From jira-events at lists.jboss.org Fri Sep 21 17:38:11 2007
From: Matt Cristantello (JIRA)
To: jboss-jira at lists.jboss.org
Subject: [jboss-jira] [JBoss JIRA] Created: (JBAS-4747) WebAuthentication programmatic login prevents the user from ever logging out
Date: Fri, 21 Sep 2007 17:38:11 -0400
Message-ID: <2656556.1190410691242.JavaMail.jira@cloud.prod.atl2.jboss.com>

WebAuthentication programmatic login prevents the user from ever logging out
----------------------------------------------------------------------------

Key: JBAS-4747
URL: http://jira.jboss.com/jira/browse/JBAS-4747
Project: JBoss Application Server
Issue Type: Bug
Security Level: Public (Everyone can see)
Components: Security
Affects Versions: JBossAS-4.2.1.GA
Environment: CentOS 3, JDK 1.5.0_12, JBoss Portal 2.6.1.GA with JBoss AS 4.2.1.GA, set up in ClusteredSingleSignOn mode
Reporter: Matt Cristantello
Assigned To: Scott M Stark

When using the WebAuthentication login(String,String) method, it is not possible to log out even if the logoff() method of the WebAuthentication is called.

Code:

auto_login.jsp
<%@page import="org.jboss.web.tomcat.security.login.WebAuthentication"%>
<%
WebAuthentication pwl = new WebAuthentication();
pwl.login("user", "user");

response.sendRedirect("test.jsp");
%>

logout.jsp
<%@page import="org.jboss.web.tomcat.security.login.WebAuthentication"%>
<%
WebAuthentication pwl = new WebAuthentication();
pwl.logout();
%>

Successfully logged out

test.jsp
Test Page

Username: <%=request.getRemoteUser() %>

Log Out

web.xml
test
index.html
index.htm
index.jsp
default.html
default.htm
default.jsp

test
/test.jsp
POST
GET

Authentication required
Authenticated

FORM
JBoss Portal

/login.jsp
/error.jsp

Authenticated

jboss-web.xml
java:jaas/portal

Steps:
1. Log in by navigating to auto_login.jsp
2. Click the log out link, or otherwise navigate to the logout.jsp page.
3. Navigate back to the test.jsp page.
You will still be logged in.

This problem also occurs with the JBoss Portal 2.6.1, where I am automatically logged into the JBoss portal after running auto_login.jsp, but I cannot log out of the Portal using its logout button or the logout.jsp provided as an example above.

I am not seeing any entries in my server.log files when the logout methods are called, even with debug messages being logged.

--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira


From jira-events at lists.jboss.org Mon Oct 1 15:39:41 2007
From: Matt Cristantello (JIRA)
To: jboss-jira at lists.jboss.org
Subject: [jboss-jira] [JBoss JIRA] Closed: (JBAS-4747) WebAuthentication programmatic login prevents the user from ever logging out
Date: Mon, 01 Oct 2007 15:39:41 -0400
Message-ID: <5335662.1191267581274.JavaMail.jira@cloud.prod.atl2.jboss.com>
In-Reply-To: 2656556.1190410691242.JavaMail.jira@cloud.prod.atl2.jboss.com

[ http://jira.jboss.com/jira/browse/JBAS-4747?page=all ]

Matt Cristantello closed JBAS-4747.
-----------------------------------

Resolution: Cannot Reproduce Bug

I can't duplicate this anymore, it must have been an issue with some weird cookies being set in my browser.

Sorry,
~Matt

> WebAuthentication programmatic login prevents the user from ever logging out
> ----------------------------------------------------------------------------
>
> Key: JBAS-4747
> URL: http://jira.jboss.com/jira/browse/JBAS-4747
> Project: JBoss Application Server
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Components: Security
> Affects Versions: JBossAS-4.2.1.GA
> Environment: CentOS 3, JDK 1.5.0_12, JBoss Portal 2.6.1.GA with JBoss AS 4.2.1.GA, set up in ClusteredSingleSignOn mode
> Reporter: Matt Cristantello
> Assigned To: Scott M Stark
>
> When using the WebAuthentication login(String,String) method, it is not possible to log out even if the logoff() method of the WebAuthentication is called.
> Code:
> auto_login.jsp
> <%@page import="org.jboss.web.tomcat.security.login.WebAuthentication"%>
> <%
> WebAuthentication pwl = new WebAuthentication();
> pwl.login("user", "user");
>
> response.sendRedirect("test.jsp");
> %>
> logout.jsp
> <%@page import="org.jboss.web.tomcat.security.login.WebAuthentication"%>
> <%
> WebAuthentication pwl = new WebAuthentication();
> pwl.logout();
> %>
>
> Successfully logged out
>
> test.jsp
> Test Page
>
> Username: <%=request.getRemoteUser() %>
>
> Log Out
>
> web.xml
> xmlns="http://java.sun.com/xml/ns/j2ee"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
> test
>
> index.html
> index.htm
> index.jsp
> default.html
> default.htm
> default.jsp
>
> test
> /test.jsp
> POST
> GET
>
> Authentication required
> Authenticated
>
> FORM
> JBoss Portal
>
> /login.jsp
> /error.jsp
>
> Authenticated
>
> jboss-web.xml
> java:jaas/portal
>
> Steps:
> 1. Log in by navigating to auto_login.jsp
> 2. Click the log out link, or otherwise navigate to the logout.jsp page.
> 3. Navigate back to the test.jsp page.
> You will still be logged in.
> This problem also occurs with the JBoss Portal 2.6.1, where I am automatically logged into the JBoss portal after running auto_login.jsp, but I cannot log out of the Portal using its logout button or the logout.jsp provided as an example above.
> I am not seeing any entries in my server.log files when the logout methods are called, even with debug messages being logged.