[jboss-jira] [JBoss JIRA] (SECURITY-876) Web initiated logout doesn't clear authenticated identity in EJB

Arjan t (JIRA) issues at jboss.org
Thu Mar 12 09:51:19 EDT 2015


    [ https://issues.jboss.org/browse/SECURITY-876?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13049402#comment-13049402 ] 

Arjan t commented on SECURITY-876:
----------------------------------

After some more experimenting with this, the following handler seems to do the trick as a workaround, but it's a bit nasty to require this of course. It now uses the hardcoded "other" domain.

{code:java}
// Imports added for completeness; the static import below is assumed to be the WildFly 8
// Undertow subsystem's key for the JBoss SecurityContext attachment on the exchange.
import static org.wildfly.extension.undertow.security.SecurityContextThreadSetupAction.SECURITY_CONTEXT_ATTACHMENT;

import io.undertow.security.api.NotificationReceiver;
import io.undertow.security.api.SecurityNotification;
import io.undertow.server.HttpHandler;
import io.undertow.server.HttpServerExchange;

import org.jboss.logging.Logger;
import org.jboss.security.SecurityContext;
import org.jboss.security.SecurityContextAssociation;
import org.jboss.security.SecurityContextFactory;
import org.jboss.security.SecurityRolesAssociation;

public final class AuthEventHandler implements HttpHandler {

    private static final Logger log = Logger.getLogger(AuthEventHandler.class);

    private final HttpHandler next;

    public AuthEventHandler(final HttpHandler next) {
        this.next = next;
    }

    @Override
    public void handleRequest(HttpServerExchange exchange) throws Exception {
        // Listen for Undertow security events (LOGGED_OUT among them) on this exchange
        exchange.getSecurityContext().registerNotificationReceiver(new SecurityNotificationReceiver(exchange));
        next.handleRequest(exchange);
    }

    private static class SecurityNotificationReceiver implements NotificationReceiver {

        private final HttpServerExchange exchange;

        public SecurityNotificationReceiver(HttpServerExchange exchange) {
            this.exchange = exchange;
        }

        @Override
        public void handleNotification(final SecurityNotification notification) {
            switch (notification.getEventType()) {
                case LOGGED_OUT:
                    try {
                        // For when calling request#logout: the authenticated identity is still available for the
                        // EJB context

                        // Clear old one
                        SecurityContextAssociation.clearSecurityContext();
                        SecurityRolesAssociation.setSecurityRoles(null);

                        // Set a new one in case re-authentication is done within the same thread
                        // (createSecurityContext declares a checked Exception, hence the try/catch)
                        SecurityContext securityContext = SecurityContextFactory.createSecurityContext("other");
                        if (exchange != null) {
                            exchange.putAttachment(SECURITY_CONTEXT_ATTACHMENT, securityContext);
                        }
                        SecurityContextAssociation.setSecurityContext(securityContext);
                    } catch (Exception e) {
                        log.error("Could not clear EJB security context", e);
                    }
                    break;
                default:
                    break;
            }
        }
    }
}
{code}

> Web initiated logout doesn't clear authenticated identity in EJB
> ----------------------------------------------------------------
>
>                 Key: SECURITY-876
>                 URL: https://issues.jboss.org/browse/SECURITY-876
>             Project: PicketBox 
>          Issue Type: Bug
>            Reporter: Arjan t
>            Assignee: Stefan Guilhen
>              Labels: authentication, ejb, jaspi, jaspic, security, security-context
>
> After having authenticated via JASPIC, calling {{HttpServletRequest#logout}} and then requesting the caller/user principal (all within the same request), WildFly 8.2 will correctly clear out the principal for the web context, but will NOT clear out the principal for the EJB context.
> Cross-checking with the RI (GlassFish 4.0/4.1) reveals that there the EJB context is indeed cleared out.
> As a workaround, calling the following code after logout (e.g. in an Undertow event handler for SecurityNotifications) will clear the EJB context, but this code should of course not be needed to be called by user apps:
> {code:java}
> SecurityContextAssociation.clearSecurityContext();
> SecurityRolesAssociation.setSecurityRoles(null);
> {code}
> A reproducer for this issue is available at: https://github.com/arjantijms/javaee7-samples/blob/master/jaspic/ejb-propagation/src/main/java/org/javaee7/jaspic/ejbpropagation/servlet/PublicServletPublicEJBLogout.java
> For WildFly 8.2 this will print:
> {noformat}
> web username: test
> EJB username: test
> web username after logout: null
> EJB username after logout: test
> {noformat}
> For GlassFish 4.0/4.1 this will print:
> {noformat}
> web username: test
> EJB username: test
> web username after logout: null
> EJB username after logout: ANONYMOUS
> {noformat}
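The AuthEventHandler in the comment above still has to be placed in the Undertow handler chain of the deployment for its LOGGED_OUT receiver to ever fire. The following ServletExtension is an added example of that wiring and is not code from the issue or from the reporter's reproducer; it assumes the handler class from the comment is on the deployment's classpath and that the class name of this extension is listed in META-INF/services/io.undertow.servlet.ServletExtension.

```java
package example.security; // hypothetical package, not from the issue

import io.undertow.server.HandlerWrapper;
import io.undertow.server.HttpHandler;
import io.undertow.servlet.ServletExtension;
import io.undertow.servlet.api.DeploymentInfo;

import javax.servlet.ServletContext;

/**
 * Registers AuthEventHandler (from the comment above) as an inner handler chain wrapper.
 * Inner wrappers are applied inside Undertow's security handlers, so by the time
 * AuthEventHandler.handleRequest runs, exchange.getSecurityContext() is already set
 * and the NotificationReceiver can be attached to it.
 *
 * Activation: put the fully qualified name of this class in
 * META-INF/services/io.undertow.servlet.ServletExtension inside the deployment.
 */
public final class AuthEventServletExtension implements ServletExtension {

    @Override
    public void handleDeployment(DeploymentInfo deploymentInfo, ServletContext servletContext) {
        deploymentInfo.addInnerHandlerChainWrapper(new HandlerWrapper() {
            @Override
            public HttpHandler wrap(HttpHandler next) {
                // Wrap the servlet dispatch handler so every request gets the logout receiver
                return new AuthEventHandler(next);
            }
        });
    }
}
```

An outer wrapper (addOuterHandlerChainWrapper) would run before the security handlers, where getSecurityContext() can still be null, which is why the inner chain is used here.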



--
This message was sent by Atlassian JIRA
(v6.3.11#6341)

