[jboss-jira] [JBoss JIRA] Created: (JBAS-4747) WebAuthentication programmatic login prevents the user from ever logging out

Matt Cristantello (JIRA) jira-events at lists.jboss.org
Fri Sep 21 17:38:11 EDT 2007


WebAuthentication programmatic login prevents the user from ever logging out
----------------------------------------------------------------------------

                 Key: JBAS-4747
                 URL: http://jira.jboss.com/jira/browse/JBAS-4747
             Project: JBoss Application Server
          Issue Type: Bug
      Security Level: Public (Everyone can see)
          Components: Security
    Affects Versions: JBossAS-4.2.1.GA
         Environment: CentOS 3, JDK 1.5.0_12, JBoss Portal 2.6.1.GA with JBoss AS 4.2.1.GA, set up in ClusteredSingleSignOn mode
            Reporter: Matt Cristantello
         Assigned To: Scott M Stark


When using the WebAuthentication login(String,String) method, it is not possible to log out even if the logoff() method of the WebAuthentication is called.

Code:
auto_login.jsp
<%@page import="org.jboss.web.tomcat.security.login.WebAuthentication"%>
<%
	WebAuthentication pwl = new WebAuthentication();
	pwl.login("user", "user");
	
	response.sendRedirect("test.jsp");
%>

logout.jsp
<%@page import="org.jboss.web.tomcat.security.login.WebAuthentication"%>
<%
	WebAuthentication pwl = new WebAuthentication();
	pwl.logout();
%>
<p>Successfully logged out</p>

test.jsp
<html>
<head>
	<title>Test Page</title>
</head>
<body>
<p>Username: <%=request.getRemoteUser() %></p>
<p><a href="logout.jsp">Log Out</a></p>
</body>
</html>

web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app id="WebApp_ID" version="2.4"
	xmlns="http://java.sun.com/xml/ns/j2ee"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
	<display-name>test</display-name>
	<welcome-file-list>
		<welcome-file>index.html</welcome-file>
		<welcome-file>index.htm</welcome-file>
		<welcome-file>index.jsp</welcome-file>
		<welcome-file>default.html</welcome-file>
		<welcome-file>default.htm</welcome-file>
		<welcome-file>default.jsp</welcome-file>
	</welcome-file-list>
	<security-constraint>
		<web-resource-collection>
			<web-resource-name>test</web-resource-name>
			<url-pattern>/test.jsp</url-pattern>
			<http-method>POST</http-method>
			<http-method>GET</http-method>
		</web-resource-collection>
		<auth-constraint>
			<description>Authentication required</description>
			<role-name>Authenticated</role-name>
		</auth-constraint>
	</security-constraint>
	<login-config>
		<auth-method>FORM</auth-method>
		<realm-name>JBoss Portal</realm-name>
		<form-login-config>
			<form-login-page>/login.jsp</form-login-page>
			<form-error-page>/error.jsp</form-error-page>
		</form-login-config>
	</login-config>
	<security-role>
		<role-name>Authenticated</role-name>
	</security-role>
</web-app>

jboss-web.xml
<?xml version="1.0"?>
<!DOCTYPE jboss-web PUBLIC "-//JBoss//DTD Web Application 4.2//EN" "http://www.jboss.org/j2ee/dtd/jboss-web_4_2.dtd">
<!-- DOCTYPE corrected: the root element is jboss-web, so the jboss-app DTD did not match the document. -->
<jboss-web>
	<security-domain>java:jaas/portal</security-domain>
</jboss-web>

Steps:
1. Log in by navigating to auto_login.jsp
2. Click the log out link, or otherwise navigate to the logout.jsp page.
3. Navigate back to the test.jsp page.

You will still be logged in.

This problem also occurs with the JBoss Portal 2.6.1, where I am automatically logged into the JBoss portal after running auto_login.jsp, but I cannot log out of the Portal using its logout button or the logout.jsp provided as an example above.

I am not seeing any entries in my server.log files when the logout methods are called, even with debug messages being logged.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
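A more thorough logout to test the report against, as an added example (this is not the reporter's code, nor JBoss's own fix for JBAS-4747). It keeps the WebAuthentication.logout() call from logout.jsp and additionally invalidates the servlet session, which is where the container caches the authenticated Principal, and expires the session and SSO cookies so the browser cannot re-present them. The servlet mapping (/logout), the redirect target (index.jsp) and the cookie names (Tomcat's default JSESSIONID and the JSESSIONIDSSO cookie set by its SingleSignOn valve) are assumptions; whether this also clears the ClusteredSingleSignOn entry in the reporter's setup is not established by the report and has to be checked by repeating step 3 after logging out.

```java
package example.logout; // hypothetical package for this added example

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

import org.jboss.web.tomcat.security.login.WebAuthentication;

/**
 * Logout servlet for a JBoss AS 4.2 web application whose users were
 * authenticated with WebAuthentication.login(String, String).
 *
 * Assumed web.xml mapping:
 *   <servlet-mapping><servlet-name>logout</servlet-name>
 *     <url-pattern>/logout</url-pattern></servlet-mapping>
 */
public class LogoutServlet extends HttpServlet {

    // Assumption: Tomcat's default session cookie, scoped to the web app.
    private static final String SESSION_COOKIE = "JSESSIONID";
    // Assumption: cookie name used by Tomcat's SingleSignOn valve, scoped to "/".
    private static final String SSO_COOKIE = "JSESSIONIDSSO";

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        doPost(req, resp);
    }

    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getRemoteUser();

        // 1. Programmatic counterpart of the programmatic login (same call
        //    the report's logout.jsp makes).
        new WebAuthentication().logout();

        // 2. Drop the container session. The authenticated Principal is
        //    cached on the session, so without this step a later request
        //    carrying the same JSESSIONID is still treated as logged in.
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // 3. Expire both cookies so the browser stops presenting them.
        String contextPath = req.getContextPath();
        expireCookie(resp, SESSION_COOKIE, contextPath.length() == 0 ? "/" : contextPath);
        expireCookie(resp, SSO_COOKIE, "/");

        // 4. Leave a trace in server.log; the report notes that nothing is
        //    logged when the logout methods are called.
        log("logout requested for user=" + user
                + " session=" + (session == null ? "none" : "invalidated"));

        // Do not let proxies or the browser cache the protected page state.
        resp.setHeader("Cache-Control", "no-store");
        resp.sendRedirect(contextPath + "/index.jsp");
    }

    /** Sends an expired (max-age 0) cookie of the given name and path. */
    private static void expireCookie(HttpServletResponse resp, String name, String path) {
        Cookie cookie = new Cookie(name, "");
        cookie.setMaxAge(0);
        cookie.setPath(path);
        resp.addCookie(cookie);
    }
}
```

Verification is the report's own step 3: after hitting /logout, request test.jsp again; a correct logout yields the FORM login page rather than the page with the username filled in. Note that request.getRemoteUser() on the logout request itself still reflects the user that was authenticated when that request started, so the check has to be made on a fresh request.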
