I am having a problem implementing a logout page for an Adobe Flex application on JBoss
4.2.2.GA. The application sends commands to a secure (via JAAS basic authentication) JBoss
Java servlet.
I apparently correctly implemented the basic security and a custom login module (extending
the AbstractServerLoginModule) since my web browser does request a username/password when I
first attempt to download the client application. At this point, since JBoss is using
basic authentication, the username/password is cached in my browser and sent with all
other command requests. Additionally, JBoss is using session cookies so my JSESSIONID
cookie is defined as well.
When a logout command is sent by the client application, I attempt to invalidate the
session by calling the getSession() method on the HttpServletRequest object and then
calling the invalidate() method on the returned session. However, this does not call the
logout method of my custom login module (which extends the AbstractServerLoginModule),
remove the principal from the JBoss JaasSecurityManager cache, nor apparently cause the
authentication cache of Internet Explorer to clear. In fact, it seems that the servlet
does not have an HTTP session associated with it and obtains a new session object when I
call the getSession() method (when I call getSession(false), a null reference is
returned). I do not understand this... or how I can access (and destroy) the current HTTP
session.
My jboss-web.xml in the application .ear contains the following:
  <?xml version="1.0" encoding="UTF-8"?>
  <jboss-web>
    <security-domain flushOnSessionInvalidation="true">java:/jaas/MyRealm</security-domain>
  </jboss-web>

which, as I understand it, should cause the logout method of my custom login module to be
called on session invalidation.
I did manage to clear the JaasSecurityManager cache programmatically (which calls my logout
method), but that still leaves the cache on Internet Explorer intact and the HTTP session
still exists...
  import java.security.Principal;
  import javax.management.MBeanServer;
  import javax.management.MBeanServerFactory;
  import javax.management.ObjectName;
  import javax.servlet.http.HttpServletRequest;

  // req is the HttpServletRequest carrying the logout command
  String domain = "MyRealm";
  Principal user = req.getUserPrincipal();
  ObjectName jaasMgr = new ObjectName("jboss.security:service=JaasSecurityManager");
  Object[] params = { domain, user };
  String[] signature = { "java.lang.String", Principal.class.getName() };
  MBeanServer server = (MBeanServer) MBeanServerFactory.findMBeanServer(null).get(0);
  // evict this principal from the domain's authentication cache (JBoss then calls logout())
  server.invoke(jaasMgr, "flushAuthenticationCache", params, signature);

I would like to destroy the session data (hopefully clearing the JSESSIONID cookie,
calling my logout method, and clearing the browser authentication cache).
Do I need to access the HTTP session information in a cache somewhere? And if so, how do I
access it? Any thoughts or suggestions? I could really use some expert advice...
Kerry
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4125284#...
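The following is an added example, not code from the post above or from the JBoss project: a logout servlet that pulls the pieces of the post together for a JBoss 4.2.x web application protected by BASIC authentication over a JAAS security domain. It assumes the security domain name "MyRealm" from the post, that the servlet is mapped to a path such as /logout in web.xml (the mapping is not shown), and that the JaasSecurityManager MBean is reachable in-VM exactly as in the post's own snippet. It also spells out, in the last step, the part no server-side code can fix: credentials cached by the browser for BASIC authentication are resent on every request until the browser is closed, so from the container's point of view the user stays authenticated after "logout" unless the application uses FORM authentication, where the credential lives only in the session that has just been invalidated.

```java
import java.io.IOException;
import java.security.Principal;
import javax.management.MBeanServer;
import javax.management.MBeanServerFactory;
import javax.management.ObjectName;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Added example (not from the post or from JBoss). Logout handler for a
 * BASIC-auth web application on JBoss 4.2.x backed by the "MyRealm" JAAS domain.
 * Mapped to /logout in web.xml (assumed; mapping not shown).
 */
public class LogoutServlet extends HttpServlet {

    // Security domain name taken from the post's jboss-web.xml (assumption: it is "MyRealm").
    private static final String SECURITY_DOMAIN = "MyRealm";

    // Logout is a state-changing action, so it is accepted only via POST.
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {

        // 1. Drop the container's server-side state for this client.
        //    getSession(false) never creates a session; null means there is nothing to invalidate.
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // 2. Evict the principal from the JaasSecurityManager authentication cache, so the
        //    next request with the same credentials goes back through the login module and a
        //    revoked or changed password takes effect now rather than at cache expiry.
        Principal user = req.getUserPrincipal();
        if (user != null) {
            try {
                MBeanServer server =
                        (MBeanServer) MBeanServerFactory.findMBeanServer(null).get(0);
                ObjectName jaasMgr =
                        new ObjectName("jboss.security:service=JaasSecurityManager");
                server.invoke(jaasMgr, "flushAuthenticationCache",
                        new Object[] { SECURITY_DOMAIN, user },
                        new String[] { String.class.getName(), Principal.class.getName() });
            } catch (Exception e) {
                throw new ServletException(
                        "failed to flush authentication cache for " + user.getName(), e);
            }
        }

        // 3. Ask the browser to discard the session cookie. Invalidating the session does not
        //    itself send a Set-Cookie; the stale JSESSIONID would be harmless (it no longer
        //    maps to anything server-side), but expiring it explicitly keeps client state clean.
        Cookie expired = new Cookie("JSESSIONID", "");
        String path = req.getContextPath();
        expired.setPath(path.length() == 0 ? "/" : path);
        expired.setMaxAge(0);
        resp.addCookie(expired);

        // 4. What the server cannot do: make the browser forget the BASIC credentials it
        //    cached when the client application was first downloaded. They are resent with
        //    every request until the browser exits, so steps 1-3 clear server state only.
        //    For a logout the container can actually enforce, use FORM authentication, where
        //    the credential lives in the (now invalidated) session.
        resp.setStatus(HttpServletResponse.SC_NO_CONTENT);
    }
}
```

The order matters: the principal is read before the session is touched (it does not depend on the session under BASIC auth, but reading it first keeps the code correct if the application ever switches to FORM authentication, where the principal is bound to the session being invalidated). The cache flush is the step that makes the custom login module's logout() run, matching what the post observed when invoking the MBean directly.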