WebAuthentication programmatic login prevents the user from ever logging out
----------------------------------------------------------------------------
Key: JBAS-4747
URL:
http://jira.jboss.com/jira/browse/JBAS-4747
Project: JBoss Application Server
Issue Type: Bug
Security Level: Public (Everyone can see)
Components: Security
Affects Versions: JBossAS-4.2.1.GA
Environment: CentOS 3, JDK 1.5.0_12, JBoss Portal 2.6.1.GA with JBoss AS
4.2.1.GA, set up in ClusteredSingleSignOn mode
Reporter: Matt Cristantello
Assigned To: Scott M Stark
When using the WebAuthentication login(String,String) method, it is not possible to log
out even if the logoff() method of the WebAuthentication is called.
Code:
auto_login.jsp
<%@page import="org.jboss.web.tomcat.security.login.WebAuthentication"%>
<%
WebAuthentication pwl = new WebAuthentication();
pwl.login("user", "user");
response.sendRedirect("test.jsp");
%>
logout.jsp
<%@page import="org.jboss.web.tomcat.security.login.WebAuthentication"%>
<%
WebAuthentication pwl = new WebAuthentication();
pwl.logout();
%>
<p>Successfully logged out</p>
test.jsp
<html>
<head>
<title>Test Page</title>
</head>
<body>
<p>Username: <%=request.getRemoteUser() %></p>
<p><a href="logout.jsp">Log Out</a></p>
</body>
</html>
web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app id="WebApp_ID" version="2.4"
    xmlns="http://java.sun.com/xml/ns/j2ee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                        http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
  <display-name>test</display-name>
  <welcome-file-list>
    <welcome-file>index.html</welcome-file>
    <welcome-file>index.htm</welcome-file>
    <welcome-file>index.jsp</welcome-file>
    <welcome-file>default.html</welcome-file>
    <welcome-file>default.htm</welcome-file>
    <welcome-file>default.jsp</welcome-file>
  </welcome-file-list>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>test</web-resource-name>
      <url-pattern>/test.jsp</url-pattern>
      <http-method>POST</http-method>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint>
      <description>Authentication required</description>
      <role-name>Authenticated</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>FORM</auth-method>
    <realm-name>JBoss Portal</realm-name>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/error.jsp</form-error-page>
    </form-login-config>
  </login-config>
  <security-role>
    <role-name>Authenticated</role-name>
  </security-role>
</web-app>
jboss-web.xml
<?xml version="1.0"?>
<!-- jboss-web.xml is validated against the JBoss web-application DTD;
     its root element is jboss-web, not the jboss-app element of the EAR DTD -->
<!DOCTYPE jboss-web PUBLIC "-//JBoss//DTD Web Application 4.2//EN"
  "http://www.jboss.org/j2ee/dtd/jboss-web_4_2.dtd">
<jboss-web>
  <security-domain>java:jaas/portal</security-domain>
</jboss-web>
Steps:
1. Log in by navigating to auto_login.jsp
2. Click the log out link, or otherwise navigate to the logout.jsp page.
3. Navigate back to the test.jsp page.
You will still be logged in.
This problem also occurs with the JBoss Portal 2.6.1, where I am automatically logged into
the JBoss portal after running auto_login.jsp, but I cannot log out of the Portal using
its logout button or the logout.jsp provided as an example above.
I am not seeing any entries in my server.log files when the logout methods are called,
even with debug messages being logged.
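The following servlet is an added example, not the reporter's code and not part of JBoss AS or JBoss Portal. It shows the defensive shape of a logout handler for the situation described above: it makes the same WebAuthentication.logout() call as logout.jsp, but additionally invalidates the HTTP session and expires the session and single-sign-on cookies on the client, so that a principal the container failed to drop cannot be re-attached on the next request. The class name HardenedLogoutServlet and the helper expireCookie are hypothetical; JSESSIONID and JSESSIONIDSSO are Tomcat's default session and SSO cookie names, and the web.xml mapping for the servlet is assumed to exist.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.jboss.web.tomcat.security.login.WebAuthentication;

/**
 * Hypothetical logout servlet (added example). Performs the container logout
 * used in the report, then removes the server-side session and the client-side
 * cookies that could otherwise keep the authenticated principal alive.
 */
public class HardenedLogoutServlet extends HttpServlet {

    // Tomcat default cookie names: the per-application session cookie and the
    // single-sign-on cookie shared across web applications.
    private static final String SESSION_COOKIE = "JSESSIONID";
    private static final String SSO_COOKIE = "JSESSIONIDSSO";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Captured before logout; the request's own principal is not updated
        // within this request, so it is only used for the confirmation text.
        String userBefore = req.getRemoteUser();

        // 1. Container-level logout, exactly as in the reporter's logout.jsp.
        new WebAuthentication().logout();

        // 2. Invalidate the HTTP session so nothing cached on it survives.
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // 3. Expire the session cookie (scoped to this context) and the SSO
        //    cookie (scoped to the whole host) on the client.
        expireCookie(resp, SESSION_COOKIE, req.getContextPath());
        expireCookie(resp, SSO_COOKIE, "/");

        // 4. Make sure the confirmation page is never served from a cache.
        resp.setHeader("Cache-Control", "no-store");
        resp.setHeader("Pragma", "no-cache");
        resp.setContentType("text/plain");
        if (userBefore == null) {
            resp.getWriter().println("No user was logged in.");
        } else {
            resp.getWriter().println("Logged out " + userBefore
                + ". A fresh request to test.jsp must now redirect to login.jsp.");
        }
    }

    // Sends a replacement cookie with max-age 0, which instructs the browser
    // to delete the cookie of that name on the given path. JDK 1.5 compatible.
    static void expireCookie(HttpServletResponse resp, String name, String path) {
        Cookie cookie = new Cookie(name, "");
        cookie.setMaxAge(0);
        cookie.setPath(path.length() == 0 ? "/" : path);
        resp.addCookie(cookie);
    }
}
```

In ClusteredSingleSignOn mode the SSO entry also lives in the cluster-wide cache on the server, and expiring the cookie on the client does not remove that entry; this handler therefore limits the exposure of the reported behaviour for the browser that called it but does not replace a fix in the container. The check stays the same as the reporter's step 3: after the logout response, a fresh request to the protected test.jsp must be answered with a redirect to login.jsp rather than with the page showing a username.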
--
This message is automatically generated by JIRA.