[jboss-user] [Security & JAAS/JBoss] - basic authentication cached credential without invalidate se

Thursday, 27 March 2008

Hello to everybody,
I am using JBoss with basic authentication and I am seeing a strange behaviour.

At the front of JBoss I have a single sign-on system that unifies the login of the user
but unfortunately it doesn't clear any session cookie when the user makes logout.

So with JBoss 4.0.2, I saw the following behaviour:

1. I authenticate myself as user1 and I see the page (of a web-app) with my data

2. I make logout (the session cookies are kept)

3. I authenticate myself as user2 and I see the page (of a web-app) with my data

4. I make logout (the session cookies are kept)

5. I authenticate myself again as user3 and I see the page (of a web-app) data of user2 !

It seems as JBoss at the second time keeps the previuos authentication because it sees
some session cookie.

This behaviour doesn't appear with JBoss 3.2.3

View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4139358#...

Reply to the post :
http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

[jboss-user] [Security & JAAS/JBoss] - basic authentication cached credential without invalidate se