[
https://issues.jboss.org/browse/ELY-904?page=com.atlassian.jira.plugin.sy...
]
Pedro Igor edited comment on ELY-904 at 2/2/17 9:31 PM:
--------------------------------------------------------
[~darranl], another use case we should keep in mind is mechanisms that rely on cookies
which can be removed during logout, where logout may be triggered programmatically.
I've worked on a solution that works for SESSION-based mechanisms using notifications.
But for cookie-based mechanisms, programmatic logout doesn't work because we process
the "responders" right after evaluating a request during authentication. In this
case, notifications can be triggered by the application (e.g., a servlet + programmatic
logout) after responders are processed, which makes it impossible for notification
listeners to write to the response.
Logout notification support for HTTP-based authentication mechanisms
--------------------------------------------------------------------
Key: ELY-904
URL: https://issues.jboss.org/browse/ELY-904
Project: WildFly Elytron
Issue Type: Enhancement
Components: HTTP
Affects Versions: 1.1.0.Beta21
Reporter: Pedro Igor
Assignee: Pedro Igor
I think it makes sense to also allow HTTP mechanisms to handle logouts. Logout is tightly
related to authentication and mechanisms should be able to act properly during logout
requests.
Although only a small set of mechanisms supports logout, I think adding a default method
{{org.wildfly.security.http.HttpServerAuthenticationMechanism#logout}} will make our API
even more complete and capable of supporting more use cases.
The main use case for this enhancement is programmatic logout. In this case, logout can
be triggered from inside an application, which in turn delegates the logout logic to the
mechanism that authenticated a user.
Considering Elytron Web, this enhancement would make integration with other containers
even simpler and avoid dealing with specific logout mechanisms (e.g., notifications)
provided by these same containers. This is especially true for servlet containers.