app PUBLIC "-//JBoss//DTD J2EE Application 1.4//EN" "http://www.jboss.org/j2ee/dtd/jboss-app_4_0.dtd">
> <jboss-web>
>   <security-domain>java:jaas/portal</security-domain>
> </jboss-web>
> Steps:
> 1. Log in by navigating to auto_login.jsp
> 2. Click the log out link, or otherwise navigate to the logout.jsp page.
> 3. Navigate back to the test.jsp page.
> You will still be logged in.
> This problem also occurs with the JBoss Portal 2.6.1, where I am automatically logged into the JBoss portal after running auto_login.jsp, but I cannot log out of the Portal using its logout button or the logout.jsp provided as an example above.
> I am not seeing any entries in my server.log files when the logout methods are called, even with debug messages being logged.