[jboss-jira] [JBoss JIRA] (SECURITY-876) Web initiated logout doesn't clear authenticated identity in EJB
Arjan t (JIRA)
issues at jboss.org
Mon Feb 23 12:21:49 EST 2015
Arjan t created SECURITY-876:
--------------------------------
Summary: Web initiated logout doesn't clear authenticated identity in EJB
Key: SECURITY-876
URL: https://issues.jboss.org/browse/SECURITY-876
Project: PicketBox
Issue Type: Bug
Reporter: Arjan t
Assignee: Stefan Guilhen
After having authenticated via JASPIC, calling {{HttpServletRequest#logout}} and then requesting the caller/user principal (all within the same request), WildFly 8.2 will correctly clear out the principal for the web context, but will NOT clear out the principal for the EJB context.
Cross-checking with the RI (GlassFish 4.0/4.1) reveals that there the EJB context is indeed cleared out.
As a workaround, calling the following code after logout (e.g. in an Undertow event handler for SecurityNotifications) will clear the EJB context, but this code should of course not be needed to be called by user apps:
{code:java}
SecurityContextAssociation.clearSecurityContext();
SecurityRolesAssociation.setSecurityRoles(null);
{code}
A reproducer for this issue is available at: https://github.com/arjantijms/javaee7-samples/blob/master/jaspic/ejb-propagation/src/main/java/org/javaee7/jaspic/ejbpropagation/servlet/PublicServletPublicEJBLogout.java
For WildFly 8.2 this will print:
{noformat}
web username: test
EJB username: test
web username after logout: null
EJB username after logout: test
{noformat}
For GlassFish 4.0/4.1 this will print:
{noformat}
web username: test
EJB username: test
web username after logout: null
EJB username after logout: ANONYMOUS
{noformat}
--
This message was sent by Atlassian JIRA
(v6.3.11#6341)
More information about the jboss-jira
mailing list