JBoss Community

Re: LoginModule defined with cached=true, but called between web and ejb container

created by Patrick Garner in PicketBox Development

Okay, I've put together a quickstart app, but I'm still confused about something.

If a method of a managed bean invokes HttpServletRequest#logout and HttpSession#invalidate and attempts to invoke a method on a secure EJB, this should be forbidden by JBoss security.  Is this true? 
Because what I'm observing is that JBoss security only forbids such method invocation if the user's password has been changed in the underlying data source during the user's session.  As long as the user's password has not been changed, the secure method can be invoked after the principal has been removed and after the session has been destroyed.

Check out the attached application.
1.  Make a browser request against localhost/Foobar.  You will be redirected to index.xhtml.
2.  Log in.

3.  If login is successful, you will be served loggedIn.xhtml, a facelet that allows you to change the password or log out.  If you change the password, loggedIn.xhtml is reloaded.

4.  Re-enter the password that you logged in with and click Submit New Password.
5.  Click Logout Failure, which programmatically logs you out and ends the session prior to looking up LoginHistoryService and invoking LoginHistoryService#create.
6.  Notice that no error occurred.  The LoginHistoryService EJB, which is protected by @RolesAllowed("SYSTEM_ADMINISTRATOR"), was looked up and LoginHistoryService#create was invoked after programmatic logout.

7.  Repeat steps 2-5, except in step 4 enter a different password.  Notice that in step 6 an error occurs: EJBAccessException: JBAS013323: Invalid User.  In the stack trace, note the following:

PBOX000206: Login failure: javax.security.auth.login.FailedLoginException: PBOX000070: Password invalid/Password required
In both scenarios above, the password was changed in the underlying database during the user's session.  The only difference is that in one case the password was identical to the login password and in the other case the password was changed to a different password.  In both cases HttpServletRequest#logout and HttpSession#invalidate were invoked prior to invoking LoginHistoryService#create.

8.  Repeat steps 2-7, except in step 5 click Logout Success instead of Logout Failure.  The only difference between Logout Failure and Logout Success is that LoginHistoryService#create is invoked prior to HttpServletRequest#logout and HttpSession#invalidate.  What step 8 demonstrates is that JBoss Security behaves as expected when LoginHistoryService#create is invoked prior to removing the principal and destroying the session.

It seems that in the above scenarios JBoss Security should not attempt to authenticate the user after HttpServletRequest#logout is invoked.  Instead of attempting to authenticate, it should be attempting to authorize, and if the principal has been removed, the error should come back as follows:

javax.ejb.EJBAccessException: JBAS014502: Invocation on method: public void com.foobar.service.LoginHistoryService.create(com.foobar.model.LoginHistory) of bean: LoginHistoryService is not allowed
instead of the FailedLoginException.
I will finish my wiki article and post it with the quickstart after this confusion is resolved.
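The two call orderings the post compares, Logout Failure (logout and invalidate, then call the secured EJB) and Logout Success (call the EJB, then logout and invalidate), written out as JSF managed-bean actions. This is an added example, not code from the original post or the attached quickstart; everything except LoginHistoryService#create, @RolesAllowed("SYSTEM_ADMINISTRATOR"), HttpServletRequest#logout and HttpSession#invalidate is an assumption, and create() taking a user name rather than a LoginHistory entity is a simplification.

```java
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJB;
import javax.ejb.Stateless;
import javax.faces.bean.ManagedBean;
import javax.faces.bean.RequestScoped;
import javax.faces.context.FacesContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

// The secured EJB from the post; taking a user name instead of a LoginHistory entity is an
// assumption made to keep the example self-contained. Only SYSTEM_ADMINISTRATOR may call it.
@Stateless
class LoginHistoryService {
    @RolesAllowed("SYSTEM_ADMINISTRATOR")
    public void create(String user) { /* persist a login-history row for user */ }
}

@ManagedBean @RequestScoped
public class LogoutBean {
    @EJB private LoginHistoryService loginHistoryService;

    // "Logout Success": record the event while the caller is still authenticated, then
    // remove the principal and destroy the session. Authorization sees a live principal.
    public String logoutSuccess() throws ServletException {
        HttpServletRequest request = currentRequest();
        loginHistoryService.create(request.getRemoteUser());
        endSession(request);
        return "index?faces-redirect=true";
    }

    // "Logout Failure": remove the principal and destroy the session first, then call the
    // secured EJB. The post observes this still succeeds unless the stored password changed
    // mid-session, in which case re-authentication fails (PBOX000070), not authorization.
    public String logoutFailure() throws ServletException {
        HttpServletRequest request = currentRequest();
        endSession(request);
        loginHistoryService.create("unknown");   // principal already removed at this point
        return "index?faces-redirect=true";
    }

    private static HttpServletRequest currentRequest() {
        return (HttpServletRequest) FacesContext.getCurrentInstance().getExternalContext().getRequest();
    }
    private static void endSession(HttpServletRequest request) throws ServletException {
        request.logout();                            // HttpServletRequest#logout
        HttpSession session = request.getSession(false);
        if (session != null) session.invalidate();  // HttpSession#invalidate
    }
}
```

Wiring each action to a button on loggedIn.xhtml reproduces steps 5 and 8; the expected outcome is that logoutFailure() is rejected with JBAS014502 regardless of whether the stored password changed, which is the behaviour the post says it does not see.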