Hi,
I just came across a situation in which the sessionContext.getCallerPrincipal() returns
null because the principal was removed from the subject during logout, which is OK. The
funny thing is that, because AbstractServerLoginModule is not removing any added roles,
the RBAC still lets the 'null' caller principal call the method annotated with
@RolesAllowed. Why is AbstractServerLoginModule not removing the added roles while
removing the principal from the subject?
Frank.
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4030523#...
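The failure mode described in the post, reduced to a self-contained JAAS demo. This is an added example, not code from the original post or from JBoss: the `LeakyLoginModule`, `UserPrincipal` and `RolesPrincipal` classes and the `callerPrincipal`/`naiveRolesAllowed`/`strictRolesAllowed` helpers are all constructed here to mirror the behaviour Frank describes (commit adds identity and roles, logout removes only the identity), and the way a container derives the caller principal from the Subject is assumed, not taken from any server's source. The point it shows is that an authorization check which consults only the roles left in the Subject passes after logout, while a check that first requires a non-null caller principal fails closed.

```java
import java.security.Principal;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class StaleRolesDemo {

    /** Identity principal for the logged-in user (constructed for this example). */
    static final class UserPrincipal implements Principal {
        private final String name;
        UserPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof UserPrincipal && ((UserPrincipal) o).name.equals(name);
        }
        @Override public int hashCode() { return name.hashCode(); }
    }

    /** Stand-in for the "Roles" group a server keeps in the Subject (assumed shape). */
    static final class RolesPrincipal implements Principal {
        final Set<String> roles = new HashSet<>();
        @Override public String getName() { return "Roles"; }
    }

    /** Toy login module mirroring the described behaviour: commit() adds identity and
     *  roles to the Subject, logout() removes only the identity. Not JBoss code. */
    static final class LeakyLoginModule implements LoginModule {
        private Subject subject;
        private UserPrincipal identity;

        @Override public void initialize(Subject s, CallbackHandler h,
                                         Map<String, ?> shared, Map<String, ?> opts) {
            subject = s;
        }
        // Credential validation is out of scope here; assume it succeeded.
        @Override public boolean login() { identity = new UserPrincipal("frank"); return true; }
        @Override public boolean commit() {
            subject.getPrincipals().add(identity);
            RolesPrincipal roles = new RolesPrincipal();
            roles.roles.add("admin");
            subject.getPrincipals().add(roles);
            return true;
        }
        @Override public boolean abort() { return true; }
        @Override public boolean logout() {
            subject.getPrincipals().remove(identity); // the Roles group is left behind
            return true;
        }
    }

    /** Assumed container logic for getCallerPrincipal(): first non-group principal, else null. */
    static Principal callerPrincipal(Subject s) {
        for (Principal p : s.getPrincipals()) {
            if (!(p instanceof RolesPrincipal)) return p;
        }
        return null;
    }

    static boolean hasRole(Subject s, String role) {
        for (RolesPrincipal p : s.getPrincipals(RolesPrincipal.class)) {
            if (p.roles.contains(role)) return true;
        }
        return false;
    }

    /** Naive @RolesAllowed-style check: consults only the roles still in the Subject. */
    static boolean naiveRolesAllowed(Subject s, String role) {
        return hasRole(s, role);
    }

    /** Fail-closed check: no caller principal means no access, whatever roles remain. */
    static boolean strictRolesAllowed(Subject s, String role) {
        return callerPrincipal(s) != null && hasRole(s, role);
    }

    public static void main(String[] args) throws LoginException {
        Subject subject = new Subject();
        LeakyLoginModule lm = new LeakyLoginModule();
        lm.initialize(subject, null, Map.of(), Map.of());
        lm.login();
        lm.commit();
        System.out.println("logged in : caller=" + callerPrincipal(subject).getName()
            + " naive=" + naiveRolesAllowed(subject, "admin")
            + " strict=" + strictRolesAllowed(subject, "admin"));
        lm.logout();
        System.out.println("logged out: caller=" + callerPrincipal(subject)
            + " naive=" + naiveRolesAllowed(subject, "admin")
            + " strict=" + strictRolesAllowed(subject, "admin"));
    }
}
```

After `logout()` the Subject still carries the `RolesPrincipal` with `admin`, so `naiveRolesAllowed` keeps returning true for a caller whose principal is now null; `strictRolesAllowed` rejects the call because it treats a missing caller principal as unauthenticated before it ever looks at roles. The defensive lesson for application code is the same regardless of how a given login module implements `logout()`: never let a role check succeed for a null caller, and, in your own login modules, clear every principal you added in `commit()` when you log out.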