[jboss-user] [Security & JAAS/JBoss] - basic authentication cached credential without invalidate se
ryandavid
do-not-reply at jboss.com
Thu Mar 27 12:03:35 EDT 2008
Hello to everybody,
I am using JBoss with basic authentication and I am seeing a strange behaviour.
At the front of JBoss I have a single sign-on system that unifies the login of the user but unfortunately it doesn't clear any session cookie when the user makes logout.
So with JBoss 4.0.2, I saw the following behaviour:
1. I authenticate myself as user1 and I see the page (of a web-app) with my data
2. I make logout (the session cookies are kept)
3. I authenticate myself as user2 and I see the page (of a web-app) with my data
4. I make logout (the session cookies are kept)
5. I authenticate myself again as user3 and I see the page (of a web-app) data of user2 !
It seems as JBoss at the second time keeps the previuos authentication because it sees some session cookie.
This behaviour doesn't appear with JBoss 3.2.3
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4139358#4139358
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4139358
More information about the jboss-user
mailing list