[jboss-dev-forums] [Security Development] New message: "Auth Cache is not flushed after logout"

Harry Yan do-not-reply at jboss.com
Tue Feb 9 10:16:55 EST 2010


JBoss development,

A new message was posted in the thread "Auth Cache is not flushed after logout":

http://community.jboss.org/message/525111#525111

Author  : Harry Yan
Profile : http://community.jboss.org/people/seekerYan

Message:
--------------------------------------------------------------
Hi, can anyone kindly help me?
Currently we are trying to migrate our project from JBoss 4.2 to 5.1; however, the Authentication Cache fails to be flushed after the logout method
is called, which worked fine on JBoss 4.2. Our project leverages JAAS to do the authentication and authorization.
Here is the code and config file.
1. LoginModule
We wrote a CustomLoginModule and a CustomPrincipal by implementing the LoginModule and Principal interfaces respectively.
The custom LoginModule is enabled in the login-config.xml file.
 
 
2. Create a Servlet which logs in and calls an EJB bean method.

    // Imports needed by this servlet: servlet API, JNDI, and the JBoss web-tier login helper
    import java.io.IOException;
    import java.io.PrintWriter;
    import javax.naming.InitialContext;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServlet;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import org.jboss.web.tomcat.security.login.WebAuthentication;

    public class LoginServlet extends HttpServlet {

        protected void doPost(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            // Stack traces from the login/logout path are written back to the response
            PrintWriter out = response.getWriter();

            if (request.getParameter("logout") != null) {
                try {
                    // Logout
                    WebAuthentication webAuthentication = new WebAuthentication();
                    webAuthentication.logout();
                } catch (Exception e) {
                    e.printStackTrace(out);
                }
            } else if (request.getParameter("login") != null) {
                // Credentials submitted by login.jsp
                String username = request.getParameter("username");
                String password = request.getParameter("password");
                request.getSession(true);
                InitialContext context = null;
                try {
                    // login method of our custom LoginModule is called.
                    WebAuthentication webAuthentication = new WebAuthentication();
                    if (webAuthentication.login(username, password)) {
                        System.out.println("web authentication");
                    }
                    context = new InitialContext();
                    context.getEnvironment();
                    A a = (A) context.lookup("ejb/A");
                    // call ejb method
                    a.helloWorld();
                    a.withoutRoels();
                    doGet(request, response);
                } catch (Exception e) {
                    e.printStackTrace(out);
                }
            }
        }
    }
 
3. Create a jboss-web.xml file with the content below
<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
    <!-- Indicate that the cached auth should be flushed when the session expires -->
    <security-domain flushOnSessionInvalidation="true">java:/jaas/FipcaAPUsers</security-domain>
</jboss-web>
 
4. Add the annotation @SecurityDomain("java:/jaas/AppUsers") to the EJB bean.
5. The web content is not secured itself; we have a login.jsp which has two buttons, login and logout. When one of the buttons is clicked, the servlet above is invoked.
 
On JBoss 4.2, after we click on logout, the auth data is removed from the cache, as we can see from the jmx-console. But now, on JBoss 5.1, the auth data is always there. Am I doing anything wrong? Can anyone help me out? This problem has bothered me for quite a long time. I have tried many ways but with no success.
 
Thanks in advance!!!
 


--------------------------------------------------------------

To reply to this message visit the message page: http://community.jboss.org/message/525111#525111
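The logout path in the post relies on WebAuthentication.logout() flushing the cache as a side effect. The flushOnSessionInvalidation attribute in the posted jboss-web.xml acts, as its name and the config comment say, when the HttpSession is invalidated, and the posted servlet never invalidates the session. The servlet below is an added example written for this page, not code from the original post or from the JBoss project: it logs out, invalidates the session explicitly, and then flushes and inspects the cache through JMX so the result can be checked from the application instead of the jmx-console. The following are assumptions, not taken from the post: the MBean name jboss.security:service=JaasSecurityManager and its operations flushAuthenticationCache(String), flushAuthenticationCache(String, java.security.Principal) and getAuthenticationCachePrincipals(String) as they appear in the JBoss jmx-console; that the operations take the plain domain name (the part after java:/jaas/); the class name LogoutServlet and the constant SECURITY_DOMAIN.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.List;
import javax.management.MBeanServer;
import javax.management.MBeanServerFactory;
import javax.management.ObjectName;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.jboss.web.tomcat.security.login.WebAuthentication;

/**
 * Added example, not code from the original post: a logout handler that does
 * not depend on the authentication cache being cleared as a side effect of
 * WebAuthentication.logout().
 */
public class LogoutServlet extends HttpServlet {

    // Assumption: plain domain name as declared in login-config.xml, i.e. the
    // part after "java:/jaas/" in jboss-web.xml / @SecurityDomain.
    private static final String SECURITY_DOMAIN = "AppUsers";

    // Assumption: MBean name and operation names as shown in the jmx-console.
    private static final String JAAS_MANAGER = "jboss.security:service=JaasSecurityManager";
    private static final String STRING = String.class.getName();
    private static final String PRINCIPAL = Principal.class.getName();

    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        if (request.getParameter("logout") == null) {
            return;
        }
        // Capture the caller before logout() clears the association, so the
        // flush can be limited to this user instead of the whole domain.
        Principal user = request.getUserPrincipal();
        try {
            // 1. Clear the web-tier security association for this request.
            new WebAuthentication().logout();

            // 2. flushOnSessionInvalidation only acts on session invalidation;
            //    logout() by itself leaves the HttpSession alive.
            HttpSession session = request.getSession(false);
            if (session != null) {
                session.invalidate();
            }

            // 3. Flush explicitly through JMX: one principal when known,
            //    otherwise the whole domain (which evicts every cached user).
            MBeanServer server = findMBeanServer();
            ObjectName name = new ObjectName(JAAS_MANAGER);
            if (user != null) {
                server.invoke(name, "flushAuthenticationCache",
                        new Object[] { SECURITY_DOMAIN, user },
                        new String[] { STRING, PRINCIPAL });
            } else {
                server.invoke(name, "flushAuthenticationCache",
                        new Object[] { SECURITY_DOMAIN },
                        new String[] { STRING });
            }

            // 4. Check: list what is still cached for the domain. After a
            //    per-user flush the logged-out principal must not be present.
            List<?> stillCached = (List<?>) server.invoke(name,
                    "getAuthenticationCachePrincipals",
                    new Object[] { SECURITY_DOMAIN },
                    new String[] { STRING });
            boolean stale = user != null && stillCached.contains(user);

            response.setContentType("text/plain");
            response.getWriter().println("cached principals for " + SECURITY_DOMAIN
                    + ": " + stillCached + (stale ? " (STALE ENTRY REMAINS)" : ""));
        } catch (Exception e) {
            throw new ServletException("logout/flush failed", e);
        }
    }

    /** Standard JMX lookup of the server-wide MBeanServer. */
    private static MBeanServer findMBeanServer() {
        List<MBeanServer> servers = MBeanServerFactory.findMBeanServer(null);
        if (servers.isEmpty()) {
            throw new IllegalStateException("no MBeanServer registered");
        }
        return servers.get(0);
    }
}
```

The per-principal flush matters in practice: flushing the whole domain evicts every user's cached credentials, so each of them re-runs the LoginModule on their next request, while the per-user variant touches only the principal that logged out. The listing step is the same check the post makes by hand in the jmx-console, which makes the cache state visible in a test without a browser.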
