[jboss-jira] [JBoss JIRA] (WFLY-4101) JAAS logout not called if cache-type is set to a value different than "default"
Stefan Guilhen (JIRA)
issues at jboss.org
Wed Nov 19 22:35:39 EST 2014
Stefan Guilhen created WFLY-4101:
------------------------------------
Summary: JAAS logout not called if cache-type is set to a value different than "default"
Key: WFLY-4101
URL: https://issues.jboss.org/browse/WFLY-4101
Project: WildFly
Issue Type: Bug
Components: Security
Affects Versions: 9.0.0.Alpha1
Reporter: Stefan Guilhen
Assignee: Stefan Guilhen
Fix For: 9.0.0.Beta1
Currently HttpServletRequest.logout() and Session.invalidate() rely on the AuthenticationManager.flushCache() method to perform the JAAS logout. Internally, flushCache() removes the cache entry and a cache listener takes care of the JAAS logout upon eviction.
However, this is only true for cache-type="default". If the "infinispan" cache is configured, no such eviction listener exists and thus no JAAS logout is carried out upon entry removal. Similarly, a JAAS logout is never carried out if the security domain doesn't use a cache at all. Only the presence of a cache with a special eviction listener will result in logout being called on the login module, which is obviously a faulty design.
Latest PicketBox version adds a logout(Principal, Subject) method to the AuthenticationManager interface. The default implementation used by WildFly takes care of flushing the cache if needed and performs the JAAS logout independently of the cache policy being used. The code that is currently calling AuthenticationManager.flushCache() must be changed so that logout() is called instead.
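The following is an added illustration, not code from WildFly or PicketBox: a small simulation with hypothetical stand-in classes (DomainCache, Subject, AuthenticationManager, LogoutDemo) showing why a logout path that relies on a cache eviction listener only works for cache-type="default", while an explicit logout(Principal, Subject) clears the JAAS state for every cache policy, including no cache at all.

```java
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import java.util.function.Consumer;

// Hypothetical stand-in for javax.security.auth.Subject; loggedIn models the JAAS login state.
final class Subject { boolean loggedIn = true; }

// Hypothetical security-domain cache: "default" wires an eviction listener, "infinispan" does not.
final class DomainCache {
    private final Map<Principal, Subject> entries = new HashMap<>();
    private final Consumer<Subject> evictionListener; // null when no listener is registered
    DomainCache(Consumer<Subject> evictionListener) { this.evictionListener = evictionListener; }
    void put(Principal p, Subject s) { entries.put(p, s); }
    void remove(Principal p) {
        Subject s = entries.remove(p);
        if (s != null && evictionListener != null) evictionListener.accept(s); // logout only here
    }
}

// Hypothetical manager mirroring the two methods the issue discusses.
final class AuthenticationManager {
    private final DomainCache cache; // null when the security domain uses no cache at all
    AuthenticationManager(DomainCache cache) { this.cache = cache; }
    static void jaasLogout(Subject s) { s.loggedIn = false; } // stands in for LoginContext.logout()
    // Old path: JAAS logout happens only as a side effect of cache eviction.
    void flushCache(Principal p) { if (cache != null) cache.remove(p); }
    // New path: flush the cache if present, then always perform the JAAS logout.
    void logout(Principal p, Subject s) { flushCache(p); jaasLogout(s); }
}

public class LogoutDemo {
    // Returns the subject's login state after the chosen logout path for the given cache type.
    static boolean loggedInAfter(String cacheType, boolean useLogout) {
        Principal p = () -> "alice"; // constructed sample principal
        Subject s = new Subject();
        DomainCache cache = null;
        if (cacheType.equals("default")) cache = new DomainCache(AuthenticationManager::jaasLogout);
        else if (cacheType.equals("infinispan")) cache = new DomainCache(null);
        if (cache != null) cache.put(p, s);
        AuthenticationManager am = new AuthenticationManager(cache);
        if (useLogout) am.logout(p, s); else am.flushCache(p);
        return s.loggedIn;
    }
    public static void main(String[] args) {
        for (String t : new String[] {"default", "infinispan", "none"}) {
            System.out.println(t + ": flushCache leaves loggedIn=" + loggedInAfter(t, false)
                + ", logout leaves loggedIn=" + loggedInAfter(t, true));
        }
    }
}
```

With flushCache only the "default" case ends up logged out; logout(Principal, Subject) ends every case logged out, which is the property the fix needs to hold regardless of cache configuration.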
--
This message was sent by Atlassian JIRA
(v6.3.8#6338)